Data compliance sits at the intersection of multiple domains. This complexity means that working in Privacy and Data Protection delivers daily opportunities for learning and professional growth, and that no two projects are the same. However, this domain sophistication can come at a price; there are barriers—some real, some perceived—which prevent others from engaging with the topics. This emergent space is hard to define, jargon laden, difficult to explain and understand, and fast evolving.
Such barriers might keep experts in work, but they are a real threat to the maturity of our industry. Ultimately, the less transparent the use and protection of data is by companies, the worse the outcome for data protection and citizens’ information rights. That’s why, Bearer is on a mission to democratize data privacy, security and governance, to break down the complexity, champion transparency and explain key terms in plain English.
Let’s start by gaining a better understanding of two of the key domains: Data Protection and Privacy. We’ll explore the differences and overlaps, and look at practical application of these principles.
Let’s first dive into Privacy
Privacy is the fundamental right to be let alone*. It’s a deeply human and cultural construct which relates to our sense of self and what it means for nation states to have self-determining citizens. Privacy says we, as individuals, have a right to be unobserved, and to establish and manage our own boundaries.
Privacy is as old as human consciousness. Its history has tracked the story of civil society, from its conceptual roots in Greek philosophy to society's shift from communal lives to today's always-on digital reality.
Privacy and Data Protection are distinct but closely related terms which intersect at the control of, access to and usage of private information. Article 7 of the Charter of Fundamental Rights of the European Union (EU) sets out that “Everyone has the right to respect for his or her private and family life, home and communications”, whereas Article 8 provides for the ‘protection of personal data’.
Let’s now explore Data Protection’s historical context
In Europe, the origins of Data Protection legislation are rooted in addressing past injustices in Europe. In the 1930s in Germany under the Nazi regime, state control of Information Technology meant that personal data census collection was abused as part of a systematic approach relating to the atrocity of the Holocaust.
What followed was evolving legislation spanning the past half decade which has led us to the GDPR—Europe’s key data regulation focused on protecting personal data. A myriad of global legislation, many inspired by the European model and GDPR principles such as lawfulness and accountability, has followed.
Data Protection by Design and Privacy by Design - what’s the difference?
The GDPR cites and specifies Data Protection ‘by design’ and ‘by default’, but Privacy by design is not defined in the regulation. Dr Ann Cavoukian first coined privacy by design in 1995 as part of a report on Privacy Enhancing Technologies (PETs). Privacy by Design is based on seven key principles, and helps us apply a user-centered and proactive approach to designing for people’s privacy rights and requirements.
Coming back to Data Protection and Privacy as standalone terms, simply put:
- Data Protection relates to good custodianship of personal information and aligns with regulations like the GDPR and their practical application for organizations.
- Privacy correlates to people’s information rights, and is in the cross-hairs of the surveillance debate. There is a link with Privacy laws like PECR, as well as a strong association with data ethics fundamentals like transparency of processing.
Apply Privacy and Data Protection when building your data compliance program
Practically speaking, companies need to understand Data Protection regulations like the GDPR and apply its principles into a meaningful program and build capability to ensure data is protected, secure and their accountabilities upheld. This is not about a tick box approach to compliance: progressive leaders recognize the alignment to customer focus, trust and resilience in the face of exponential data risk.
In the context of building a risk-based compliance program and fostering the right organizational culture, Privacy needs to at one be interlinked and distinguished at the right point—think of it as the human face of data processing. Terms like Privacy by design and their accompanying principles help us see the data subject, the person at the end of the ‘data supply chain’ and proactively consider their rights, and potential harms if we discount profiling and surveillance concerns.
Our key tips for aligning Data Protection and Privacy into your compliance or Information Security program:
1. Don't skip over the difference between the intersecting domains. Deliver training which connects.
Why: The historical context and ethical relevance of both Data Protection and Privacy gives compliance programs purpose and meaning which can align with your culture values. The context of surveillance, for the roots of Data Protection, will help your team and your stakeholders see the wider implications and rationale for compliance and governance, and bring a human connection. Everybody needs to know why they should follow a rule or best practice.
How to apply it: When training your team, spend time on the context and purpose behind compliance, find the emotional connection with your colleagues and correlation with your company values before getting into the practicalities of policies and protocols.
2. Connect the dots and build a holistic program which is practically applied.
Why: Information Security, Privacy, and Data Protection are different but deeply connected, and progressive boards expect compliance leaders to build a connected program and collaborate on budget. Data flow diagrams and a by design approach can act as a bridge between the domains, and visuals can create common language and understanding between departments or teams.
How to apply it: Bring the by design principles to life with data lifecycle diagrams as part of your DPIAs and security risk assessments, use those data flow diagrams to engage with visuals and reduce process duplication.
*In the late 19th century, two American lawyers, Samuel D Warren and Louis D Brandeis, wrote an article for the Harvard Law Review which set out privacy as the right to be left alone.