9 Data Privacy Issues to Avoid: Examples and Solutions

By: Etienne Cussol CIPP/E, CIPM | Updated on: December 9, 2024

Businesses that collect and process personal information from users must take caution to avoid a few common data privacy issues.

These issues occur in all industries and represent operational challenges that can affect your legal, security, and marketing departments.

Below, I explain how to identify these data privacy concerns and present solutions you can integrate into your business’s data governance strategy to help you avoid them. We also speak with two privacy experts to hear what they have to say on the subject.

Table of Contents
  1. Most Common Data Privacy Issues & Concerns
  2. What Is Data Privacy?
  3. Tips To Avoid Data Privacy Issues
  4. How Can Termly Help You Avoid Data Privacy Issues?
  5. Summary

9 Most Common Data Privacy Issues & Concerns

Here are the nine most common issues businesses often face regarding data privacy, and my tips for preventing, avoiding, and resolving them.

1. Not Keeping Track Of Data Protection Laws

The first step to becoming a data privacy literate company is knowing what laws you fall under.

Understanding which laws you must follow can take time and effort, but it’s worth it.

Many businesses don’t have the means to keep track of data privacy legislation (which changes often, especially these days).

Some of the factors that influence your legal scope include specific details like:

  • The location of your business
  • Your users’ location
  • Your sector of activity
  • How much revenue you make annually
  • How much data you collect, process, and use

Data protection laws can apply to your business even if you’re not physically located in the country or state that passed the law.

Generally speaking, data protection laws provide a material and territorial scope that defines which organizations must be compliant.

The material scope usually includes:

  • The type of organizations that should follow the regulation, e.g., a private company or a public body
  • A threshold for compliance, e.g., companies meeting a certain annual revenue level or companies processing the personal data of a certain number of individuals
  • The nature of the processing, e.g., processing personal data in general or processing a specific type of personal data

The territorial scope defines where the regulation is enforceable. It usually applies to a business processing personal data in the country of origin of the regulation.

But it also applies outside the country if the business processes the personal data of individuals based in that country.

How can you prevent this issue?

You have several options to avoid misunderstanding what privacy laws apply to your business:

  • Consult a lawyer: The easiest way to know you’re meeting all legal obligations is to consult a lawyer, like a data privacy attorney, who can help keep track of the laws for you. While this may be a costly option, it’s not as expensive as getting fined for accidentally violating a law.
  • Develop an in-house data privacy team: Whether you need to hire privacy-literate consultants or train the employees you already have, it’s important to have a privacy team dedicated to ensuring you’re adequately following all applicable laws. Remember, the process is ongoing, so plan to adapt as the laws and regulations do.
  • Do your own research: If you only collect small amounts of basic personal information, you may be able to do your own research to determine which laws affect your business. However, these laws still hold you financially accountable if you miss anything. Make sure you weigh the risks.

2. Not Budgeting for Proper Privacy Compliance

One of the most significant data privacy issues impacting businesses is not budgeting enough to address the required technological, security, and employee training needs.

When I spoke with Data Privacy Professional Anokhy Desai about common data privacy issues businesses face, budgeting was top of mind.

“It’s always good to keep your internal training up to date and make sure you’re making a plan to be compliant with various laws applicable to your company by their enforcement date, but folks know that,” said Desai.

“A real issue they’re facing that’s hard to address is budget.” — Anokhy Desai, CIPP/US, CIPT, CIPM

Desai adds, “Often, IT, cybersecurity, privacy, and sometimes compliance teams end up sharing a budget because of unawareness at the leadership level of the difference between the groups’ purposes and the priority levels each group’s work carries.”

“Because of this, some organizations that didn’t allocate enough of a budget towards the privacy team early on will stress about meeting privacy law enforcement deadlines as the clock ticks down and end up not meeting that deadline, which, for all the new state privacy laws that have been passed this year, puts the organization at risk of monetary fines by several state attorneys general.”

“But the easy solution to this (allocating enough time and money to the privacy team separately) is hard to preach when it’s hard to know from the outside what the organization is going through on the inside.”

It’s in the best interest of all business owners who process data to consider their privacy and security budget now.

Failing to allocate enough resources could cost you much more later, especially if you fall victim to cybercrime or are in contention with a data privacy law.

How can you prevent this issue?

Businesses come in all shapes and sizes, so budgeting for data privacy and security is not a one-size-fits-all approach.

Avoid combining your cybersecurity budget with other essential needs, like data privacy and general IT, if possible.

Take all facets of compliance seriously, and leave room for things like training your employees, hiring data privacy experts, and reinforcing your cybersecurity team.

Some businesses might even consider investing in cybersecurity insurance.

Additionally, using a managed privacy compliance solution, like signing up for Termly’s Pro+ plan, can help simplify many legal compliance needs without costing as much as a lawyer.

3. Not Having Visibility Over Personal Data Collection, Use, and Sharing

Even if you have a proper budget and know all the laws you must follow, you must ensure you adequately disclose to your users what data you’re collecting, using, and sharing.

However, a few issues can arise regarding the visibility of your data activities.

For one, it’s an operational challenge.

As businesses collect more and more personal data from an increasing number of sources, it becomes difficult to understand each of your departments’ data processing practices.

Additionally, most laws give consumers the right to control some of the data you’ve collected about them. You must provide them with methods to follow through on their privacy rights easily.

So, it’s also a technical challenge.

You must safely and securely allow users to act on their rights by submitting verifiable requests, which your business needs to respond to and follow through on whenever feasible.

How can you prevent this issue?

To prevent data visibility issues from occurring, your business should perform something called data mapping.

Data mapping is the practice of creating a record of personal data you hold and why.

It’s essential for complying with most data governance programs and is a requirement under certain data protection laws like the General Data Protection Regulation (GDPR).

You usually need to record all of the following:

  • The types of personal data you collect
  • The sources of the data (i.e., collected directly or indirectly, from whom)
  • Your purposes for collecting the data
  • Any third parties to which you disclose the data

Implementing data mapping strategies helps your business fulfill customer requests related to their privacy rights by ensuring you can locate their personal data and have appropriate processes to act on it.
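As an added illustration (not part of the original article and not Termly's code), a data map can be kept as structured records holding the four items listed above. The `system` field, the sample entries, and the vendor names are constructed assumptions. The code flags entries with no recorded purpose or source and works out which systems and third parties a privacy request touches.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class MapEntry:
    data_type: str             # type of personal data collected
    source: str                # "direct" (from the individual) or "indirect"
    collected_from: str        # who or what supplied the data
    purpose: str               # why the data is collected
    system: str                # assumed extra field: where the data is stored
    third_parties: tuple = ()  # recipients the data is disclosed to


# Constructed sample inventory; every name below is made up for illustration.
DATA_MAP = [
    MapEntry("email address", "direct", "signup form", "account login",
             "auth-db"),
    MapEntry("email address", "direct", "signup form", "newsletter",
             "mail-platform", ("ExampleMailer",)),
    MapEntry("purchase history", "direct", "checkout", "order fulfilment",
             "orders-db", ("ExampleShipping",)),
    MapEntry("browsing behaviour", "indirect", "ExampleAdNetwork", "",
             "analytics-warehouse", ("ExampleAdNetwork",)),
    MapEntry("phone number", "", "", "sms alerts", "crm"),
]


def validate_map(data_map):
    """Return (data_type, system, problem) for every incomplete entry."""
    findings = []
    for entry in data_map:
        if not entry.purpose.strip():
            findings.append((entry.data_type, entry.system,
                             "no purpose recorded"))
        if entry.source not in ("direct", "indirect"):
            findings.append((entry.data_type, entry.system,
                             "source not recorded"))
    return findings


def request_scope(data_map, data_types=None):
    """Systems to search and third parties to contact for a privacy request.

    data_types=None means the request covers everything held on the person.
    """
    rows = [e for e in data_map
            if data_types is None or e.data_type in data_types]
    return {
        "systems": sorted({e.system for e in rows}),
        "purposes": sorted({e.purpose for e in rows if e.purpose}),
        "third_parties": sorted({tp for e in rows for tp in e.third_parties}),
    }


if __name__ == "__main__":
    for finding in validate_map(DATA_MAP):
        print("incomplete entry:", finding)
    print(request_scope(DATA_MAP, {"email address"}))
```
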

Plenty of resources online help teach you how to carry out effective data mapping techniques, a task that quickly becomes quite complex.

For example:

4. Not Having Collaborative Relationships Between Businesses and Privacy Professionals

Building a working relationship with any privacy professionals your business employs or partners with is essential. Otherwise, it might feel like the privacy professional isn’t on the same team as the rest of your business.

But in reality, they’re your ally and could help lead to stronger customer relationships.

This is what Data Privacy Professional Tainá Baylão, Senior Specialist Data Protection at Infineon Technologies, immediately mentioned when asked about the most common data privacy issues businesses typically confront.

“One of the most common challenges a business faces when it comes to protecting personal data is building a collaborative relationship between the privacy team and the process owners.” — Tainá Baylão, LL.M, CIPP/E, CIPM, CDPO/BR, ECPC-B

According to Baylão, “Privacy professionals play a key role towards achieving privacy compliance by verifying if privacy controls are in place. However, these professionals cannot possibly know every detail of every project in the company.”

“In order to properly do their jobs, they must get notified by the process owners on new or updated projects. This initiative has to come from the business side.”

She highlights the crux of the problem here, “However, if that professional takes the approach of saying ‘no’ to everything, they will become business blockers. In that context, no colleague will want to contact them since this would cause their project to be significantly delayed or even shut down completely.”

As a fellow privacy professional, I wholeheartedly agree. Business owners and privacy professionals are on the same side.

We all want the internet to be a safe place for consumers and businesses to thrive.

How can you prevent this issue?

To prevent a rocky relationship between the business and the privacy professional, business owners should build data privacy literacy into every aspect of their process.

Baylão suggests taking the following approach, “The privacy professional must build a collaborative relationship with their counterparts and always strive to provide the process owners with alternative solutions or even work together with them as sparring partners to build a better and more privacy-friendly strategy.”

“By using this business enabler approach, it is certain that the business will become more privacy-aware and will see privacy as a valuable asset, not an additional obstacle to surpass or an additional box to check.”

When you determine future goals or develop means for using personal information, do so in a way that takes data privacy seriously.

Instead of collecting massive amounts of unnecessary information, consider the most important details required to achieve your goals efficiently.

As an added benefit, this will help streamline your protocols and data processing activities.

Data privacy is not meant to prevent businesses from using personal information.

It’s supposed to help enhance your data use while protecting your customers.

Communicate effectively with the privacy professionals on your team so everyone is on the same page.

5. Not Properly Controlling Access To Personal Data

Another major issue when implementing data privacy protocols involves controlling who has access to the data.

If your business fails to implement proper controls, your customers’ and employees’ data is at risk of unauthorized access, like through a personal data breach, which leads to financial and reputational loss.

Today, people often use connected devices, like laptops and smartphones, or integrate external software with a company’s systems.

Plus, more and more households rely on devices connected to the Internet of Things (IoT), like smart refrigerators, Alexa, and Google Home devices.

Such tech makes it more challenging to set up efficient access controls that guarantee privacy.

How can you prevent this issue?

To increase your controls over the access of the personal data your business collects, determine who internally is allowed to access the data and identify the tools you use to store it.

Remember also to consider any physical storage locations, like filing cabinets.

Set up access controls that involve authentication and authorization of the users, regardless of whether they’re your employees or external third parties.

Be sure to grant the appropriate level of access based on the context of each role, location, device, and so on.

6. Not Properly Handling the Growing Availability of Data

The total amount of data created, captured, copied, and consumed globally reached 64.2 zettabytes in 2020, according to a study by Statista.

As cloud storage becomes cheaper and computing power increases, businesses can rely more on data.

At first glance, you might assume the growing availability of data is only a good thing, but managing vast amounts of personal information can cause serious privacy issues.

For example, most data privacy laws stipulate that entities can’t collect personal data for its own sake. They must have a purpose and lawful basis for collecting and using the information.

Those hoarding data take on the risk of facing severe sanctions for their non-compliance.

Additionally, larger pools of data mean increased security risks. 

Businesses managing an ocean of data might struggle to protect it from unlawful access because there’s more at the surface for cybercriminals to attack.

How can you prevent this issue?

Businesses must rely on strong security practices, employee awareness, and preparedness to face the challenge of increasing access to data.

This means only collecting data necessary for your overall purposes and not data-hoarding.

But you should also take the time to train your entire team so everyone is on the same page about what your data processing activities are and what is (and isn’t) allowed.

It’s recommended everyone at your company receives training, both for cybersecurity and data privacy risks.

Training your employees on best privacy and security practices can go a long way in building a data culture that might prevent incidents.

7. Not Keeping Up With the Proliferation of Connected Devices

With remote work becoming the norm in recent years, securing data over an increasing number of devices has become more challenging.

Not only do companies need to take into consideration the number of work-issued devices (laptops, smartphones, tablets), but now they also need to include their employees’ own devices in their plans.

The IoT also plays an essential part in the increasing number of devices that can access, send, and receive data. As the IoT grows, the amount of data these devices generate increases the risk of data privacy issues.

The data collected from IoT devices generally comes from sensors, including microphones, cameras, or thermometers.

Such data can sometimes be highly personal, raising the operational challenge for a company to protect that data.

How can you prevent this issue?

The only way to prevent cyber risks is to train your team and make room in your budget to prioritize cybersecurity.

Because items connected to the IoT can’t run antivirus software or generate data logs to monitor and detect abnormal behaviors, they’re prime targets for cyberattacks.

The security limitations of these devices unfortunately mean typical cybersecurity techniques don’t apply.

One option that may help you combat IoT security limitations is using visibility tools to identify exposed credentials, which may help mitigate the risks of a surface attack and prevent Active Directory (AD) privilege escalations.

Implementing such security measures could help expose an attacker who attempts to use false credentials on a decoy that appears as another system.

Ensure you have a team or resource to help your business address these IoT security risks.

8. Not Keeping Up With the Rapid Evolution of Technology

In recent years, new technologies such as Artificial Intelligence, the Internet of Things (IoT), and online tracking like Pixels and fingerprinting techniques have made it increasingly complex for businesses to understand how to protect personal data.

While these technologies can provide greater insights for businesses, grasping how they function is challenging — especially for companies trying to protect personal data.

Integrations with the internal systems of a company are very common.

Providing access, sometimes without the company’s total knowledge, to third parties can turn out to be a real threat.

For example, in 2022, some U.S. tax filing websites were found to transmit taxpayers’ personal information to Facebook through the Meta Pixel, supposedly without their knowledge.

The development of proper safety protocols must match the speed of the evolution of technology. Otherwise, privacy risks will continue to increase.

How can you prevent this issue?

To keep up with the fast pace of changing technology, ensure you only use a new feature or resource after doing your due diligence.

Take the time to thoroughly research the systems you might want to integrate with and have your privacy team or a lawyer verify if everything is legally compliant based on applicable laws.

Remember to consider the risks involved by weighing the potential benefits and harms to the users’ privacy.

Factor in the types of data you collect, how much there is, and how any security measures you have in place may mitigate potential risks.

9. Human Errors and Undertrained Employees

Another common data privacy issue experienced by businesses is human error, typically due to undertrained employees.

The security risks increasing your business’s chances of falling victim to cybercrime are:

  1. Underprepared employees may not understand the nuances of data privacy laws, leading to inappropriate data access, use, or deletion.
  2. Someone in your organization uses weak passwords, falls for a phishing scam, or doesn’t know how to recognize insecure links in emails.

How can you prevent this issue?

Train every team member on data privacy and cybersecurity issues to prevent human errors.

From online training platforms to privacy consultants, plenty of options exist to fit any business budget and unique needs.

It’s also a best practice to create backup and recovery plans, so you have efficient systems in place to address human errors if they do occur.

What Is Data Privacy?

Simply defined, data privacy refers to collecting and processing personal data from individuals in a way that respects their rights and keeps their data secure.

It’s a balancing act.

Many businesses rely on assembling and using digital information, but that information is personal to the individual.

Businesses must implement the following data privacy techniques to meet legal obligations and build trust with consumers:

  • Follow the obligations of all data privacy laws that apply to your company.
  • Determine every piece of personal information your website or app collects from users.
  • Post a privacy policy that explains what data you collect, why, if you share or sell it to third parties, what rights users have over it, and how to act on those rights.
  • Post a cookie policy explaining all the internet cookies your site uses and what controls individuals have over them, usually by providing a consent banner.
  • Create, implement, and maintain proper physical, administrative, and technical security protocols to protect the data from unauthorized access.

If you want personal data collection to benefit your business and consumers, you must build smart data privacy procedures into every part of your company, from your budget to training staff and beyond.

Tips To Avoid Data Privacy Issues

Now that you’ve read the nine most common data privacy issues businesses face, here’s a quick summary of our top tips to help your business avoid them:

  • Know what laws apply to your business: Data protection laws hold you financially accountable even if you violate them by mistake, so it’s essential that you accurately determine all laws that apply to your business.
  • Make room in your budget: In our modern digital landscape, it’s vital to account for your data privacy and cybersecurity needs when planning your budget. Otherwise, a cyberattack or penalty for violating a law might cost you much more.
  • Remember the privacy professional is on your team: Build a collaborative relationship between your business and your privacy team so everyone works together. Open channels of communication are the key to success.
  • Only collect personal data you truly need: Hoarding large amounts of unnecessary data puts you at risk of cyberattacks and could be illegal, depending on what laws apply to you.
  • Be smart regarding quickly advancing technologies: While new technology is exciting, be mindful about how you implement it. Remember to research the pros and cons, and only use software you can trust.
  • Train every employee, including yourself: Knowledge is power. To minimize human errors, ensure everyone at your company is appropriately trained, including administrators.

How Can Termly Help You Avoid Data Privacy Issues?

Termly helps businesses overcome common data privacy issues affordably and efficiently.

Our legal team and data privacy experts vet all of our compliance solutions. Plus, we update our policy generators regularly to account for new or changing data protection laws.

We may not be able to train your whole staff, but we can offer you a compliant Privacy Policy Generator that features necessary requirements outlined by laws like the GDPR, the California Consumer Protection Act (CCPA), and more.

We also provide a Consent Management Platform (CMP) with a cookie consent banner, preference center, and Data Subject Access Request (DSAR) form.

You can configure the consent banner to meet opt-in or opt-out requirements of various regions worldwide, like California and Europe.

Summary

Businesses that prioritize data privacy now are setting themselves up for future success.

Knowing what common privacy concerns and issues to avoid can help you streamline your approach and minimize risks.

While achieving legal compliance is an essential component, it’s only part of businesses’ responsibilities regarding data privacy.

You also need to budget appropriately to prevent privacy issues, create effective internal systems, and keep up to date with new and changing best practices.

Written by Etienne Cussol CIPP/E, CIPM

Etienne is an Information Privacy professional and compliance analyst for Termly. He has been with us since 2021, managing our own compliance with data protection laws and participating in our marketing research. His fields of expertise - and interest - include data protection (GDPR, ePrivacy Directive, CCPA), tracking technologies (third-party cookies, fingerprinting), and new forms of privacy management (GPC and the Google Privacy Sandbox). Etienne studied International Economic Affairs at the University of Toulouse, and graduated with a Masters in 2017.
