What Is Data Privacy

The document discusses 12 important questions for data privacy that organizations should consider. The questions cover topics such as being prepared for data breaches, incorporating privacy by design, conducting privacy impact assessments, demonstrating compliance with regulations, identifying and classifying data assets, access controls, calculating financial impacts of breaches, handling data subject requests, consent for data collection, updating privacy policies, and records of data processing activities. Answering these questions can help organizations strengthen their data privacy practices and compliance.


What are the questions for data privacy?

Important Data Privacy Questions

 How well have we strategized our data? ...
 How good are we at building privacy and ethics into our use of the data? ...
 Are there security solutions to manage our data privacy program? ...
 Do we have mechanisms in place to destroy or delete data if requested to do so?

A fuller set of questions follows.
1. Are we prepared for a data breach?
This is a broad question, but it is probably the most important one when it comes to protecting data and safeguarding your customers' data. You will be able to answer it once you have worked through most of the questions below.
In today's threat landscape, you need to be able to handle security incidents and events with a well-documented strategy and process. It also helps to practice handling data breaches with your team during regular tabletop exercises. These exercises let your team gauge and improve its ability to handle security incidents and data breaches in the future.
2. Do we incorporate ‘privacy by design’ into our IT systems?
If you take a ‘privacy by design’ approach to security, you approach your security projects by
incorporating privacy and data protection from the start. Leveraging this approach helps your
organization when complying with global data privacy regulations.
Consider incorporating ‘privacy by design’ when:
 Deploying any new IT infrastructure that stores or processes personal data
 Implementing new security policies or strategies
 Sharing any data with third parties or customers
 Using data for any analytical purposes
By incorporating ‘privacy by design,’ you are helping to minimize the risk of data loss. If you design
your projects, processes, and systems with privacy in mind, you can identify problems early on and
raise the level of awareness for privacy concerns in the organization.
3. Have we conducted a Privacy Impact Assessment (PIA)?
A PIA is a tool for identifying and reducing the risk of poor privacy practices in your organization, and with it the risk of mishandling personal data. (Under the GDPR, Article 35 makes the equivalent Data Protection Impact Assessment, or DPIA, mandatory for processing that is likely to result in a high risk to individuals, such as large-scale processing of special categories of data or large-scale systematic monitoring of public areas.)
Key stakeholders are interviewed as part of a PIA; the result identifies potential privacy problems and recommends how to address them. Ultimately, a PIA helps the organization and its security team develop better policies and systems for handling sensitive personal data.
4. Are we able to measure and demonstrate compliance with global data privacy regulations?
Demonstrating compliance with global data privacy regulations is a long-term outcome of implementing the right privacy and security controls across your people, processes, governance and technology. It requires a steadfast approach to each of these areas.
Managing data privacy cannot be treated as a check-box exercise. Global data privacy regulations are often loosely structured and open to interpretation, and most of them (the GDPR's Article 32 included) require "appropriate" technical and organizational measures rather than prescribing a defined set of security controls. In practice, managing data privacy means building a comprehensive governance framework suited to your own business, and keeping the evidence (policies, assessments, records of processing, audit results) that shows the controls are in place and working.
5. Have we identified and inventoried our data assets and the processes used to process and store personal data?
If you don’t know what data assets you hold, it’s difficult to assess what impact you might have from
a data breach. You must identify and confirm with key stakeholders what data the organization
stores or processes. This can be done via interviews that determine where your data repository
locations reside.
Make sure you investigate the following areas where data typically resides:
 Applications (e.g., email, web, OS, etc.)
 Folders (e.g., shared network, local)
 Databases
 Cloud and Third Parties
 Removable media
 Physical locations (e.g., cabinets, safes)
 Test and Development networks
And, make sure you inventory data across the following areas:
 Information Technology
   Application Logs
   Database Logs
   Endpoint Data
 Operations
   Customer Cardholder Data
   Operational Data
   Supplier Contracts
 HR & Payroll
   Employee Personal Data
   Employee Payroll Data
   Employee Medical Records
 Legal
   Acquisition and Divestment Information
   Third-Party Litigation Files
   Legally Privileged Information
 Financial
   Company Tax Returns
   Investor Information
   Shareholder Reports
 Customer Service & Sales
   Customer Contracts
   Company Pricing
   Customer Data
Scanning your entire network for data in these areas will help you assess and categorize what data
could be impacted by a breach. This data mapping exercise can also help you categorize data
according to sensitivity.
6. Have we classified our data according to risk (high, medium, low)?
After completing the data mapping exercise noted above, you can begin to rank your data according to risk and sensitivity. You may discover that if certain data is stolen or lost, it could significantly damage your relationship with customers or your own business operations.
Knowing which data is at risk during a breach also helps your security team harden defenses and plan how to protect organizational data. If they know that certain data is high-risk, they can prioritize their time on controls for those assets. They can also set up alerts in their security tooling (for example, on the audit logs of the systems that hold high-risk records) so that unusual activity involving these data types is noticed.
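A worked example of the discovery-and-classification step described in questions 5 and 6, added here as an illustration and not part of the original article: it scans a handful of constructed sample files (embedded inline) for three common personal-data patterns (e-mail addresses, US Social Security numbers, and payment card numbers, the last validated with the Luhn checksum so that a random 16-digit invoice number is not counted) and ranks each file high, medium or low. The file names and contents, the regular expressions and the high/medium/low rules are all assumptions; a real scan would run over the repositories listed above and feed the results into the data inventory.

```python
"""Added example (not from the original article): discover and classify
personal data in a set of files. File contents, regexes and the
high/medium/low rules below are assumptions for illustration."""
import re
from dataclasses import dataclass

# Constructed sample "files": path -> contents. Not real data.
SAMPLE_FILES = {
    "hr/payroll_2023.csv": "name,ssn,email\nA. Smith,123-45-6789,asmith@example.com\n",
    "sales/leads.txt": "contacts: j.doe@example.org, t.lee@example.net\n",
    "ops/runbook.md": "# Restart procedure\nrun: systemctl restart app\n",
    "finance/refunds.log": "refund card 4111 1111 1111 1111 amount 12.00\n"
                           "invoice 1234567890123456 paid\n",
}

EMAIL_RE = re.compile(r"\b[\w.+-]+@[\w-]+\.[\w.-]+\b")
# US SSN with structurally invalid area/group/serial values excluded.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits, optionally separated by spaces or dashes; confirmed by Luhn.
CARD_RE = re.compile(r"\b(?:\d[ -]?){12,18}\d\b")


def luhn_ok(digits: str) -> bool:
    """Return True if the digit string passes the Luhn checksum."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d > 4 else d * 2
        total += d
    return total % 10 == 0


def find_cards(text: str) -> list:
    """Card-like digit runs that also pass Luhn (filters out invoice numbers)."""
    hits = []
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group())
        if luhn_ok(digits):
            hits.append(digits)
    return hits


@dataclass
class Finding:
    path: str
    emails: int
    ssns: int
    cards: int
    level: str


def classify(path: str, text: str) -> Finding:
    """Rank a file: SSNs or card numbers -> high, e-mail only -> medium."""
    emails = len(EMAIL_RE.findall(text))
    ssns = len(SSN_RE.findall(text))
    cards = len(find_cards(text))
    if ssns or cards:
        level = "high"
    elif emails:
        level = "medium"
    else:
        level = "low"
    return Finding(path, emails, ssns, cards, level)


def inventory(files=None) -> list:
    """Classify every file, highest risk first, for the data inventory."""
    files = SAMPLE_FILES if files is None else files
    order = {"high": 0, "medium": 1, "low": 2}
    return sorted((classify(p, t) for p, t in files.items()),
                  key=lambda f: (order[f.level], f.path))


if __name__ == "__main__":
    for f in inventory():
        print(f"{f.level:6} {f.path}  emails={f.emails} ssns={f.ssns} cards={f.cards}")
```

The Luhn check is what keeps the false-positive rate tolerable: the `finance/refunds.log` sample contains both a genuine test card number and a 16-digit invoice number, and only the former is counted. In a real program the pattern set would be extended per jurisdiction (national ID formats, IBANs, health identifiers) and the findings written to the inventory with the owner and location recorded for each repository.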
7. Who has access to our various data assets?
Another important question is who has access to this information, and whether that access is necessary for business operations. You may find that some end users hold privileged access to sensitive data that they do not need. You may also discover that these users are transmitting or storing sensitive data in ways that pose a high risk of loss.
With this information, you can begin to revise your access policies to remove unnecessary privileged access to sensitive data sources, applying the principle of least privilege. You can also protect your endpoints from data exfiltration with appropriate security technologies. Or, if users genuinely need access to sensitive data and you are still concerned about a threat actor stealing those assets, you might deploy data masking or encryption so that the sensitive fields are hidden from users and systems that do not need them.
8. Have we calculated the financial impact of high-risk data if leaked?
It is important to know the financial impact of a potential data breach. If you want to estimate the probability of a data breach and its financial impact on the business, consider using the Ponemon Institute's report on average breach costs. See the Figure below on average per-capita breach costs in each industry.
According to the 2016 report, the average cost per capita (per lost or stolen record) for US companies was $221, and the probability of a breach involving 10,000 records over the next 24 months was 24% in the United States and 26% globally. You can combine these figures with the record counts from your own data mapping exercise to estimate the expected cost of records stolen or lost (records at risk multiplied by the per-capita cost, weighted by the breach probability). Our US Technical Director has published a worked example that uses Beckstrom's Law together with the Ponemon figures to arrive at a breach cost estimate.
9. Do we have the processes and resources in place to support data access requests from individuals?
Under the General Data Protection Regulation (GDPR), individuals can request access to their data, find out whether and how it is being processed (Article 15), and request that it be transferred to another controller in a machine-readable format (data portability, Article 20). You must put in place a mechanism to locate all of their data across your systems, verify the identity of the requester, and securely deliver the data to the individual.
This information must be provided free of charge and without "undue delay", which the GDPR sets at one month from receipt of the request (extendable by a further two months for complex or numerous requests, provided the individual is told why). You should also decide who will be designated to handle these requests. Some firms will need an appointed Data Protection Officer, while others simply need a named person who can handle the requests.
10. How are we capturing data? Do we have the right level of consent?
With new global data privacy laws, organizations need to take an in-depth look at how they acquire personal data of all types. This even includes basic personal data such as first and last name. Any personally identifiable information can be used by threat actors, for example to make phishing and social-engineering attacks against your staff and customers more convincing. And under global data privacy laws you can be fined heavily for a data breach that has a significant impact on individual data subjects.
Organizations need to review their methods of acquiring personal data and confirm that every item collected is necessary. Do not ask for more data than successful operation requires (data minimization). Where you rely on consent as the lawful basis for processing, the GDPR requires that it be freely given, specific, informed and unambiguous, and as easy to withdraw as to give; consent is only one of several lawful bases, so record which basis applies to each processing activity.
11. Have we updated our privacy notices and privacy policies?
When did you last update, or even read, your privacy notice? Probably a long time ago. With new global data privacy laws, it is a requirement that personal data is processed in a transparent manner.
This means that your organization must be upfront, informative and concise, and must support lawful data processing. A privacy notice or policy must be delivered to data subjects before, or as soon as reasonably possible after, the organization collects their data. The privacy policy should be drawn up with key stakeholders in your organization, including legal, marketing, and any other department that takes part in data collection and processing. Write your privacy policy in clear and plain language. Avoid legalese!
12. Do we have up-to-date records of all data processing activities?
Like the points above, your organization needs to keep a record of how and when personal data records are processed; Article 30 of the GDPR requires most controllers and processors to maintain such a record. Find out which systems use personal data records for processing and storage. This helps your security team understand how those systems need to be protected and lets them build a strategy for layered threat defense.
The data processing register is not only for your internal team: EU supervisory authorities may also require it during a data breach investigation. You want to have it in place so that you can show where and when data is processed. The register is also the natural place to document new processing activities, and maintaining it gives every department that collects personal data a defined process to follow.
13. How long do we keep data? Do we have a data retention schedule in place that is in line with legal and regulatory compliance?
A data retention schedule, or records retention schedule, is another document or mechanism your organization needs in order to safeguard personal data. The retention schedule defines how the organization aligns with legal and compliance recordkeeping requirements, and therefore how long data records are kept on file and when they are disposed of in a controlled manner.
The data retention schedule also tells employees the appropriate methods for destroying or deleting data once it is beyond its retention period.
Without a data retention schedule you may be putting your organization at risk of data loss or theft, since data you no longer need is still there to be breached. If your organization has completed the data mapping and classification exercises, you can associate each data type and risk level from the mapping exercise with a retention period.
14. Do we have mechanisms in place to destroy or delete data if requested to do so?
Once you have defined your data retention schedule and know when data records can be deleted, you need to understand how data should be properly deleted or destroyed. Your employees need to know how and when to destroy or delete data, and deletion must reach every copy, including backups and data held by processors. Your security department should also follow an industry standard such as NIST SP 800-88, Guidelines for Media Sanitization, when clearing, purging or destroying storage devices.
15. Do we have a regular or ongoing data audit process set up for the future?
At least once per year, your team should evaluate your data retention schedule and determine if it
aligns with legal and regulatory requirements for your industry. You might find that you need to
shorten or lengthen the amount of time data is kept within your recordkeeping system.
The data audit is also a time when you can answer questions about your data such as what data are
we collecting now, where are we storing data, how are we protecting data, what’s the process for a
data access or deletion request, and who takes responsibility to respond to data requests. The
situations and outcomes to all the questions will likely change over time. You may have a different
method for collecting information, or you may have someone that leaves who handles data access
requests. It’s important that you stay ahead of these changes and make sure your business adapts.
16. Do we regularly review and monitor applicable security controls for securing data?
Your security team should be in lockstep with the organization in setting up security controls to protect and secure personal data. Much like the review of your data audits, the security team should be responsible for regularly reviewing the security controls in place to secure data. These controls include anti-malware, SIEM and log management, endpoint protection, encryption, data masking, and any other applicable security tool or technology responsible for securing data and detecting data breaches.
It would also be beneficial for your security team to regularly review how its security practices stack up against an industry best-practice standard, e.g., NIST, SANS, ISO, COBIT, etc. A self-assessment tool can give you a maturity rating for your current operations.
17. Do we have a way to monitor and detect security incidents continuously?
Organizations can now be fined under global data privacy laws if they fail to report a security incident to the authorities; under the GDPR, a personal data breach must be reported to the supervisory authority within 72 hours of the organization becoming aware of it. Therefore, it is important that your security team can monitor for and detect security incidents as soon as they happen.
According to FireEye, the average dwell time for a cyber breach is 146 days, nearly five months. Being able to monitor and detect threats in real time is a game changer: a threat that goes undetected for months is the one that turns into a major data breach.
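The alerting idea from question 6 and the continuous detection this question asks for, as an added example that is not part of the original article: a small detector run over constructed audit-log lines (embedded inline) from a hypothetical system that holds classified records. It raises an alert when a principal outside an allow-list reads a high-classification record, and when any principal reads more than a threshold of distinct high-classification records inside a ten-minute window, the footprint a bulk exfiltration leaves behind. The log format, the allow-list, the threshold and the window are assumptions; malformed lines are skipped rather than crashing the detector.

```python
"""Added example (not from the original article): detection logic for
unusual access to high-classification records, run over constructed
audit-log lines. Format, allow-list, threshold and window are assumptions."""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed audit log from a hypothetical record store; not real events.
SAMPLE_LOG = """\
2024-03-01T09:00:00Z user=alice action=read record=cust-101 class=high
2024-03-01T09:05:00Z user=carol action=read record=lead-7 class=medium
2024-03-01T09:06:00Z user=bob action=read record=cust-102 class=high
2024-03-01T09:30:00Z user=alice action=read record=cust-103 class=high
2024-03-01T10:00:00Z user=hr-bot action=read record=emp-1 class=high
2024-03-01T10:00:10Z user=hr-bot action=read record=emp-2 class=high
2024-03-01T10:00:20Z user=hr-bot action=read record=emp-3 class=high
2024-03-01T10:00:30Z user=hr-bot action=read record=emp-4 class=high
2024-03-01T10:00:40Z user=hr-bot action=read record=emp-5 class=high
2024-03-01T10:00:50Z user=hr-bot action=read record=emp-6 class=high
2024-03-01T10:01:00Z user=hr-bot action=read record=emp-7 class=high
2024-03-01T11:00:00Z user=alice action=read record=cust-104 class=high
this line is malformed and must be skipped, not crash the detector
"""

LOG_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) action=(?P<action>\S+) "
    r"record=(?P<record>\S+) class=(?P<cls>\S+)$")

ALLOWED_HIGH_READERS = {"alice", "hr-bot"}   # assumed access policy (see Q7)
BULK_THRESHOLD = 5                           # assumed: more than 5 distinct
WINDOW = timedelta(minutes=10)               # records in 10 minutes is "bulk"


def parse(line: str):
    """Return a dict for a well-formed line, None otherwise."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"].replace("Z", "+00:00"))
    return ev


def detect(lines) -> list:
    """Two rules over time-ordered lines; returns human-readable alerts."""
    alerts = []
    recent = defaultdict(deque)   # user -> (timestamp, record) inside WINDOW
    already_bulk = set()          # alert once per user per burst
    for line in lines:
        ev = parse(line)
        if ev is None or ev["cls"] != "high":
            continue
        user, ts = ev["user"], ev["ts"]
        # Rule 1: high-class access by a principal outside the allow-list.
        if user not in ALLOWED_HIGH_READERS:
            alerts.append(f"unauthorized: {user} read {ev['record']} at {ts.isoformat()}")
        # Rule 2: sliding window of distinct high-class records per user.
        q = recent[user]
        q.append((ts, ev["record"]))
        while q and ts - q[0][0] > WINDOW:
            q.popleft()
        distinct = {rec for _, rec in q}
        if len(distinct) > BULK_THRESHOLD and user not in already_bulk:
            already_bulk.add(user)
            alerts.append(f"bulk: {user} read {len(distinct)} high-class records within {WINDOW}")
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(alert)
```

On the sample, `alice` reads four high-class records spread across two hours and triggers nothing, `bob` triggers the allow-list rule on his first read, and `hr-bot` trips the bulk rule on its sixth distinct record. The same two rules are what a SIEM correlation search over the real audit trail of a CRM or HR system would express; the value of the classification work in question 6 is precisely that the `class=high` field exists to key on.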
18. Have we set up appropriate incident management procedures to handle a security incident?
Once you have detected a security incident, it is even more important that thorough triage, breach reporting, containment, and threat eradication follow. An incident response plan clarifies the course of action when handling security incidents.
Global data privacy law now mandates that organizations implement measures to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems (GDPR Article 32). Incident response is therefore a means of protecting personal data across all of these properties. Attackers will try every avenue to reach sensitive personal data, and a breach involving any personal data that results in destruction, alteration or unauthorized disclosure could put your organization at risk. Your security team should also regularly review and exercise its incident response plan and playbooks.
19. Do we know whom to notify about a significant security breach, and how?
The financial penalties for failing to report a data breach, or for having inadequate technical or organizational measures in place, can be extreme. The team handling incident response needs to understand the breach reporting requirements under the new global data privacy legislation.
The team must come forward and report a breach whenever personal data has been lost, altered, or disclosed without authorization, unless the breach is unlikely to result in a risk to individuals. Under the GDPR, notification to the supervisory authority is due within 72 hours of becoming aware of the breach (Article 33), and the affected data subjects must be told without undue delay when the breach is likely to result in a high risk to them (Article 34). Both notifications belong in the incident response plan. The major point here is that organizations need a formalized incident response plan that covers breach notification; without one, they are more likely to face severe penalties.
20. Do we need to appoint a Data Protection Officer?
Lastly, your organization needs to determine who will handle data access and deletion requests. Under the GDPR specifically, you may need to appoint a Data Protection Officer (DPO) who handles these requests and communicates directly with EU supervisory authorities. A DPO helps the organization monitor GDPR compliance, advises on data protection obligations, advises on Data Protection Impact Assessments (DPIAs), and acts as a point of contact for the supervisory authorities and for data subjects.
Under the GDPR (Article 37), there are three situations that mandate the appointment of a DPO:
 The processing is carried out by a public authority or body
 The controller's or processor's core activities consist of regular and systematic monitoring of data subjects on a large scale
 The controller's or processor's core activities consist of large-scale processing of special categories of data (such as health data) or of data relating to criminal convictions
Whether processing is "large-scale" depends on the number of data subjects, the volume of data, the duration of the processing, and its geographical extent.
It is also worth noting that a DPO can be an internal appointment or an outside provider. Lastly, if your organization decides not to appoint a DPO, make sure you document WHY you decided not to.
As you can see, there’s an abundance of questions involving data privacy now and in the years
ahead. Consider all facets and answers with these questions – leave no stone unturned. The more
transparent you are across your data privacy and security practices the better!

What is data privacy?


Data privacy generally means the ability of a person to determine for themselves when,
how, and to what extent personal information about them is shared with or
communicated to others. This personal information can be one's name, location, contact
information, or online or real-world behavior. Just as someone may wish to exclude
people from a private conversation, many online users want to control or prevent
certain types of personal data collection.

As Internet usage has increased over the years, so has the importance of data privacy.
Websites, applications, and social media platforms often need to collect and store
personal data about users in order to provide services. However, some applications and
platforms may exceed users' expectations for data collection and usage, leaving users
with less privacy than they realized. Other apps and platforms may not place adequate
safeguards around the data they collect, which can result in a data breach that
compromises user privacy.

Why is data privacy important?


In many jurisdictions, privacy is considered a fundamental human right, and data
protection laws exist to guard that right. Data privacy is also important because in order
for individuals to be willing to engage online, they have to trust that their personal data
will be handled with care. Organizations use data protection practices to demonstrate to
their customers and users that they can be trusted with their personal data.

Personal data can be misused in a number of ways if it is not kept private or if people
don’t have the ability to control how their information is used:
 Criminals can use personal data to defraud or harass users.

 Entities may sell personal data to advertisers or other outside parties without
user consent, which can result in users receiving unwanted marketing or
advertising.

 When a person's activities are tracked and monitored, this may restrict their
ability to express themselves freely, especially under repressive governments.

For individuals, any of these outcomes can be harmful. For a business, these outcomes
can irreparably harm their reputation, as well as resulting in fines, sanctions, and other
legal consequences.

In addition to the real-world implications of privacy infringements, many people and countries hold that privacy has intrinsic value: that privacy is a human right fundamental to a free society, like the right to free speech.

What are the laws that govern data privacy?

As technological advances have improved data collection and surveillance capabilities,
governments around the world have started passing laws regulating what kind of data
can be collected about users, how that data can be used, and how data should be
stored and protected. Some of the most important regulatory privacy frameworks to
know include:

 General Data Protection Regulation (GDPR): Regulates how the personal data
of European Union (EU) data subjects, meaning individuals, can be collected,
stored, and processed, and gives data subjects rights to control their personal
data (including a right to be forgotten).

 National data protection laws: Many countries, such as Canada, Japan, Australia, Singapore, and others, have comprehensive data protection laws in some form. Some, like Brazil's General Law for the Protection of Personal Data and the UK's Data Protection Act, are quite similar to the GDPR.

 California Consumer Privacy Act (CCPA): Requires that consumers be made aware of what personal data is collected and gives consumers control over their personal data, including a right to tell organizations not to sell their personal data.

There are also industry-specific privacy guidelines in some countries: for instance, in the
United States, the Health Insurance Portability and Accountability Act (HIPAA) governs
how personal healthcare data should be handled.

However, many privacy advocates argue that individuals still do not have sufficient
control over what happens to their personal data. Governments around the world may
pass additional data privacy laws in the future.

What are Fair Information Practices?


Many of the existing data protection laws are based on foundational privacy principles
and practices, such as those laid out in the Fair Information Practices. The Fair
Information Practices are a set of guidelines for data collection and usage. These
guidelines were first proposed by an advisory committee to the U.S. Department of
Health, Education, and Welfare in 1973. They were later adopted by the international
Organization for Economic Cooperation and Development (OECD) in its Guidelines on
the Protection of Privacy and Transborder Flows of Personal Data.

The Fair Information Practices are:

 Collection limitation: There should be limits to how much personal data can
be collected

 Data quality: Personal data, when collected, should be accurate and related to
the purpose it is being used for
 Purpose specification: The use for personal data should be specified

 Use limitation: Data should not be used for purposes other than what was
specified

 Security safeguards: Data should be kept secure

 Openness: Personal data collection and usage should not be kept secret from
individuals

 Individual participation: Individuals have a number of rights, including the right to know who has their personal data, to have their data communicated to them, to know why a request for their data is denied, and to have their personal data corrected or erased

 Accountability: Anyone who collects data should be held accountable for implementing these principles

What are some of the challenges users face when protecting their online privacy?

Online tracking: User behavior is regularly tracked online. Cookies often record a user's activities, and while many jurisdictions (the EU under its ePrivacy rules, for example) require websites to alert users to cookie usage, users may not be aware of the degree to which cookies are recording their activities.

Losing control of data: With so many online services in common use, individuals may
not be aware of how their data is being shared beyond the websites with which they
interact online, and they may not have a say over what happens to their data.
Lack of transparency: To use web applications, users often have to provide personal
data like their name, email, phone number, or location; meanwhile, the privacy policies
associated with those applications may be dense and difficult to understand.

Social media: It is easier than ever to find someone online using social media platforms,
and social media posts may reveal more personal information than users realize. In
addition, social media platforms often collect more data than users are aware of.

Cyber crime: Many attackers try to steal user data in order to commit fraud,
compromise secure systems, or sell it on underground markets to parties who will use
the data for malicious purposes. Some attackers use phishing attacks to try to trick users
into revealing personal information; others attempt to compromise companies' internal
systems that contain personal data.

What are some of the challenges businesses face when protecting user privacy?

Communication: Organizations sometimes struggle to communicate clearly to their
users what personal data they are collecting and how they use it.

Cyber crime: Attackers target both individual users and organizations that collect and
store data about those users. In addition, as more aspects of a business become
Internet-connected, the attack surface increases.

Data breaches: A data breach can lead to a massive violation of user privacy if personal
details are leaked, and attackers continue to refine the techniques they use to cause
these breaches.

 Insider threats: Internal employees or contractors might inappropriately access data if it is not adequately protected.

What are some of the most important
technologies for data privacy?
 Encryption is a way to conceal information by scrambling it so that it appears to be random data. Only parties holding the corresponding key can unscramble the information, so encrypted data that is lost or stolen stays unreadable.

 Access control ensures that only authorized parties access systems and data. Access control can be combined with data loss prevention (DLP) to stop sensitive data from leaving the network.

 Two-factor authentication is one of the most important technologies for regular users, as it makes it far harder for attackers to gain unauthorized access to personal accounts: a stolen or phished password alone is no longer enough.

These are just some of the technologies available today that can protect user privacy
and keep data more secure. However, technology alone is not sufficient to protect data
privacy.
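As an added illustration of the two-factor technology listed above (not code from the original article or from Cloudflare), here is the time-based one-time password (TOTP) scheme that authenticator apps implement, written against the Python standard library following RFC 4226 (HOTP) and RFC 6238 (TOTP). The shared secret is the one from the RFC test vectors rather than a real user's; the verification function accepts one time step on either side to tolerate clock skew, checks every candidate with a constant-time comparison, and leaves replay protection (remembering the last accepted counter per user) to the caller.

```python
"""Added example (not from the original article or Cloudflare): HOTP
(RFC 4226) and TOTP (RFC 6238) one-time passwords, the mechanism behind
authenticator-app two-factor codes, using only the standard library."""
import base64
import hashlib
import hmac
import struct
import time

# Shared secret from the RFC 4226/6238 test vectors (ASCII "1234567890" x2).
# A real deployment generates a random per-user secret and stores it encrypted.
TEST_SECRET = b"12345678901234567890"


def hotp(key: bytes, counter: int, digits: int = 6, algo=hashlib.sha1) -> str:
    """RFC 4226: HMAC the 8-byte big-endian counter, then dynamic-truncate."""
    mac = hmac.new(key, struct.pack(">Q", counter), algo).digest()
    offset = mac[-1] & 0x0F
    code = ((mac[offset] & 0x7F) << 24 | mac[offset + 1] << 16
            | mac[offset + 2] << 8 | mac[offset + 3])
    return str(code % 10 ** digits).zfill(digits)


def totp(key: bytes, at: float, step: int = 30, digits: int = 6,
         algo=hashlib.sha1) -> str:
    """RFC 6238: HOTP with counter = floor(unix_time / step)."""
    return hotp(key, int(at // step), digits, algo)


def verify_totp(key: bytes, code: str, at: float, window: int = 1,
                step: int = 30, digits: int = 6) -> bool:
    """Accept the current step and `window` steps either side (clock skew).
    Every candidate is checked with a constant-time compare so timing does
    not reveal which step matched. Replay protection (remember the last
    accepted counter per user) is left to the caller."""
    counter = int(at // step)
    ok = False
    for c in range(max(0, counter - window), counter + window + 1):
        ok |= hmac.compare_digest(hotp(key, c, digits), code)
    return ok


def provisioning_secret(key: bytes) -> str:
    """Base32 form of the secret, as embedded in an otpauth:// enrolment URI."""
    return base64.b32encode(key).decode()


if __name__ == "__main__":
    now = time.time()
    print("secret (base32):", provisioning_secret(TEST_SECRET))
    print("current code:", totp(TEST_SECRET, now))
    print("verifies:", verify_totp(TEST_SECRET, totp(TEST_SECRET, now), now))
```

The security property worth noticing is that the code is a truncated HMAC over a counter the attacker cannot influence: knowing many past codes does not reveal the secret, and a phished code is useless after at most one or two 30-second steps. The weak points in practice are the secret's storage on the server and the enrolment step, which is why the base32 secret should be shown once, over TLS, and never logged.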

What steps does Cloudflare take to protect privacy?

Cloudflare believes data privacy is core to the mission of helping build a better Internet.
Cloudflare products are built with privacy in mind, and Cloudflare has released a number
of services designed to protect online user privacy:

 1.1.1.1 is a free DNS resolver that does not track or store DNS queries (unlike
many other DNS resolvers, which may sell this information to advertisers)

 Cloudflare supports DNS over HTTPS, which completely encrypts DNS queries


 Cloudflare offers free SSL for any website that uses Cloudflare

 Project Galileo protects the privacy of important vulnerable organizations free


of charge

 Cloudflare Web Analytics enables businesses to analyze traffic to their


websites without compromising their users' privacy

Cloudflare also publishes a semi-annual transparency report on the requests we have


received to disclose information about our customers. The report includes a set
of warrant canaries. Additionally, the Cloudflare privacy policy can be reviewed here.

To learn more about Cloudflare's efforts to protect user privacy, see this blog post.
