What is data privacy?

Businesses regularly collect user data like email addresses, biometrics and credit card numbers. For organizations in this data economy, supporting data privacy means taking steps like obtaining user consent before processing data, protecting data from misuse and enabling users to actively manage their data.

Many organizations have a legal obligation to uphold data privacy rights under laws like the General Data Protection Regulation (GDPR). Even in the absence of formal data privacy legislation, companies may benefit from adopting privacy measures. The same practices and tools that protect user privacy can defend sensitive data and systems from malicious hackers.

Data privacy and data security are distinct but related disciplines. Both are core components of a company's broader data governance strategy.

Data privacy focuses on the individual rights of data subjects—that is, the users who own the data. For organizations, the practice of data privacy is a matter of implementing policies and processes that allow users to control their data in accordance with relevant data privacy regulations.

Data security focuses on protecting data from unauthorized access and misuse. For organizations, the practice of data security is largely a matter of deploying controls to prevent hackers and insider threats from tampering with data.

Data security reinforces data privacy by ensuring that only the right people can access personal data for the right reasons. Data privacy reinforces data security by defining the "right people" and "right reasons" for any set of data.

In many organizations, data privacy is overseen by an interdisciplinary team with representatives from the legal, compliance, IT and cybersecurity departments. These teams craft data management policies that govern how their organizations collect, use and protect personal data in light of users' privacy rights. They also design processes for users to exercise their rights and implement technical controls to secure data.

Organizations can use a variety of data privacy frameworks to guide their data policies, including the NIST Privacy Framework¹ and the Fair Information Practice Principles.² Moreover, the specifics of any organization's data governance strategy depend heavily on the privacy laws the company must comply with, if any.

That said, there are a few general data privacy principles that appear in most frameworks and regulations. These principles inform many organizations' data privacy policies, processes and controls.

The average organization today collects a massive amount of consumer data. Organizations have a responsibility to ensure the privacy of this data—not out of the goodness of their hearts, but as a matter of regulatory compliance, security posture and competitive advantage.

Institutions like the United Nations³ recognize privacy as a fundamental human right, and many countries have adopted privacy regulations that enshrine this right in law. Most of these regulations come with harsh penalties for non-compliance.

The European Union's General Data Protection Regulation (GDPR) is considered one of the most comprehensive data privacy laws in the world. It sets strict rules that any company—based in or outside of Europe—must follow when processing EU residents' data. Violators can be fined up to EUR 20 million or 4% of the company's global revenue.

Countries outside the EU have similar regulatory requirements, including the UK GDPR, Canada's Personal Information Protection and Electronic Documents Act (PIPEDA), and India's Digital Personal Data Protection Act.

The U.S. does not have any federal data protection laws as sweeping as the GDPR, but it does have a few pieces of more targeted legislation. The Children's Online Privacy Protection Act (COPPA) COPPA sets rules for collecting and processing the personal data of children under 13. The Health Insurance Portability and Accountability Act (HIPAA) covers how healthcare organizations and related entities handle personal health information.

Penalties under these laws can be significant. In 2022, for example, Epic Games was fined a record USD 275 million for COPPA violations.⁴

The U.S. also has state-level privacy regulations like the California Consumer Privacy Act (CCPA), which gives consumers in California more control over how and when their data is processed. While the CCPA is perhaps the most well-known state privacy law, it has inspired others, such as the Virginia Consumer Data Protection Act (VCDPA) and the Colorado Privacy Act (CPA).

Organizations today collect a lot of personally identifiable information (PII), like users' social security numbers and banking details. This data is a target for hackers, who can use it to commit identity theft, steal money or sell it on the dark web.

Additionally, companies have their own proprietary sensitive data that hackers may be after, such as intellectual property or financial data.

According to IBM's Cost of a Data Breach 2025 report, the average breach costs a company USD 4.44 million. Many factors contribute to this price tag, including lost business due to system downtime and the costs of detecting and remediating the breach.

Many of the same tools that support data privacy can also reduce the threat of breaches and strengthen overall cybersecurity posture. For example, IAM solutions that prevent unauthorized access can help stop hackers while enforcing privacy policies. Data security tools can often detect suspicious activity that may signal a cyberattack in progress, allowing the incident response team to act faster.

Similarly, employees and consumers can defend against some of the most damaging social engineering attacks by adopting data privacy best practices. Scammers often scour social media apps to find personal data they can use to craft convincing business email compromise (BEC) and spear phishing ruses. By sharing less information and locking down their accounts, users can cut scammers off from one potent source of ammunition.

Respecting users' privacy rights can sometimes grant organizations a competitive advantage.

Consumers may lose trust in businesses that do not adequately protect their personal data. For example, Facebook's reputation took a significant hit in the wake of the Cambridge Analytica scandal.⁵ Consumers are often less willing to share their valuable data with businesses that have fallen short on privacy in the past.

Conversely, businesses with a reputation for protecting data privacy may have an easier time obtaining and leveraging user data.

Furthermore, in the interconnected global economy, data often flows between organizations. A company may send the personal data it collects to a cloud database for storage or a consulting firm for processing. Adopting data privacy principles and practices can help organizations shield user data from misuse even when that data is shared with third parties. Under some regulations, such as the GDPR, organizations are legally responsible for ensuring their vendors and service providers keep data secure.

Finally, new generative artificial intelligence technologies can pose significant data privacy challenges. Any sensitive data fed to these AIs can become part of the tool's training data, and the organization may be unable to control how it is used. For example, engineers at Samsung unintentionally leaked proprietary source code by entering the code into ChatGPT to optimize it.⁶

Additionally, if organizations don't have users' permission to run their data through generative AI, this could constitute a privacy violation under certain regulations.

Formal data privacy policies and controls can help organizations adopt these AI tools and other new technologies without breaking the law, losing user trust or accidentally leaking sensitive information.