Learning Objectives
By the end of this section, you will be able to:
- Define data privacy and data security and their importance to the enterprise
- Identify the risks and consequences of not protecting personal data and sensitive information
- Describe how enterprise security and risk policies impact data privacy
- Identify various data privacy regulations and standards mandated to protect privacy information
Data privacy is the state in which data are protected from unauthorized access through the proper handling, processing, storage, and use of data, with regard to consent, notice, and regulatory obligations. Its primary focus is individuals’ right to reasonable protection of their personal information from unauthorized access, disclosure, or abuse. Data security, a component of data privacy, is the implementation of measures that keep data safe from corruption and unauthorized access while preserving confidentiality, integrity, and availability (CIA).1
Data privacy and security are critical to any enterprise for several reasons, including trust and reputation, prevention of financial loss, mitigation of financial risks, and controlled operational risks. Trust in this sense refers to the confidence that consumers have in relation to an organization, while reputation is the collective perception or evaluation of an organization.
Several data protection and management practices have been developed to bolster efforts to keep data safe: assessing and mitigating privacy risks, practicing privacy engineering, and designing products and services that inherently respect and protect the privacy of individuals. A breach can significantly damage an enterprise’s reputation and consumer trust.2 To this end, regulations such as the European Union’s General Data Protection Regulation and the California Consumer Privacy Act require businesses to protect personal data under threat of penalties and other legal action.
The Importance of Enterprise Digital Data Privacy and Data Security
Data privacy and security play a critical role in our ever-expanding digital world. As businesses, governments, and other large enterprises have moved to digital platforms, the amount of data created has increased exponentially. Historically, small companies and large enterprises alike protected their trade secrets, customer information, and intellectual property through training and other mitigating measures. In a nondigital landscape, access to sensitive information was controlled largely through physical security, the protection of buildings, hardware, and assets: locked cabinets, secure rooms, and need-to-know restrictions under which only those with explicit permission could reach certain data. Personnel were trained to handle information carefully, and physical controls ensured that unauthorized individuals could not gain access. As technology has advanced, far more data are now stored electronically, transmitted over the internet, and accessed from the cloud, and data are therefore much more susceptible to breaches, accidental disclosures, and exploitation by bad actors. A bad actor is a person or entity who breaks into a computer or system with malicious intent. Data privacy involves ensuring the responsible use of personal information throughout the data life cycle, and it underpins the fundamental principles of ethical business practice. For example, when a customer signs up for an online service, their data are collected, stored, and used for account setup and personalized recommendations; after the service is canceled, the data are archived for compliance purposes and eventually deleted in accordance with retention policies.
A data breach, unauthorized access to confidential data that often leads to the exposure of sensitive information, is a common occurrence. What is staggering, however, is the sheer number of user accounts compromised as a result. For example, in 2024, billions of records from the background check service National Public Data (NPD) were exposed, affecting hundreds of millions of people. The exposed records contained sensitive items such as Social Security numbers, birth dates, and mailing addresses.3
Also in 2024, AT&T disclosed two incidents. In March, data on roughly 73 million current and former account holders, including names, addresses, and Social Security numbers, surfaced on the dark web; in July, the company revealed that call and text records for nearly all of its wireless customers had been taken from a third-party cloud platform. Together these incidents highlighted weaknesses in how customer data are stored, including at vendors, and the growing challenge of securing that data against increasingly sophisticated cyberattacks.
Another major breach in 2024 affected Change Healthcare, a service provider to UnitedHealth. A ransomware attack disrupted health-care operations nationwide, affecting claims processing and payments for weeks. It was revealed that sensitive medical data, such as diagnoses, test results, and treatments for a substantial proportion of Americans, had been stolen. The financial and operational fallout from this attack underscored the critical importance of cybersecurity in health care.
Information generation has not grown in a steady, linear fashion; rather, it has increased exponentially as companies have leveraged digital assets to maintain growth amid competition. For example, in the late 1970s, the internet was in its early stages of development. The World Wide Web became publicly available in 1991, and at that point, the internet was primarily text-based with limited multimedia content. As shown in Figure 6.2, the internet is remarkably different today from its original iteration.
The volume of data has increased exponentially due to the digital evolution, with global internet traffic growing from 100 GB per day in 1992 to 150.7 TB per second by 2022,4 driven by vast amounts of content generated and shared across various platforms. These figures highlight the explosion of data generation and consumption over the past few decades, an explosion that’s been driven by technological advancements and the digitization of various aspects of life. The challenge today lies not only in managing the volume of this data, but also in harnessing it effectively and ethically. In other words, it is a complex challenge that underscores the importance of data privacy and security.
Future Technology
The Future of Data Provenance
As entities continue to collect data from devices, websites, and social media platforms, an important issue has arisen concerning the proper handling, integrity, and use of those data. Data provenance has emerged as one way to reduce the threats of data mishandling, contamination, and leakage. Data provenance is the documentation of a dataset’s life cycle, which is essential for ensuring data quality and for demonstrating compliance, that is, adherence to the laws, regulations, and policies governing the industry or operation. Three pillars comprise data provenance:
- Source provenance: tracking the origins of data
- Transformation provenance: documenting the changes and processes the data undergo
- Usage provenance: details on how data are accessed and used
Data provenance ensures trust and transparency, aids in meeting compliance with legal requirements, and facilitates data reuse and reproducibility.
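One way to make those three pillars verifiable, as an added example that is not part of the original text: each provenance record carries a digest of the dataset as it stood after that step and the hash of the record before it, so an edited record, a dropped step, or a live dataset that no longer matches its last recorded digest is detected. The dataset, actor names, and steps below are constructed for illustration.

```python
"""Hash-chained data provenance ledger (added example; dataset and actors constructed)."""
import hashlib
import json
from dataclasses import dataclass, asdict
from typing import List, Optional, Tuple


def digest(data: bytes) -> str:
    """SHA-256 of a dataset snapshot: the integrity anchor for each record."""
    return hashlib.sha256(data).hexdigest()


@dataclass
class ProvenanceRecord:
    kind: str          # "source", "transformation" or "usage" (the three pillars)
    actor: str         # system or person responsible for the step
    description: str
    data_digest: str   # digest of the dataset as it exists after this step
    prev_hash: str     # hash of the preceding record; links the chain
    record_hash: str = ""

    def compute_hash(self) -> str:
        # Canonical JSON of every field except the hash itself, so any edit
        # to a stored record changes its hash and breaks the chain.
        body = {k: v for k, v in asdict(self).items() if k != "record_hash"}
        canonical = json.dumps(body, sort_keys=True, separators=(",", ":"))
        return hashlib.sha256(canonical.encode()).hexdigest()


class ProvenanceLedger:
    GENESIS = "0" * 64  # prev_hash of the first record

    def __init__(self) -> None:
        self.records: List[ProvenanceRecord] = []

    def append(self, kind: str, actor: str, description: str, data: bytes) -> ProvenanceRecord:
        prev = self.records[-1].record_hash if self.records else self.GENESIS
        rec = ProvenanceRecord(kind, actor, description, digest(data), prev)
        rec.record_hash = rec.compute_hash()
        self.records.append(rec)
        return rec

    def verify(self, current_data: Optional[bytes] = None) -> bool:
        """True only if every link and record hash is intact and, when given,
        the live dataset still matches the last recorded digest."""
        prev = self.GENESIS
        for rec in self.records:
            if rec.prev_hash != prev or rec.record_hash != rec.compute_hash():
                return False
            prev = rec.record_hash
        if current_data is not None and self.records:
            return digest(current_data) == self.records[-1].data_digest
        return True


# Constructed sample export (hypothetical customers).
RAW_EXPORT = (b"customer_id,email,purchase_total\n"
              b"1,alice@example.com,42.10\n"
              b"2,bob@example.com,17.95\n")


def pseudonymize(raw: bytes) -> bytes:
    """Replace the e-mail column with a truncated hash (the transformation step)."""
    lines = raw.decode().splitlines()
    out = [lines[0]]
    for line in lines[1:]:
        cid, email, total = line.split(",")
        token = hashlib.sha256(email.encode()).hexdigest()[:12]
        out.append(f"{cid},{token},{total}")
    return ("\n".join(out) + "\n").encode()


def build_example_ledger() -> Tuple[ProvenanceLedger, bytes]:
    """Source -> transformation -> usage for the sample export; returns the
    ledger and the dataset as it exists after the last recorded step."""
    ledger = ProvenanceLedger()
    ledger.append("source", "crm-export-job", "nightly CRM export", RAW_EXPORT)
    clean = pseudonymize(RAW_EXPORT)
    ledger.append("transformation", "etl-pipeline", "pseudonymized e-mail column", clean)
    ledger.append("usage", "analytics-team", "read for churn model training", clean)
    return ledger, clean


if __name__ == "__main__":
    ledger, final = build_example_ledger()
    print("chain intact:", ledger.verify(final))
    ledger.records[1].description = "edited after the fact"
    print("after tampering with a record:", ledger.verify(final))
```

The chain only proves that the stored history is self-consistent; who is allowed to append to it, and where the ledger itself is kept, is an access-control question the code above does not settle.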
Data privacy and security are no longer mere IT issues. Rather, they form an essential aspect of an enterprise’s strategic planning. Today, businesses are expected to be stewards of the data they hold, protecting information from breaches and ensuring its appropriate use. As a result, enterprises are investing significantly in data security measures and privacy protocols to safeguard customer data (and thereby maintain trust) and to comply with increasingly stringent regulations. Security breaches can result in massive financial and reputational damage. Thus, the need for robust data privacy measures is critical.
Consider the cases of SolarWinds and MGM Resorts. SolarWinds develops software for managing and monitoring computer networks. In 2020, attackers inserted a backdoor into a legitimate update of its Orion platform; the tainted update was distributed to thousands of organizations worldwide, including U.S. government agencies, and showed how vulnerable even sophisticated, well-protected networks are when a trusted supplier is compromised.5,6 In 2023, MGM Resorts in Las Vegas, Nevada, was the victim of a ransomware attack that caused significant outages of systems such as door locks, key card readers, and other hotel amenities. The attack, carried out with BlackCat (ALPHV) ransomware by operators who used social engineering against the company’s IT help desk to gain access to critical systems, cost MGM more than $100 million in lost revenue.7 These attacks underscore that data privacy is integral to maintaining consumer trust and the smooth operation of critical infrastructure, and in extreme cases can be a national security concern.
Finally, it is essential to acknowledge the international dimensions of data privacy. In an interconnected world where enterprises often operate across borders, understanding the nuances of privacy regulations and practices in different regions is key, because most privacy laws apply based on where the individual is located or where the organization operates, not on the person’s citizenship. Whether it is the comprehensive, rights-based model of the EU’s General Data Protection Regulation (GDPR), the sector-specific and state-by-state approach of the United States, or the diverse and evolving landscape of data privacy regulation in Asia and Australia, businesses need to be equipped to navigate these varying regimes while upholding their commitment to data privacy and security.
Risks and Consequences of Unprotected Personal Data and Sensitive Information
Unprotected personal data and sensitive information pose a variety of risks, with far-reaching consequences that extend beyond the digital realm. Cyber threats such as data breaches and identity theft (the act of stealing someone’s information and assuming their identity) represent the most immediate risks of unprotected personal data. Bad actors sometimes wait months or years before exploiting breached data, so that the breach itself goes unnoticed.
In 2024, IBM’s annual Cost of a Data Breach report revealed that the global average cost of a data breach has reached $4.88 million, marking a 10 percent increase from the previous year. This underscores the growing financial impact of data breaches on organizations worldwide.8 Beyond the financial loss, a data breach can also result in a severe loss of customer trust, tarnishing the organization’s reputation. This may take years to rebuild and could lead to a long-term decrease in the company’s market value.
One of the most striking examples is the 2017 Equifax breach, which exposed the personal information, including Social Security numbers, of nearly 147 million people. In its aftermath, the company faced hundreds of millions of dollars in legal fees and reparations, and its stock fell by more than 30 percent.9 The resulting settlement set aside up to $425 million for consumers affected by the breach, and as of 2024 Equifax had invested more than $1.6 billion in improving its security and technology.10
Cyber Espionage
The use of online methods to obtain secret or confidential information without the permission of the holder of the information, typically for strategic, military, or political advantage, is considered cyber espionage. The risk of cyber espionage continues to escalate, with unprotected personal data often being the target. A widely discussed intrusion from 2022 is the Uber breach, in which an attacker linked to the Lapsus$ group used a contractor’s stolen credentials and repeated multifactor authentication prompts until one was approved, then moved into Uber’s internal systems, including its Slack workspace and internal tools. Uber reported no evidence that sensitive user data had been accessed, but the incident disrupted operations, raised concerns about the protection of user and employee data, and highlighted weaknesses in corporate cybersecurity practices. Additionally, the persistent threat of ransomware remains a major concern. Ransomware attacks encrypt or exfiltrate an organization’s data and demand payment for its return or for not publishing it, and they have grown significantly in sophistication and frequency, further emphasizing the need for robust data security measures.
Reputational Harm
Unprotected personal data and sensitive information pose a significant risk to both businesses and individuals. Data can be exploited for fraudulent activities, identity theft, and other malicious acts. But the repercussions of inadequate data protection extend beyond immediate financial harm and can significantly damage an organization’s reputation and erode customer trust. Trust is a critical element of customer loyalty and a significant factor in a business’s success. When customers provide businesses with their personal data, they are entrusting those businesses to keep their information safe. A data breach can lead to a breach of that trust, which can be challenging to restore.
According to IBM’s report, the largest contributor to the cost of a data breach was “lost business,” which includes customer attrition, reputation damage, increased customer acquisition costs, and lost revenue opportunities.11 One high-profile example is the 2013 Target breach, in which attackers who had entered the network with credentials stolen from a third-party HVAC vendor took the credit and debit card information of 40 million customers. The breach cost Target approximately $291 million and caused significant damage to its reputation: its sales decreased dramatically in the last quarter of 2013, and fewer households reported shopping at Target.12
The rise of privacy-conscious consumers, those who are aware of and concerned about how their personal data are collected and shared, means that businesses must be even more diligent in their data protection efforts. A 2020 Cisco report found that 84 percent of consumers care about data privacy and 80 percent are willing to act to protect it, for example by switching away from companies with poor data practices or policies.13 Organizations must therefore continue to invest significantly in data security measures and privacy protocols to safeguard their customers’ data, maintain trust, and comply with increasingly stringent regulations.
How Enterprise Security and Risk Policies Impact Data Privacy
Enterprise security and risk policies are fundamental in shaping an organization’s approach to data privacy. To make these policies effective, organizations often draw on established frameworks and guidance, such as the white papers and research published by the Information Systems Audit and Control Association (ISACA). Academic journals including MIS Quarterly Executive (MISQE), the Journal of Management Information Systems (JMIS), Communications of the ACM (CACM), the Journal of the Association for Information Systems (JAIS), and Communications of the AIS (CAIS) are reputable sources for the latest advances in the science of privacy. Two closely related approaches, Privacy by Design and privacy engineering, turn policy into practice; they pursue different but complementary goals, as described next.
Privacy by Design and Privacy Engineering
To make these principles actionable, standards such as ISO/IEC 27701 for privacy information management and frameworks such as Privacy by Design (PbD), formulated by Ann Cavoukian,14 are invaluable. Cavoukian characterized the approach as proactive rather than reactive: it anticipates privacy-invasive events before they occur. Such tools allow businesses to convert abstract, principles-based legal mandates into implementable technical privacy controls compatible with existing security measures. Privacy by Design rests on seven foundational principles (Figure 6.3): proactive not reactive, preventative not remedial; privacy as the default setting; privacy embedded into design; full functionality (positive-sum, not zero-sum); end-to-end security across the full data life cycle; visibility and transparency; and respect for user privacy. By adhering to such standards, organizations can mitigate risks and foster trust, which is particularly vital in an age where data breaches and cyberattacks are increasingly sophisticated and damaging.
Considering all these threats, several national and international organizations, corporations, and governments have taken measures to promote data protection and integrity. Through features such as App Tracking Transparency and clear privacy labels on the App Store, Apple provides users with greater visibility and control over how their data are used, although the overall architecture of its platform remains relatively closed compared with more open platforms.
Data scientists suggest that data are providing an endless stream of new digital capital. However, organizations that fail to take data privacy and security seriously may lose their competitive edge as well as customer trust, and/or face regulatory action. Tackling the massive scale and complexity of data management requires the implementation of robust, risk-based frameworks.
Privacy engineering is the discipline that puts these ideas into practice: it incorporates privacy principles directly into the design and development of IT systems, networks, and business practices, rather than treating privacy as an afterthought, so that enterprises can effectively mitigate risks and better protect user data. Some examples of privacy engineering in production systems include:
- Google’s differential privacy: Differential privacy lets Google learn from aggregate data while mathematically limiting what any released statistic reveals about a particular individual; calibrated random noise is added to each aggregate so that the result barely changes whether or not any one person’s data are included. Google has used this in Google Maps to show busy times at restaurants and other locations without divulging any user’s location history.
- Apple’s Privacy Labels: Apple has developed Privacy Labels for its App Store. These labels provide simple, straightforward summaries of an app’s privacy practices, written in plain language, telling consumers what data an app collects and whether the data are linked to them or used to track them.
- Microsoft’s Data Loss Prevention (DLP): Microsoft’s DLP solution identifies sensitive information, such as financial account numbers or government identifiers, across Exchange Online, SharePoint, OneDrive for Business, and Microsoft Teams, and applies policy actions such as warning, blocking, or encrypting so that data are not inadvertently shared with the wrong people. DLP is effective at enforcing controls against data leakage through these channels, but it does not address physical security.
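The Laplace mechanism behind the busy-times example in the list above, as an added illustration rather than Google’s code: each visitor contributes to exactly one hour bucket, so adding noise of scale 1/epsilon to every bucket gives epsilon-differential privacy, and the worst-case ratio of output probabilities between two datasets that differ by one visitor stays within exp(epsilon). The check-ins and epsilon values are constructed.

```python
"""Laplace-mechanism differential privacy for a 'busy times' histogram
(added example; check-ins and epsilon values are constructed)."""
import math
import random
from collections import Counter
from typing import Dict, Iterable, List, Tuple

# Constructed sample: (visitor_id, hour_of_day). Each visitor appears once,
# so removing one person changes exactly one bucket by exactly one.
SAMPLE_CHECKINS: List[Tuple[str, int]] = [
    ("u1", 12), ("u2", 12), ("u3", 12),
    ("u4", 13), ("u5", 13),
    ("u6", 18), ("u7", 18), ("u8", 18), ("u9", 18),
]


def visits_per_hour(checkins: Iterable[Tuple[str, int]]) -> Dict[int, int]:
    """The exact histogram; this is what must never be released as-is."""
    return dict(Counter(hour for _, hour in checkins))


def neighbouring_difference(checkins: List[Tuple[str, int]], visitor_id: str) -> int:
    """L1 distance between the histograms with and without one visitor.
    This is the sensitivity the noise scale is calibrated to (always 1 here)."""
    full = visits_per_hour(checkins)
    without = visits_per_hour([c for c in checkins if c[0] != visitor_id])
    return sum(abs(full.get(h, 0) - without.get(h, 0)) for h in set(full) | set(without))


def laplace_sample(scale: float, rng: random.Random) -> float:
    """Laplace(0, scale) via the inverse CDF."""
    u = rng.random() - 0.5
    return -scale * math.copysign(1.0, u) * math.log(max(1e-300, 1.0 - 2.0 * abs(u)))


def private_histogram(counts: Dict[int, int], epsilon: float,
                      rng: random.Random) -> Dict[int, float]:
    """epsilon-DP release: sensitivity 1, so Laplace(1/epsilon) noise per bucket.
    Clamping negatives to zero is post-processing and does not weaken the guarantee."""
    scale = 1.0 / epsilon
    return {h: max(0.0, c + laplace_sample(scale, rng)) for h, c in counts.items()}


def release_busy_times(checkins: List[Tuple[str, int]], epsilon: float,
                       seed: int) -> Dict[int, float]:
    """Seeded wrapper so a release is reproducible for inspection."""
    return private_histogram(visits_per_hour(checkins), epsilon, random.Random(seed))


def laplace_pdf(x: float, scale: float) -> float:
    return math.exp(-abs(x) / scale) / (2.0 * scale)


def worst_case_privacy_loss(true_count: int, epsilon: float,
                            candidate_outputs: Iterable[float]) -> float:
    """Largest ratio, over the candidate outputs, between the probability of
    that output when one extra visitor is present and when they are absent."""
    scale = 1.0 / epsilon
    worst = 1.0
    for y in candidate_outputs:
        r = laplace_pdf(y - true_count, scale) / laplace_pdf(y - (true_count + 1), scale)
        worst = max(worst, r, 1.0 / r)
    return worst


def satisfies_dp_bound(true_count: int, epsilon: float,
                       candidate_outputs: Iterable[float]) -> bool:
    """The definition of epsilon-DP: no output may be more than exp(epsilon)
    times likelier under one of two neighbouring datasets than the other."""
    return worst_case_privacy_loss(true_count, epsilon, candidate_outputs) <= math.exp(epsilon) + 1e-9


if __name__ == "__main__":
    print("exact:   ", visits_per_hour(SAMPLE_CHECKINS))
    print("eps=1.0: ", release_busy_times(SAMPLE_CHECKINS, 1.0, seed=3))
    print("eps=0.1: ", release_busy_times(SAMPLE_CHECKINS, 0.1, seed=3))
```

Smaller epsilon means more noise and a stronger guarantee; with a very large epsilon the release is almost exact and reveals nearly everything, which is why the budget, not the noise code, is the policy decision. Repeated releases of the same statistic consume that budget cumulatively.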
Privacy by Design, then, sets the framework and objectives for privacy, while privacy engineering is the technical and operational work of meeting them: the specific methodologies, tools, and technologies that protect individuals’ privacy and satisfy regulatory requirements, including data protection features, secure data processing, and privacy-preserving technologies. Unlike Privacy by Design, which is a set of design principles, privacy engineering is concerned with the actual implementation of data protection controls in real systems. A simple product-level example is Snapchat, which limits how long a message can be viewed once it is sent.
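Detection logic of the kind a DLP policy, like the Microsoft offering listed above, runs over outbound content, written here as an added example and not Microsoft’s implementation: a pattern match alone would flag any 16-digit reference number, so the card detector also requires the Luhn checksum, and the SSN pattern rejects number ranges that are never issued. The messages are constructed.

```python
"""Regex-plus-checksum content inspection for SSNs and payment card numbers
(added example; messages are constructed)."""
import re
from typing import List, Tuple

# SSN AAA-GG-SSSS: reject area 000, 666 and 900-999, group 00, serial 0000.
SSN_RE = re.compile(r"\b(?!000|666|9\d\d)\d{3}-(?!00)\d{2}-(?!0000)\d{4}\b")
# 13-19 digits with optional single spaces or hyphens between them.
CARD_RE = re.compile(r"\b\d(?:[ -]?\d){12,18}\b")


def luhn_ok(digits: str) -> bool:
    """Mod-10 checksum every real card number satisfies; it filters out
    invoice numbers and other long digit runs that merely look like cards."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:          # double every second digit from the right
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def find_sensitive(text: str) -> List[Tuple[str, str]]:
    """Return (type, matched_text) pairs for SSNs and Luhn-valid card numbers."""
    findings = [("ssn", m.group(0)) for m in SSN_RE.finditer(text)]
    for m in CARD_RE.finditer(text):
        digits = re.sub(r"[ -]", "", m.group(0))
        if luhn_ok(digits):
            findings.append(("card", m.group(0)))
    return findings


def redact(text: str) -> str:
    """What a 'block and mask' DLP action would hand on instead of the original."""
    for kind, value in find_sensitive(text):
        text = text.replace(value, f"[REDACTED-{kind.upper()}]")
    return text


def scan(messages: List[str]) -> List[Tuple[int, str, str]]:
    """Run the policy over a batch; returns (message_index, type, value)."""
    return [(i, kind, value)
            for i, msg in enumerate(messages)
            for kind, value in find_sensitive(msg)]


# Constructed outbound messages, including two deliberate near-misses.
SAMPLE_MESSAGES = [
    "Ticket 48213: customer SSN 123-45-6789 attached for verification",
    "Card on file 4111 1111 1111 1111, expiry 09/27",
    "Reference number 4111 1111 1111 1112 (looks like a card but fails Luhn)",
    "Placeholder 000-12-3456 is not a valid SSN",
]

if __name__ == "__main__":
    for idx, kind, value in scan(SAMPLE_MESSAGES):
        print(f"message {idx}: {kind} -> {value}")
    print(redact(SAMPLE_MESSAGES[1]))
```

Real DLP engines add context (nearby words such as “SSN” or “card”), confidence levels, and fingerprinting of known documents on top of this, but the two checks shown are what keep the false-positive rate low enough for a blocking policy to be tolerable.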
Careers in IS
Data Privacy and Security Career Options
With its ever-evolving challenges and emerging practices, the area of data privacy and security offers many exciting opportunities. Those seeking to work in this field may consider these roles, for example:
- Privacy analyst/privacy consultant: A specialist who assesses and advises organizations on complying with data protection laws and regulations. They analyze privacy policies, conduct privacy impact assessments, and recommend strategies to protect personal data.
- Chief privacy officer (CPO): A high-level executive responsible for an organization’s data privacy policies and procedures. The CPO ensures compliance with privacy laws, oversees data protection strategies, and manages privacy risks.
- Cybersecurity analyst: A professional who focuses on protecting an organization’s computer systems and networks. They monitor for breaches, investigate security incidents, and implement security measures to safeguard sensitive data.
- Information security manager: A role responsible for overseeing and managing an organization’s information security program. They develop and implement policies and procedures to protect data from unauthorized access, disclosure, alteration, and destruction.
- Compliance officer: A role that involves ensuring an organization meets external regulatory requirements and internal policies, especially concerning data protection and privacy laws.
- Data protection lawyer: A legal professional specializing in data protection and privacy law. They advise clients on compliance with data protection regulations, represent in case of data breaches, and help draft privacy policies.
Third-Party Risks
A key aspect of security and risk policies is the management of third-party risks, including third-party access, which is access to data from an external entity. In an interconnected digital ecosystem, organizations often share data with partners, vendors, and other third parties. This is particularly significant given the rise of cloud computing, which is the delivery of computing services over the internet, and Software as a Service (SaaS), which is a software distribution model in which applications are hosted by a third-party provider and made available to customers over the internet, typically on a subscription basis. For instance, Amazon Web Services, Google Cloud, and Microsoft Azure handle vast amounts of data from countless businesses. These enterprises must ensure that their security policies cover these relationships and that third parties meet stringent security standards.
The measures that enterprises can adopt include regular audits and inspections, solid contractual agreements regarding data handling, and clear communication about responsibilities in the event of a security breach. Furthermore, an enterprise’s data might be shared with a third party not only for storage purposes, but also for processing. Many businesses employ third-party data analytics firms to make the most of their collected information.
Future Technology
Two Privacy Developments on the Horizon
The future of technology in information systems paints a promising picture for data privacy and protection. Here’s a brief look at two key developments:
- Federated learning: An emerging concept in machine learning, federated learning allows a model to be trained across multiple decentralized devices or servers holding local data samples, without exchanging the data samples themselves. This helps to maintain privacy as raw data never leave their original device.15
- Homomorphic encryption: A form of encryption allowing computations to be carried out on encrypted data, homomorphic encryption produces an encrypted result that, when decrypted, matches the result of operations performed on the plain data. This means sensitive data can be processed securely in encrypted form, without ever needing to be decrypted, thereby maintaining data privacy.16
These technologies demonstrate how the future of information systems may uphold robust data protection while still leveraging the benefits of data-driven insights. As these technologies mature, they will play an increasingly significant role in securing information systems and ensuring data privacy.
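The two developments combine naturally: in federated learning each client sends only a model update, and with an additively homomorphic scheme such as Paillier the server can sum those updates while seeing nothing but ciphertexts. The following is an added example, not code from the cited sources; the primes are toy-sized, the client updates are constructed, and it assumes the aggregating server and the holder of the decryption key are separate parties.

```python
"""Federated averaging over Paillier ciphertexts (added example; toy primes,
constructed client updates, separate server and key holder assumed)."""
import math
import random
from typing import List, Tuple

PubKey = Tuple[int, int]    # (n, g)
PrivKey = Tuple[int, int]   # (lambda, mu)
SCALE = 1000                # fixed-point encoding: three decimal places


def keygen(p: int, q: int) -> Tuple[PubKey, PrivKey]:
    """Paillier key pair. Real deployments use >=1024-bit primes; the toy
    primes used below make the modulus trivially factorable."""
    n = p * q
    lam = (p - 1) * (q - 1) // math.gcd(p - 1, q - 1)   # lcm(p-1, q-1)
    g = n + 1                                            # standard generator choice
    mu = pow(lam, -1, n)     # with g = n+1, L(g^lam mod n^2) = lam mod n
    return (n, g), (lam, mu)


def encrypt(pub: PubKey, m: int, rng: random.Random) -> int:
    n, g = pub
    n2 = n * n
    if not 0 <= m < n:
        raise ValueError("message out of range")
    r = rng.randrange(1, n)
    while math.gcd(r, n) != 1:      # r must be a unit mod n
        r = rng.randrange(1, n)
    return (pow(g, m, n2) * pow(r, n, n2)) % n2


def decrypt(pub: PubKey, priv: PrivKey, c: int) -> int:
    n, _ = pub
    lam, mu = priv
    n2 = n * n
    L = (pow(c, lam, n2) - 1) // n
    return (L * mu) % n


def add_encrypted(pub: PubKey, c1: int, c2: int) -> int:
    """E(a) * E(b) mod n^2 decrypts to a + b mod n: the additive homomorphism."""
    n = pub[0]
    return (c1 * c2) % (n * n)


def homomorphic_sum(pub: PubKey, priv: PrivKey, a: int, b: int, seed: int) -> int:
    rng = random.Random(seed)
    return decrypt(pub, priv, add_encrypted(pub, encrypt(pub, a, rng), encrypt(pub, b, rng)))


def encode(x: float, n: int) -> int:
    """Signed fixed-point value -> Z_n (negatives wrap, like two's complement)."""
    return round(x * SCALE) % n


def decode(m: int, n: int) -> float:
    return (m - n if m > n // 2 else m) / SCALE


def client_encrypt(pub: PubKey, update: List[float], rng: random.Random) -> List[int]:
    """Each client encrypts its own model update under the shared public key."""
    return [encrypt(pub, encode(x, pub[0]), rng) for x in update]


def server_aggregate(pub: PubKey, encrypted_updates: List[List[int]]) -> List[int]:
    """The server has no private key: it multiplies ciphertexts component-wise
    and never learns any individual client's update."""
    total = encrypted_updates[0]
    for upd in encrypted_updates[1:]:
        total = [add_encrypted(pub, a, b) for a, b in zip(total, upd)]
    return total


def key_holder_average(pub: PubKey, priv: PrivKey, summed: List[int],
                       n_clients: int) -> List[float]:
    """A party other than the aggregating server holds the private key and
    releases only the average, never the contributions."""
    n = pub[0]
    return [decode(decrypt(pub, priv, c), n) / n_clients for c in summed]


SAMPLE_UPDATES = [        # constructed gradient updates from three clients
    [0.5, -0.25, 1.0],
    [0.1, 0.35, -0.6],
    [-0.3, 0.2, 0.4],
]


def federated_round(updates: List[List[float]], p: int = 1009, q: int = 1013,
                    seed: int = 42) -> List[float]:
    pub, priv = keygen(p, q)
    rng = random.Random(seed)
    encrypted = [client_encrypt(pub, u, rng) for u in updates]
    summed = server_aggregate(pub, encrypted)
    return key_holder_average(pub, priv, summed, len(updates))


if __name__ == "__main__":
    print([round(v, 3) for v in federated_round(SAMPLE_UPDATES)])
```

The sum of encoded values must stay below n/2 for the signed decoding to be correct, so the fixed-point scale and the number of clients bound each other; and if the same party both aggregated and decrypted, it could decrypt each client’s update individually, which is why the key holder is kept separate.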
For stakeholders such as investors and partners, solid security policies signal the organization’s proactive stance toward risk management, which can increase their confidence in the organization’s resilience against potential data breaches. The best policies will be those that keep evolving with the changing technology landscape and regulatory environment, continuously fostering a culture of privacy and accountability in the organization. Accountability means that people and entities take responsibility for the decisions they make and are able to explain them.
Data Privacy Regulations and Standards
Data privacy regulations and standards have become increasingly important in today’s data-driven world. With vast quantities of personal data being collected and processed daily, these regulations ensure the safeguarding of personal information and provide a standardized approach for businesses to manage data privacy. Across the globe, nations are developing regulations to address this ever-evolving need. For example, the Personal Data Protection Act (PDPA) in Singapore strives to protect personal data across the economy by serving as a complement to sector-specific legislative and regulatory frameworks.17 Meanwhile, in Brazil, the Lei Geral de Proteção de Dados (LGPD) came into effect in August 2020, aligning the country more closely with the global trend toward stricter data privacy regulation.18 The General Data Protection Regulation (GDPR) is a comprehensive data protection law in the European Union that sets guidelines for the collection and processing of personal information of individuals within the EU.19 The GDPR represents a major shift in data privacy regulation. It introduced stricter requirements for consent, which is the explicit permission given by an individual for the collection, processing, and use of their personal information; expanded data subject rights, such as the right to be forgotten, the right to data portability, and the right to object to processing; and steeper penalties for noncompliance, up to 4 percent of an organization’s global annual turnover or 20 million euros, whichever is higher.20
In a similar manner, the California Consumer Privacy Act (CCPA), which increases privacy rights and consumer protection for residents of California, has set a benchmark for data privacy in the United States21 (Table 6.1). Although it applies only to businesses that meet certain thresholds (such as gross annual revenues over $25 million), the CCPA, as amended by the California Privacy Rights Act (CPRA) in 2023, has influenced data practices well beyond California and has already inspired similar legislation in other states, such as Virginia and Colorado, with federal legislation a continuing possibility.22 Under the CCPA, businesses must disclose what data they collect, sell, or share, and consumers can opt out of the sale or sharing of their data, request deletion of their data, or access the data that businesses have collected about them.
Provision | CCPA | GDPR
---|---|---
Effective date | January 1, 2020 (enforcement began July 1, 2020) | May 25, 2018
Who must comply | For-profit businesses doing business in California that meet revenue or data-volume thresholds, along with their service providers and third parties | Organizations established in the EU, and organizations anywhere that offer goods or services to, or monitor the behavior of, individuals in the EU (controllers and processors)
Whom it protects | California residents (consumers) | Individuals in the EU (data subjects), regardless of citizenship
Data in scope | Personal information that identifies or could reasonably be linked to a consumer or household | Any personal data relating to an identified or identifiable natural person
Fines for noncompliance | Up to $2,500 per violation and $7,500 per intentional violation, plus statutory damages of $100–$750 per consumer per incident in private actions over breaches | Up to 20 million euros or 4 percent of global annual turnover, whichever is higher, for the most serious violations; up to 10 million euros or 2 percent for lesser ones
However, it’s not just regulatory compliance that organizations need to consider. Industry standards also play a crucial role in shaping how businesses protect personal data. For instance, the International Organization for Standardization (ISO) has introduced ISO/IEC 27701, an extension to ISO/IEC 27001, the international standard for information security management systems. ISO/IEC 27701 provides guidance on how to manage privacy information, essentially translating privacy principles from regulations like the GDPR into actionable controls. This involves not only technical measures, but also administrative ones, such as defining roles and responsibilities, maintaining records of processing activities, and ensuring proper data breach response procedures.23 By adopting ISO/IEC 27701, organizations can demonstrate their commitment to privacy, reassure customers and stakeholders, and potentially gain a competitive advantage.
Businesses will also need to consider other relevant regulations in their respective jurisdictions. For instance, in Canada, businesses must comply with the Personal Information Protection and Electronic Documents Act (PIPEDA), which establishes basic rules for the use, collection, and disclosure of personal information by private sector organizations during commercial activities. Similarly, in Australia, the Privacy Act 1988 mandates how personal information is to be handled.
Moving forward, as data privacy issues continue to rise in prominence, we can expect further evolution in both legislation and industry standards. Companies will need to stay vigilant and adaptive, not just to avoid penalties, but also to earn and maintain their customers’ trust and loyalty. This is particularly true in an era where data privacy is increasingly seen as a differentiator and a competitive advantage. Trust in how businesses handle personal data can significantly impact their brand reputation, customer relationships, and, ultimately, their bottom line.
The landscape of data privacy is becoming increasingly complex, and staying abreast of these regulations and standards is crucial for businesses.
Footnotes
- 1Kim B. Schaffer, Peter Mell, Hung Trinh, and Isabel Van Wyk, “Recommendations for Federal Vulnerability Disclosure Guidelines,” NIST Special Publication 800-216, National Institute of Standards and Technology, May 24, 2023, https://doi.org/10.6028/NIST.SP.800-216
- 2Hsiangting Shatina Chen and Tun-Min Jai, “Trust Fall: Data Breach Perceptions from Loyalty and Non-Loyalty Customers,” The Service Industries Journal, 41, no. 13–14 (2021): 947–963
- 3Daniel Hooven, “2.9 Billion Reasons To Be Concerned—The Latest on the National Public Data Breach,” Schneider Downs, August 21, 2024, https://schneiderdowns.com/our-thoughts-on/npd-breach/
- 4World Bank, World Development Report 2021: Data for Better Lives (World Bank, 2022), https://doi.org/10.1596/978-1-4648-1600-0
- 5Cybersecurity and Infrastructure Security Agency, “Remediating Networks Affected by the SolarWinds and Active Directory/M365 Compromise,” U.S. Department of Homeland Security, May 14, 2021, https://www.cisa.gov/news-events/news/remediating-networks-affected-solarwinds-and-active-directorym365-compromise
- 6Cybersecurity and Infrastructure Security Agency, “Advanced Persistent Threat Compromise of Government Agencies, Critical Infrastructure, and Private Sector Organizations,” U.S. Department of Homeland Security, April 15, 2021, https://www.cisa.gov/news-events/cybersecurity-advisories/aa20-352a
- 7Arielle Waldman, “MGM Faces $100M Loss from Ransomware Attack,” TechTarget, October 6, 2023, https://www.techtarget.com/searchsecurity/news/366554695/MGM-faces-100M-loss-from-ransomware-attack
- 8IBM, Cost of a Data Breach Report: 2024 (IBM, 2024), https://table.media/wp-content/uploads/2024/07/30132828/Cost-of-a-Data-Breach-Report-2024.pdf
- 9“Equifax to Pay $700m over Breach That Exposed Data of 150m People,” The Guardian, July 22, 2019, https://www.theguardian.com/us-news/2019/jul/22/equifax-data-breach-security-ftc-settlement
- 10John Egan, “Five Years after the Equifax Data Breach, How Safe Is Your Data?,” Bankrate, September 12, 2022, https://www.bankrate.com/credit-cards/news/how-safe-is-your-data/
- 11IBM, Cost of a Data Breach Report: 2024 (IBM, 2024), https://table.media/wp-content/uploads/2024/07/30132828/Cost-of-a-Data-Breach-Report-2024.pdf
- 12Kelli Young, “Cyber Case Study: Target Data Breach,” Coverlink Insurance, September 12, 2021, https://coverlink.com/cyber-liability-insurance/target-data-breach/
- 13Cisco, Protecting Data Privacy to Maintain Digital Trust (Cisco, 2020), https://www.cisco.com/c/dam/en_us/about/doing_business/trust-center/docs/cybersecurity-series-2020-cps.pdf
- 14Ann Cavoukian, Privacy by Design: The 7 Foundational Principles, 2008, https://privacy.ucsc.edu/resources/privacy-by-design---foundational-principles.pdf
- 15Brendan McMahan and Daniel Ramage, “Federated Learning: Collaborative Machine Learning without Centralized Training Data,” Google Research, April 6, 2017, https://research.google/blog/federated-learning-collaborative-machine-learning-without-centralized-training-data/
- 16Kirsty Paine, “Homomorphic Encryption: How It Works,” Splunk, February 5, 2024, https://www.splunk.com/en_us/blog/learn/homomorphic-encryption.html
- 17“PDPA Overview,” Personal Data Protection Commission Singapore, accessed December 22, 2024, https://www.pdpc.gov.sg/overview-of-pdpa/the-legislation/personal-data-protection-act
- 18Brazil, Lei Geral de Proteção de Dados Pessoais (LGPD), Lei nº 13.709, 2018 (in force 2020), Presidência da República, http://www.planalto.gov.br/ccivil_03/_ato2015-2018/2018/lei/L13709.htm
- 19European Parliament and Council, “Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data (General Data Protection Regulation),” Official Journal of the European Union, L119 (2016): 1–88, https://eur-lex.europa.eu
- 20“GDPR Fines/Penalties,” Intersoft Consulting, accessed December 22, 2024, https://gdpr-info.eu/issues/fines-penalties/
- 21California Consumer Privacy Act of 2018 (Cal. Civ. Code § 1798.100 - 1798.199), Enacted as AB-375, California Legislative Information, 2018, https://leginfo.legislature.ca.gov
- 22“AB-375 Privacy: Personal Information: Businesses,” California Legislative Information, June 29, 2018, https://leginfo.legislature.ca.gov/faces/billTextClient.xhtml?bill_id=201720180AB375
- 23International Organization for Standardization, ISO/IEC 27701:2019 (ISO, 2019).