Data security beyond the organization boundaries
In this article, we will discuss data privacy and data security and how they are related. We also touch upon how OkularID protects your data beyond organizational boundaries.
Privacy (dictionary definition) is the state or condition of being free from being observed or disturbed by other people.
Data/Information privacy is the right to have some control over how your personal information is collected and used.
As more and more data is being exchanged in the digital ecosystem, it opens more vulnerabilities for the end users. It is also true that organizations are hungry for more data to provide value add services driven by AI/ML to end users, but it can become very invasive for the end users. Organizations face an incredibly complex task of ensuring that personal information is protected and used as per user consented processing.
What constitutes private information?
Any information or combination that can identify a person uniquely is classified as Personal Identifiable Information or PII. Although there is no one definition for PII, the following list could be considered PII.
Social security number.
Passport information (or an image of it).
Driver’s license number (or an image of it).
Credit card data (number, CVV, expiration date).
Date of birth.
The number and address would be considered sensitive.
Authentication credentials (username and password).
In addition to PII, protected healthcare information (PHI) and financial data are regulated by standards and must be secured. Standards define sensitive information concerning individuals, and the level of control depends on the level of the sensitive information, e.g. email vs bank account number.
Before we go further, let’s discuss two closely related concepts Data Privacy and Data Security.
Data privacy is focused on using and governance of personal data, like putting policies in place to ensure that consumers’ personal information is being collected, shared, and used appropriately. Privacy is conceptual and presumes a level of transparency with the end user.
Data Security focuses on protecting data from malicious attacks and exploiting stolen data for profit. While security is necessary to protect data, it’s not sufficient to address privacy. Data security involves procedures, tools, software, authorization, auditing, and user information monitoring. Data security is private and confidential within the organization.
Data privacy and security are not arbitrary but guided by regulatory compliance requirements. Here things become more complicated and regional.
The type of data stored and the organization’s location are determinants of applicable data privacy laws. Below are some of the applicable laws in various regions.
CCPA went into effect on January 1, 2020. California residents have the right to know how corporations collect data, allowing them to access and remove data from the corporate systems.
HIPAA is a federal law(US) that defines how organizations store, secure, share, transfer, and audit patient information. It affects mainly healthcare providers and hospitals, but even eCommerce and other businesses that store patient information must apply HIPAA regulations to security controls.
COPPA is an older law enacted in 2000 that defined how businesses collect and share children’s information. Organizations that handle data for children under twelve must protect their screen names, email addresses, chat names, photographs, audio files, and geolocation coordinates.
PCI-DSS compliance standards protect user payment information to stop fraud and identity theft. Both large and small organizations, including online stores, must follow PCI-DSS regulations to store financial data on consumers.
GDPR is one of the strictest data privacy laws governing EU resident data. Organizations that violate GDPR face potentially millions in fines and penalties. GDPR oversees data privacy, security, organization accountability, and violations penalties. Organizations that store EU consumer data must ensure that they publish how user data is stored, shared, and collected and offer an easy way for users to remove their data from the corporate system. https://gdpr.eu/checklist/ is a helpful link when you are considering storing user information.
OkularID follows privacy design principles in all offerings and services. All PII information of the user is always encrypted at rest. We always use HTTPS with TLS 1.2 or higher for transport level security. OkularID provides a solution for exchanging data containing sensitive information securely beyond organizational boundaries. Okular-share offers data security through one-to-one encryption by binding it to the end user’s digital identity (OkularID). In simple terms, once data is encrypted, it can be opened by the end user by verifying their liveness using a facial biometric, thus safeguarding all the sensitive information and protecting the organization’s reputation and liabilities.
OkularID is a unique digital identity management platform to authenticate and validate user credentials in the digital space. It is promoted by Aikaki Limited, focused on developing a user-centric digital identity wallet enabling users to share their credentials and digital assets and securely sign documents.