Unauthorized Data Access, Use or Transfer are the primary threats to an organization’s privacy compliance
Unauthorized data access, use or transfer all refer to misuse of personal and sensitive data. Unauthorized data access occurs when a user accesses personal data that policy does not allow them to access and that is not pertinent to their organizational responsibilities. Unauthorized data use is similar, in that a user in the organization has exceeded their permissions in using data, but it can also refer to the organization using personal data without the proper consent of the data subject. Unauthorized data transfer refers to information transferred to organizations that are neither allowed by privacy regulations nor covered by a privacy shield or another appropriate binding agreement. In the case of CCPA, it could also refer to the sale of a customer’s information where the customer has exercised their do-not-sell right.
What are some examples of unauthorized data access, use or transfer?
- DevOps using customer data from various regions to develop and test software.
- Users from one region accessing personal data with no business purpose.
- Transfers of information to business partners that are not covered by the privacy regulations, privacy shield, or some other binding agreement on the use of personal data.
- An organization using customer data for marketing purposes without the consent of the customer.