1. concepts of data security and privacy protection

Data security and privacy protection are two closely related but distinct concepts. Data security refers to the process and measures to protect data from unauthorized access, use, modification, disclosure, destruction or loss. The goal of data security is to ensure the confidentiality, integrity and availability of data. Privacy protection refers to the process and measures to protect personal information from illegal collection, processing, transmission, sharing or disclosure. The goal of privacy protection is to ensure the autonomy, security and dignity of personal information.

The relationship between data security and privacy protection can be expressed by the following formula:

Data Security = Data Privacy Protection + Data non-privacy protection

Data privacy protection is a subset of data security that focuses on protecting data related to an individual's identity or behavior, such as name, address, phone number, email, social media, location, health, finance, and more. Data non-privacy protection is another subset of data security, which focuses on protecting data that does not involve personal identity or behavior, such as corporate secrets, business policies, scientific research results, national security, and other information.

In their business activities, market research companies process large amounts of data, both personal and non-personal. Therefore, market research companies need to pay attention to data security and privacy protection at the same time, abide by relevant laws and regulations, take effective technical and management measures to prevent data leakage, tampering, loss and other risks, and ensure the security and legitimacy of data.

Laws and standards 2. data security and privacy protection

Data security and privacy protection is a global issue. Countries and regions have formulated corresponding laws and standards to regulate data collection, storage, processing, transmission, sharing and destruction. Market research companies need to follow different laws and standards in cross-border data flows to avoid the risk of violations. Here are some of the key data security and privacy laws and standards:

General Data Protection Regulation （GDPR) That is, the General Data Protection Act was long ago.2018Year5Month25day officially entered into force. The bill addresses data security and privacy protection issues, emphasizing that data privacy is a fundamental right of citizens, and that companies have the responsibility to deploy data privacy policies to actively ensure data security, and need to consider data privacy issues at the beginning of the design.GDPRIt applies to all data processors and controllers within the EU member states, as well as data processors and controllers providing goods or services to EU residents outside the EU.GDPRIt sets out the principles of data processing, the rights of personal data subjects, the obligations of data processors and controllers, data protection impact assessments, data protection officers, data breach notifications, cross-border data transfers, regulatory bodies and penalties.GDPRThe maximum fine is the global annual turnover involved in the violation.4%or2000million euros (whichever is higher).

California Consumer Privacy Act （CCPA), the California Consumer Privacy Act in2020Year1Month1It is the first comprehensive data privacy act in the United States.“American versionGDPR”。CCPAApplies to consumers in California and businesses outside California that meet at least one of the following conditions:2500million dollars; annually from51 million or more California consumers, households, or devices collect, buy, sell, or share personal information; or at least half of their annual income is derived from buying and selling personal information.CCPAIt stipulates the rights of consumers, including the right to know, the right to choose, the right to refuse, the right to delete, the right to equal service, and the obligations of enterprises, including the obligation to notify, the obligation to respond, and the obligation to not discriminate.CCPAThe maximum fine for each violation7500S. dollars.

Personal Data Protection Act （PDPA) I .e. the Personal Data Protection Act in2013Year1Month2Singapore's Data Privacy Act is designed to protect personal data while balancing the needs of businesses.PDPAApplies to all organizations in Singapore and those providing goods or services to Singapore residents outside Singapore.PDPAIt stipulates the principles of data protection, including the principle of consent and purpose, the principle of notification, the principle of access and correction, the principle of accuracy, the principle of protection, the principle of restriction of retention, the principle of restriction of transfer, the principle of openness, the principle of accountability, etc., as well as the rights of the subject of personal information, the obligations of the organization, the data protection committee, the investigation and punishment measures, etc.PDPAThe maximum fine is the annual turnover involved in the violation.10%or100S $10,000 (whichever is lower).

ISO/IEC 27001 is the International Organization for Standardization (ISO) and the International Electrotechnical Commission (IEC) information security management system (ISMS) standards designed to help organizations establish, implement, maintain and improve the level of information security.ISO/IEC 27001The core is risk assessment and risk treatment, requiring organizations to identify and analyze information security-related risks, develop and implement appropriate control measures, regularly monitor and review the status of information security, and continuously improve the effectiveness of the information security management system.ISO/IEC 27001It is a voluntary standard, and organizations can choose whether to apply for certification to prove that they meet the requirements of the standard.

Privacy by Design （PbD) That is, "Privacy Design", is a method of actively protecting privacy in the process of data processing, by the former Canadian Privacy Commissioner Anne·Kawakuji (Ann Cavoukian) in1990The era was proposed, and was laterGDPRadopted by the Act.PbDThe core is to consider the need for privacy protection at the design stage of data processing, rather than adding privacy protection measures at a later stage or after the event.PbDIncluding seven principles, namely, active prevention and active protection principle, default privacy principle, embedded privacy principle, comprehensiveness principle, minimization principle, visibility and transparency principle, respect for user privacy principle.PbDIt is a philosophy and approach, not a specific technology or standard, that organizations can flexibly implement according to their own circumstances and goals.PbD。

3. the risks and implications of data security and privacy protection

In the process of data processing, market research companies may face various risks of data security and privacy protection, such as data leakage, data tampering, data loss, data abuse, data infringement, etc. These risks may have serious implications for market research firms, such as legal liability, economic loss, reputational damage, competitive disadvantage, and loss of customers. Here are some specific cases:

In 2017, U.S. credit rating agenciesEquifaxsuffered a historic data breach, resulting in1.47The personal information of hundreds of millions of American consumers was stolen, including names, social security numbers, dates of birth, addresses, driver's license numbers, credit card numbers, etc. The incident triggered the US Federal Trade Commission (FTC), U.S. Department of Justice (DOJ), Securities and Exchange Commission (SEC) and other agencies, as well as lawsuits from consumers, shareholders, employees and other groups.Equifaxfinally agreed to pay at least6.5$billion in settlement payments to resolve issues relatedFTC, the U.S. Consumer Financial Protection Bureau (CFPB) and50A lawsuit by the state government. in addition,EquifaxIt has also suffered from plummeting stock prices, declining market share, and loss of customer trust.

In 2018, British political consulting firmCambridge AnalyticaExposed for useFacebookA psychological test app on the, illegally collected.8700million.FacebookThe user's personal information is used to provide voter portraits and targeted advertising for the Trump presidential campaign and the Brexit referendum. The incident sparked worldwide public outrage and government oversight,Facebookby the UK Information Commissioner's Office (ICO) Penalty50Ten thousand pounds, by the U.S. Federal Trade Commission (FTC) Penalty50Billion US dollars, by the US Securities and Exchange Commission (SEC) Penalty1US $billion, summoned by the US Congress and the European Parliament, and investigated by regulatory agencies in many countries and regions.Cambridge AnalyticaThe parent company declared bankruptcy after the outbreak of the event.SCL GroupAlso disbanded.

In 2019, the Ministry of Health of Singapore (MOH) and Singapore Health Group (SingHealth) suffered a data breach for AIDS patients, resulting in14200AIDS patients and2700The personal information of the first contact is disclosed, including name, ID number, telephone number, address,HIVTest results, medical information, etc. The man behind the incident, an American AIDS patient, used his Singaporean boyfriend, an employee of Singapore's Ministry of Health, to illegally obtain the data and upload it to the Internet. The incident triggered a strong response from the Singaporean government and society. Singapore's Minister of Health Chen Sheng apologized to the public. Singapore's Ministry of Health established a special committee to investigate the causes and consequences of the incident and propose improvement measures. In addition, the incident also brought great psychological pressure and social discrimination to the affected AIDS patients and contacts, affecting their lives and work.

4. data security and privacy protection measures and solutions

When facing the challenges of data security and privacy protection, market research companies need to take a series of countermeasures and solutions to improve the ability and level of data security and privacy protection. At the same time, they also need to cooperate with customers, regulators, industry organizations and other parties to jointly promote the healthy development of the data economy. Here are some specific recommendations:

Establish an institutional system for data compliance and privacy protection. Market research companies need to develop and implement policies, processes, norms and guidelines for data compliance and privacy protection to meet the laws, regulations and standards of different countries and regions, as well as customer requirements and expectations. Market research companies need to establish data protection committees or data protection officers to oversee and coordinate data compliance and privacy protection efforts, as well as handle data-related complaints and disputes. Market research companies need to regularly audit and evaluate the state of data compliance and privacy protection, as well as make continuous improvements and optimizations.

The use of privacy technology and other technical means. Market research companies need to use various privacy technologies (Privacy Tech) and other technical means to improve the efficiency and effectiveness of data security and privacy protection. Privacy technology refers to a class of technologies designed to protect data privacy, including data encryption, data desensitization, data anonymization, data camouflage, data segmentation, data traceability, data deletion, etc. Privacy technology can help market research companies to minimize, most necessary and most secure data in data collection, storage, processing, transmission, sharing and destruction, and at the same time, it can also ensure the availability and value of data.

Cooperate with customers, regulators, industry organizations, etc. Market research companies need to establish good communication and collaboration with customers, regulators, industry organizations and other parties to jointly meet the challenges of data security and privacy protection. Market research companies need to sign data processing agreements with customers to clarify the rights and obligations of both parties, as well as the use, scope, duration and conditions of the data. Market research companies need to be transparent and compliant with regulators, report and process data-related events in a timely manner, and actively participate in the development and improvement of data policies. Market research companies need to strengthen communication and learning with industry organizations, abide by the ethics and norms of the industry, and promote the self-discipline and development of the industry.

Conclusion

Market research companies are important players in the era of data economy. They provide valuable insights and suggestions to customers by collecting, analyzing and utilizing various data. However, with the growth of data scale and the tightening of data regulations, market research companies are also facing serious challenges in data security and privacy protection. Market research companies need to establish a system of data compliance and privacy protection, use privacy technology and other technical means to improve the ability and level of data security and privacy protection, and at the same time, they also need to cooperate with customers, regulators, industry organizations and other parties to jointly promote the healthy development of the data economy.