As a information technology professional it is important that you understand your role in maintaining data privacy and practicing data security measures to protecting the data that you manage from unauthorized access. This can be challenging because we live in a time where the rules and regulations surrounding data privacy and security is still evolving to keep up with technology. First, let's identify a few terms we will use in this lesson. Then, we will dig into some recent legislation -- the GDPR!

You will be able to:

• Describe GDPR and its impact on data privacy
• Identify and describe PII, PHI, PCI, and other data of a sensitive nature
• Describe the impact and prevention of data breaches

Data privacy refers to the right of individuals and organizations to protect their data from unauthorized access. When companies and organizations collect data from users, users have a right to know what data is being collected, how the data is used, and who might have access to it.

Data security refers to the set of actions and tools used to maintain the privacy of the data. Essentially, data professionals have a responsibility to implement security measures in order to maintain privacy.

Data governance (DG) is the set of processes and operations that an organization will apply to maintain standards of privacy, security, and integrity as data is accessed and used across the organization.

The General Data Protection Regulation was passed on April 14th 2016 by the European Union and went into effect on May 25th 2018. GDPR protects the data rights of all European citizens and is an example of how legislation will have to change and adapt to the digital era of the 21st century. GDPR stipulates that:

GDPR has implemented more widespread regulations that include penalties of up to 4% of a company's earnings for the failure to adhere to GDPR's stipulations. The stringent policies of the GDPR have encouraged international platforms to adhere to the GDPR's standards in most countries to avoid accidental violations, allowing for an increase in privacy for users world wide.

Personal Data and Sensitive Personal Data are data that require a lawful basis to be collected, as prescribed by GDPR. A lawful basis can include:

1. consent from the subject
2. to fulfill a contractual obligation entered into by the subject
3. to comply with the data collectors legal obligations
4. to protect the data subjects vital interests
5. for the public interest
6. to pursue the legitimate interests of the data controller

Recent legislation, namely the European Union's GDPR (Global Data Protection Regulation) has articulated some key concepts in privacy regulation that have been widely adopted across the industry in an effort to remain in compliance with the EU's legislation. Below, we will define the language of GDPR to help us better understand what personal and sensitive data are and how we can responsibly manage it.

Personal data (also known as Personal Indentifiable Information or PII) is any piece of information or combination of information about a living person that can be used to identify them with reasonable accuracy. This can include, but is not limited to:

• Name, address, phone number, and email
• Social media handles
• Name and Employer
• Name and Schedule
• IP addresses

Sensitive personal data is outlined by GDPR as a specific set of special categories that must be treated with extra security. These categories include:

• Racial or ethnic origin
• Political opinions
• Religious or philosophical beliefs
• Trade union membership
• Genetic data
• Data related to sexual orientation
• Unique biometric data

Before GDPR, numerous regulations existed to govern the use of personal data in the medical sphere. In the United States, the HIPAA Privacy Rule established national standards to protect individuals' medical records and other individually identifiable health information (known as protected health information or PHI). The Privacy Rule stipulates appropriate safeguards to protect PHI and limit how the information can be disclosed without the consent of the patient. It also gives individuals rights over their protected health information, including the right to obtain copies of their records.

Additionally, PCI (Payment Card Information) is also of a sensitive nature and should be protected. To ensure that security standards were being applied consistently across the industry, credit card companies developed the PCI DSS, which is a set of security requirements developed for sensitive credit cardholder data. These requirements are not optional and apply to anyone who stores, processes, transmits or otherwise has access to credit cardholder data. It also applies to all system components included in or connected to or the cardholder data environment. Special training is required for people with access to credit cardholder data.

A data breach is when confidential, sensitive, or protected information is exposed to an unauthorized person. Files from a data breach can be misused in a number of ways, including identity theft. Data breaches occur often on both a large and small scale. The damage that ensues depends on the kind of data that is exposed. In September of 2017, Equifax announced it experienced a data breach, which impacted the personal information of approximately 147 million people. This resulted in a class action lawsuit and subsequent settlement. Equifax denied any wrongdoing and no judgment or finding of wrongdoing was made.

The Equifax incident highlights the fact that we cannot always rely on companies and/or the government to create sufficient regulations to protect user data. Despite Equifax being a reputable company, they were still vulnerable to attack because new exploits will always exists. This is why it is important that we manage data privacy on a user level to the best of our ability. Simple things such as using a password manager and two-factor authentication to protect your credentials can do a lot to limit your exposure in the event of a data breach.

Preventing data breaches requires that companies, governments, and individuals all take action to protect personal information at all stages. This includes designing hardware and software with privacy in mind to limit data collection and establishing and enforcing rigorous policies to protect information that is collected.

In addition to the responsibility of the government and companies, users also share the responsibility of keeping data secure. As an information technology professional, it is especially important that you effectively manage the security of your equipment and credentials to prevent unauthorized access to user data.