Data protection and privacy overview
Business and personal data is valuable. Unauthorized disclosure or access, processing, or use of personal or business data can cause large losses for individuals and companies.
An ever-increasing amount of data resides in many locations, such as devices, an organization's file servers, and cloud storage services. Data can also be accessed from various locations, by using many different devices. The risk of data leakage, misuse, and loss is greater than ever before.
It's important for companies and individuals to understand the need for data protection and learn necessary skills to help protect their data. The importance of data protection increases with the amount and sensitivity of data created and stored.
Data protection and data privacy
Data protection relates to helping protect data from unlawful or unauthorized access, use, destruction, damage, or loss. Data privacy focuses on the collection, use, and permissible handling of personal data, and what rights an individual has to control the data that's been collected about them.
Data protection generally pertains to technical control over data. Data privacy typically refers to legal or regulatory requirements. Data protection doesn't ensure data privacy or vice versa.
Data protection
Data protection consists of processes, procedures, and technologies that can help safeguard valuable information from corruption, compromise, or loss. It's important to recognize that no single product or technology can guarantee data protection. Rather, a combination of available procedures, technologies, and products might be necessary to protect data.
To plan and implement data protection measures, consider the following factors:
The sensitivity of the data type. Not all data needs the same level of protection or benefits from the same data protection approach. For example, some personal data such as email addresses might not require the same protection as more sensitive data like social security numbers and health information.
Where the data is stored. Appropriate data-protection technologies and methods might depend on where your data is stored. For example, you might use different data protection for data stored on your mobile device than for data stored on your company's file server or in the cloud.
Applicable data-protection requirements and regulations. Laws and regulations may define specific data-protection requirements. Work with your legal team to ensure you have a solid knowledge of these requirements and how they apply to your business.
Technologies that enable data protection. No single technology ensures complete data protection in every scenario. Become familiar with all the available platforms, processes, and technologies that are appropriate for your specific needs.
No single approach or technology guarantees data protection. However, the following key principles are important in designing a data-protection strategy.
Implement some level of data protection at data creation or collection that persists with the data throughout its lifecycle.
Ensure that organization personnel understand data sharing, and are aware of what data they share, who they share it with, and how they share it. Controlling data access and sharing is a key part of data protection.
In addition to protecting specific data, make sure to protect user identities, the devices on which users access data, and network traffic.
Data privacy
Data privacy typically addresses concerns such as:
- Which entities can collect data.
- Which entities can access data.
- What organizations can do with the data they've collected.
- How long organizations can retain data.
- What level of control individuals have over their data.
Privacy laws and regulations
Various laws define the rights of people and companies to control who uses their data, and set forth requirements for handling different types of data. Many countries/regions, and in some cases specific states, have laws or regulations that address privacy and the protection of personal data. The following units provide more detail about these privacy laws.
In general, privacy law and regulations set forth a legal framework about how organizations, and in some cases, individuals, can collect, use, and store personal data. In most cases, laws and regulations don't define or prescribe specific technologies that organizations must use to protect data privacy. Organizations must identify compliant technologies, operations, and other appropriate data privacy protection measures.
Define data privacy compliance
Your internal compliance framework should focus on principles and procedures for data access, use, and protection. The design of your organization's internal data-handling policies must reflect the legal and regulatory requirements that apply to your organization and the data being handled.
Data protection officers (DPOs) must understand data-handling requirements based on their state and country/region's laws and regulations and their organization's internal policies. DPOs can then define appropriate procedures and technologies for data collection, storage, and protection.
Microsoft provides compliance offerings that can help your organization align with national/regional and industry-specific data collection and usage requirements. A later unit describes these offerings.