With the overturning of Roe v. Wade, privacy is in the headlines. In many states, information about who paid an abortion clinic, took an Uber to a pregnancy advice center, or booked a flight to a state with different abortion laws has become even more fraught than typical private information, pushing companies across various industries to reexamine their data protection levels.
Privacy around healthcare is nothing new. Most people prefer to keep it to themselves if they’ve gone to the doctor about a worrying-looking mole on their arm, and don’t want the whole world knowing about their visits to a psychiatrist. Indeed, each person is entitled to privacy around their physical and mental health.
Everyone leaves data footprints
It’s close to impossible to avoid leaving a data footprint of our lives. We have phones with GPS enabled by default, and use apps that gather tons of data about the sites we visit, the people we contact, and the places we go. Few people use cash these days, and for many types of purchases cash is no longer accepted at all.
It’s not always as simple as saying that companies shouldn’t gather sensitive data in the first place. Sometimes they have to, for accounting and compliance needs. Unlike Google, which quickly volunteered to delete users’ location data for visits to abortion clinics, most other companies cannot simply delete a transaction, since they must comply with governmental regulations. For example, taxi companies have to log the start and end points of their journeys and any payments received; modern apps typically track exactly who ordered the ride, since it is billed to their account. Credit card companies can’t delete customer payment histories just because there’s a payment to a psychiatric institution or abortion clinic. Airlines can’t remove passenger lists. And health care facilities must maintain medical records.
As a result, a data breach can cause serious damage, and not only for companies in the healthcare sector, which is why businesses need to give fresh attention to data protection policies. Here are 5 steps you should be taking to protect data and reduce the risk of breaches.
1. Data minimization
The only data you collect should be data you need, so review your data collection policies and look for anything that you can cut out. For example, brands often collect customer dates of birth for loyalty programs or analysis, but is it really necessary? Frequently, analytics are just as effective if you use age groupings instead of the year of birth.
2. Data exposure
Once collected, data can end up in all kinds of places, so it’s important to review where your data is stored. Does sensitive data end up in plain-text logs when a technical error or glitch needs to be debugged? Is it sent to storage that lacks encryption, auditing or access management? Each of those is a place where someone could see the data and abuse it.
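As an added illustration of the log-exposure point (example code written for this article, not Privya’s product): a Python logging filter that strips card numbers, e-mail addresses and GPS coordinates from every record before any handler writes it, so the usual “dump the whole request on error” path no longer leaks them. The patterns and the sample request are constructed and heuristic.

```python
import logging
import re

# Heuristic patterns for the value types the post names (constructed here).
_PATTERNS = [
    (re.compile(r"\b(?:\d[ -]?){12,18}\d\b"), "[CARD]"),
    (re.compile(r"[\w.+-]+@[\w-]+(?:\.[\w-]+)+"), "[EMAIL]"),
    (re.compile(r"-?\d{1,3}\.\d{3,}\s*,\s*-?\d{1,3}\.\d{3,}"), "[GEO]"),
]

def redact(text):
    """Replace every match of a sensitive-value pattern with a fixed token."""
    for pattern, token in _PATTERNS:
        text = pattern.sub(token, text)
    return text

class RedactingFilter(logging.Filter):
    """Rewrites each record's message before any handler formats or writes it."""
    def filter(self, record):
        record.msg = redact(record.getMessage())
        record.args = ()  # already interpolated into msg above
        return True

class _ListHandler(logging.Handler):
    # Collects formatted lines in memory so the output can be inspected.
    def __init__(self, sink):
        super().__init__()
        self.sink = sink
    def emit(self, record):
        self.sink.append(self.format(record))

def build_logger(name="rides"):
    """Logger with the redacting filter attached; returns it and its output."""
    lines = []
    logger = logging.getLogger(name)
    logger.handlers.clear()
    logger.propagate = False
    logger.setLevel(logging.DEBUG)
    handler = _ListHandler(lines)
    handler.setFormatter(logging.Formatter("%(levelname)s %(message)s"))
    logger.addHandler(handler)
    logger.addFilter(RedactingFilter())  # on the logger, so every handler sees it
    return logger, lines

def log_failed_ride(logger, payload):
    """The common 'dump the whole request on error' pattern that leaks data."""
    logger.error("ride booking failed, payload=%r", payload)

# Constructed sample request that would otherwise land verbatim in the log.
SAMPLE = {"user": "jane@example.com", "card": "4111 1111 1111 1111",
          "dropoff": "40.7484, -73.9857"}
```

The regexes are deliberately broad (a 13-digit epoch timestamp would be masked too); in production, tune them against your own log corpus and prefer structured logging with an explicit allow-list of fields over pattern matching.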
3. Data access
Your data privacy is only as strong as your weakest third-party relationship. Investigate all your third-party connections and check each partner’s data policies so that you know how they use and store your data. Share only what is needed, and make sure an opt-out is in place. It’s remarkably easy for data to end up with an unauthorized third party that misuses it or stores it insecurely.
4. Data retention
Removing data promptly is key to protecting customer privacy. You might need to keep their credit card number, but do you need their location at the time of payment, for example? Sometimes data is only needed for a limited period of time, like until you’ve completed your quarterly audits. All data should be deleted promptly as soon as it’s no longer needed.
5. Data segregation
Data segregation is a best practice for data privacy, but it can be complicated to implement and usually needs support from a data architect or other data science expert. It involves separating data so that personally identifying information is stored in a different location from the sensitive data itself, for example a customer’s purchase amount, taxi ride destination, or diagnosis. That way, if one database is hacked, there’s still no way to connect a specific customer with a specific activity.
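An added example (not Privya’s code) of the segregation described above, in Python: PII, sensitive events and the link between them live in three separate stores, so a dump of any single store cannot tie a customer to a ride destination, and dropping the link row doubles as a retention control. The store layout, class and sample records are assumptions for the illustration.

```python
import secrets

class SegregatedStore:
    """Three stores that belong in separate systems with separate access controls.

    identities: PII only (name, e-mail), keyed by customer id.
    activities: the sensitive facts only (destination, amount, diagnosis),
                keyed by a random token that means nothing on its own.
    links:      the only mapping customer id -> token; give it the narrowest
                access of the three (vault-backed, service accounts only).
    A dump of identities or activities alone ties no person to any event.
    """

    def __init__(self):
        self.identities = {}
        self.activities = {}
        self.links = {}

    def register(self, customer_id, name, email):
        self.identities[customer_id] = {"name": name, "email": email}

    def record_activity(self, customer_id, event):
        # Mint a random token on first use; never derive it from PII, or a
        # hash of the PII becomes a join key an attacker can recompute.
        token = self.links.setdefault(customer_id, secrets.token_hex(16))
        self.activities.setdefault(token, []).append(dict(event))

    def activities_for(self, customer_id):
        # Legitimate lookups go through the link table; nothing else can.
        token = self.links.get(customer_id)
        return list(self.activities.get(token, [])) if token else []

    def unlink(self, customer_id):
        # Retention control: remove the link row and the events remain only
        # as unattributable records rather than a per-person history.
        self.links.pop(customer_id, None)

def joinable_rows(identities, activities):
    """Rows an attacker could join after stealing both database dumps but not
    the link table. The two stores share no key, so the result is empty."""
    return {cid: activities[cid] for cid in identities if cid in activities}
```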
Data privacy has never been so important
We’ve been hearing about data breaches for years, but the Supreme Court’s recent decision is a timely reminder of just how sensitive data can be. To ensure that everyone has privacy around their physical and mental health, every company needs to review its data protection policies and actively look for ways to harden its data security profile.
Contact Privya today to learn how to build privacy into your development cycle from day one.
Privya shifts left on privacy, so data protection can be dealt with as part of the development life cycle, preventing compliance violations. Privya’s data privacy code scanning platform translates the requirements of privacy regulations such as GDPR and CPRA, together with compliance best practices, into an automated architecture, ensuring privacy requirements are met at the initial point of development, so that bad privacy practices never make it into production.