27 September 2023  —  Acronis

Personal Data Protection Best Practices

Acronis
Acronis Cyber Protect Home Office
formerly Acronis True Image

What is personal data protection?

Personal data protection refers to the process of securing essential, sensitive data from compromise, corruption or loss.

Traditional data protection rules focus on ensuring that data can be restored following a data-loss event. However, the case with personal data privacy and protection differs. Why is that? Well, if an identifiable, natural person experiences a personal data breach, whoever accesses the compromised data can use it to extort or impersonate them. Here, data recovery won't do much; instead, the user should alert public authorities and ensure to terminate all compromised payment means.

Data protection and privacy aims to outline the sensitive data in a user's data collection and apply top-tier data security so no unauthorized actor or third-party software can access the information.

All the user and location data on different devices — PCs, laptops, smartphones, tablets, etc. — can be used to identify individuals by threat actors. For example, IP addresses are an online identifier because they carry your devices' virtual (and if inspected in-depth — physical) location data. Users must implement appropriate safeguards to protect online identifiers and contextual information.

What is personally identifiable information?

Personally identifiable information (PII), or just "personal information," can be any information identifying a particular individual directly or by combining it with other identifiers. Securing PII is a primary concern for data privacy strategies.

Your name, birthday and address are primary examples of PII. You use them to create accounts on the web, fill out forms, or shop online. A national identification number (passport) or driver's license number are used less frequently, but are straightforward ways of identifying individuals. Then comes ethnic or racial origins, religion, medical, financial, or criminal history. Along with your IP address (if traceable), those are enough to form a social identity profile.

Biometric data — DNA, voice recordings, and fingerprints — can also be used for their holder's identification by third parties.

Video surveillance footage often contains images of different people. If the footage can be used to determine an individual's identity, then the footage is also considered "personal information."

The U.K. GDPR also outlines an "online identifier" class. For example, cookie identifiers can contain personal data in certain circumstances. When you log in to a specific site, the user authentication cookie involves the processing of personal data to enable logging into your account.

Data privacy specifics

Data privacy encompasses personal data collected in different forms. The information doesn't need to be written; it can also point to how data subjects look or sound like — photos, audio and video recordings. In such cases, general data protection regulation and privacy law apply only when the information is processed via "automated means" (electronically) or manually as part of another filing system.

Personal data can point to a directly identifiable natural person, e.g., "Mike's favorite food is lasagna," or be used to indirectly identify the data subject: "Mike's brother adores that specific brand of pizza." (In the latter example, you don't directly know Mike's brother's identity but can indirectly identify him via context and more information).

Even if natural persons use pseudonyms or apply anonymity to their personal data, information processing can be reversed if the natural persons or data subjects can be identified via additional information. In such cases, said data can still be considered "personal." But if the data is irreversibly anonymized and can't be used to identify a natural person in a transparent manner, it is not considered "personal data."

Why are privacy and data protection important?

Nowadays, most of us are submerged in online activities. We use the internet to work, browse social media, purchase goods in online stores, discuss our everyday problems on forums, and more.

It has become a habit to insert your name and age when you create an online account or type in your credit card info when buying takeout. While many services rely on encryption and added security, the information we share online, intentionally and unintentionally, can fall into the hands of unauthorized third parties. If that happens, security breaches can compromise your online accounts and real-life engagements. Moreover, cyber actors can sell the data collected to the highest bidder.

To avoid identity or financial theft, users should be aware of the risks of sharing PII and only share such information with trusted recipients, following the best data privacy practices.

What is "processing" personal data?

Data privacy law governs which scenarios can be deemed "processing personal information."

Processing data essentially relates to using personal data protection in any form — collecting, storing, consulting, retrieving, disclosing or sharing data with another subject, and destroying or erasing it. However, data protection law doesn't apply when data processing is done entirely for personal or household activities.

Privacy and data protection legislation

Data protection and privacy laws (such as GDPR) aim to ensure personal data protection and privacy, data portability and personal data security across a specific communications technology system comprising organizations and businesses on one side and individuals and users on the other. Data privacy guidelines also ensure the same rules apply to all concerned parties.

General Data Protection Regulation (GDPR)

GDPR is the European Union's (E.U.) data privacy legislation that outlines how companies and organizations must process personal data sensibly and securely. GDPR is governed by the European Data Protection Board (EDPB) — an independent E.U. body that ensures consistent data privacy and protection rules are applied across the EU. The EDPB comprises representatives of data protection authorities of the E.U. and European Environment Agency (EEA) countries and the European Data Protection Supervisor (EDPS). The European Commission participates in board meetings and activities without voting rights.

The GDPR aims to protect individuals across all European Union member states from data privacy risks via strict privacy policies concerning both businesses and citizens.

  • Processing personal information must have a defined purpose.
  • Storing personal data in a system only as long as it's necessary.
  • Data processing must be conducted in a safe and secure system.
  • The use of personal data must be legal.
  • The use of personal data must be respectful of the individual's rights.
  • Personal data breaches must be reported to the authorities and each affected identifiable individual within 72 hours.
  • Businesses are responsible for their supplier's GDPR compliance.
  • Sanctions sizes are significant.

Health Insurance Portability and Accountability Act (HIPAA)

HIPAA was enacted under President Bill Clinton in 1996, outlining how healthcare providers can process and use their patients’ personal health data. However, HIPAA regulation rules only apply to so-called "covered entities" — providers (doctors, nurses, dentists, psychologists), health plan data (healthcare insurance companies, government plans), and healthcare clearinghouses processing medical information.

HIPAA guidelines state that covered entities:

  • Must comply with an individual's right to access their health information.
  • Can't use or share health information without the explicit content of the individual.

HIPAA covers all the subject's health data shared with a covered entity. However, if an identifiable natural person shares health data with third-party software — a communications technology application (nutrition app), an information-sharing platform (social media), or another communications technology system not operated by a covered entity — then HIPAA regulations won't apply.

The seven principles of data processing

Below, we will explore the seven principles governing personal data processing according to GDPR's article 5.

Lawfulness, fairness and transparency

The first principle is a "system of principles" comprising three primary data collection concerns — lawfulness, fairness and transparency.

  • Lawfulness

Data processing is lawful if based on one of the grounds listed in GDPR's article 6. User consent is the most prominent ground for legal basis when obtaining and processing personal information. Other grounds include "legitimate interest" (legitimate purposes). You can explore all grounds in more detail here.

  • Fairness

Fairness relates to the processing of personal data carried out in the best interest of the user. It also outlines that the processing should be reasonably expected by the identifiable individual.

  • Transparency

Transparency relates to clearly communicating what, why and how organizations are processing data to individuals whose data they process. This should be done in a way that enables users whose data is processed to understand the methods and scope of the processing clearly.

Purpose limitation

Purpose limitation states that organizations and businesses should only process personal data for the originally intended (and outlined) purpose. Essentially, this principle states that organizations should not reuse collected personal data for purposes other than the one stated in their Privacy and Data Protection Policy.

Data minimization

Data minimization outlines that organizations shouldn't keep data "lying around" on their system if they don't need it for their intended purpose(s). The principle states that organizations should gather only the exact required amount of personal data to deliver a specific service (but not more).

Accuracy

Accuracy focuses on having the most accurate data possible about an individual. Organizations must take "reasonable measures" to ensure that the processed personal data is not factually incorrect and is up-to-date.

This principle is only relevant when the personal data's accuracy is of importance to the subject the data regards.

Storage limitation

Storage limitation is similar to the data minimization principle. It outlines that personal data should be deleted if an organization no longer needs it for the intended purposes.

Organizations and businesses should also implement a comprehensive process to "destroy data in a secure way" — ensuring that removed data is no longer stored on their storage system (devices, cloud), where it could raise a potential security risk.

Integrity and confidentiality

In cybersecurity, there's a term called the "CIA Triad"; it stands for "confidentiality, integrity and availability." The sixth principle concerns two of the three edges of the CIA Triad.

Integrity ensures that the data collected is correct and can't be manipulated by others (for example, every user, business or organization should opt to protect their system against cyber attackers).

Confidentiality ensures that only people with authorized access to personal data are processing it.

Accountability

Accountability outlines that data processors (or "data controllers") take responsibility for their processing actions. The principle ensures that all responsible processing parties are accountable for properly processing sensitive personal data and are compliant with GDPR guidelines.

When discussing accountability, the principle doesn't only require that organizations fulfill the various requirements of the GDPR; it also obliges data processors to document their actions and be able to present them for auditing purposes.

However complex, data privacy and protection legislation can't protect your personal data if you accidentally (or intentionally) share it with unauthorized parties or if a cyberattacker manages to breach your security system. This is why we've compiled our favorite data privacy and protection practices.

Let's go through them together to understand how to keep our personal information away from prying eyes and malicious software.

Protect yourself from phishing attempts

Phishing is the most common form of malicious attack on the internet. Phishing is usually carried out through social engineering campaigns and emails. If you download an infected file or click on a malicious link embedded in the email, attackers may gain access to your device, steal your data or install malware to hold your data for ransom.

You must take a sensible approach to data protection and privacy to counter phishing attempts.

Report any spam or scam you encounter

Many people are seasoned in identifying spam or scam emails. The default reaction after identification is to ignore the email and move on; however, it will serve you better to report the scam email.

Whether you report the scam to your company's IT department, internet service provider or cybersecurity governing body, reporting the email helps others avoid getting scammed out of their sensitive information.

Modern email solutions (e.g., Gmail, Outlook, Yahoo) offer users built-in options to report identified email scams. Moreover, most countries have already established anti-phishing boards battling online scams.

In the U.S., you can turn to the Cyber Security and Infrastructure Agency; in Canada, there's the Canadian Anti-Fraud Centre; and in the U.K., you can contact the National Fraud and Cyber Crime Reporting Centre.

If you're unsure how and who to report to, you can ask an IT specialist or local law enforcement to guide you.

Secure your online shopping

E-commerce sites are a significant part of many people's everyday lives. But however convenient they may be, online stores are a prime target for cybercriminals. Most platforms use third-party transaction vendors, so securing your online shopping to counter financial fraud attempts is crucial.

Here are some guidelines to make your online shopping safer.

Ensure every site you visit is legitimate

Checking the legitimacy of a new online store is critical. You can inspect the URL to see if it begins with "HTTPS." "HTTPS" means the site offers encrypted communication between your browser and the platform. The closed padlock symbol next to the text shows that the platform enables secure transactions.

Moreover, you can click on the site's lock icon and choose "Show certificate." This way, you can view the security certificate and check its issue and expiry dates. Lastly, you can search to find seals of approval from third-party security solutions.

Rely on multifactor authentication

Typically, e-commerce stores ask you to create an account and set up payment info before checkout. If you do so, select a strong password, set up two-factor authentication, and do not tick the box "Save my details for future payments."

Don't use public Wi-Fi networks

Using public Wi-Fi for online shopping is a fundamental no-no. It may be convenient for impulse buys, but it puts your data at significant risk. Since public Wi-Fi rarely has strong defenses, hackers can penetrate the network and quickly learn your name, address, or credit card information.

If you're in a last-resort scenario and must use public Wi-Fi to browse, install and use a VPN to protect data in transit so it can't be tracked, intercepted or stolen by attackers.

Be mindful of what you share on social media

Nowadays, no defense can genuinely protect your sensitive information if you share it on social media.

As most information-sharing platforms offer public access, users can browse your content without an account. Yes, you can set your posts and photos to "Friends Access Only," but who's to say you know all your Facebook friends? Or how many of your Instagram followers are real user accounts? Not to forget Twitter, which is a data search haven that uses hashtags and shared tweets.

Location tags, bank statements, your kids' elementary school, your email, phone number and even educated Netflix recommendations can, in a way, compromise the security of your personal information.

The general rule here is as follows: If you wish to share something other than a vacation photo with your close ones, do it in person or via the phone. If you choose to share it on social media, be aware that anyone on the platform could use some form of exploit to access it.

Acronis Cyber Protect Home Office provides the best data protection and privacy

Every data protection strategy needs a robust antivirus. Even if you are mindful of your browsing habits, a cybersecurity solution adds extra layers of defense to foil snooping third parties.

Acronis Cyber Protect Home Office (formerly Acronis True Image) blocks all malicious software attacks in real time without human supervision. You can also scan your device for existing infections, rid your system of them, and reduce the risk of future data breaches and unwanted cyberattacks.

Acronis Cyber Protect Home Office provides a unique integration of reliable backup and cutting-edge anti-malware technologies that safeguard data against all of today's threats — disk failure, accidental deletion, loss and theft, and security breaches such as cybercriminal attacks. PCMag described it as "an all-encompassing tragedy prevention solution" in their "Editor's Choice" review.

With Acronis Cyber Protect Home Office, individuals and small businesses can back up their data — including operating systems, applications, settings, files and Microsoft 365 accounts to local drives, external hard drives, NAS and the Acronis cloud. In addition, Acronis Cyber Protect Home Office stops cyberattacks — including attacks resulting from zero-day vulnerabilities — from harming both backup and device data with real-time protection, vulnerability assessment, on-demand antivirus scans, web-filtering, ransomware protection and a cryptomining blocker. In case of a disaster, data can be quickly recovered.

Get Acronis Cyber Protect Home Office today!.

About Acronis

Acronis is a Swiss company, founded in Singapore. Celebrating two decades of innovation, Acronis has more than 1,800 employees in 45 locations. The Acronis Cyber Protect Cloud solution is available in 26 languages in over 150 countries and is used by 20,000 service providers to protect over 750,000 businesses.