Data, Privacy and You.

What exactly is Data Privacy?

We are living in a world flooded with data. Much of it is generally and publicly available like the price of a product or commodity, the temperature outside, or the closing stock price of a particular company. However, there is so much more data which is highly personal to each and every individual, such as each person’s name and address, medical records and bank account information, photos, videos, passport information, browsing history, product preferences etc. When this data is in digital form many companies and corporations have access to this data, which they, in turn, analyse to generate meaningful patterns out of it and to market or cross-sell. It is but obvious that you and I would like to retain some control over our personal data and decide to whom we would like to share the data, and what such entity plans to do with the data so collected.

Isn’t Data Privacy and Data Security the same?

Data Security and data privacy are often used interchangeably, but there are distinct differences:

  • Data Security protects data from compromise by external attackers and malicious insiders.
  • Data Privacy governs how data is handled, processed, stored, and used.

So, what constitutes Personal Data?

‘Personal Data’ generally refers to any information relating to an identified or identifiable natural person (popularly called as the ‘data subject’ internationally or ‘data principal’ in the Indian context). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

Examples of personal data

  • a name and surname.
  • a home address.
  • an email address such as name.surname@company.com
  • an identification card number.
  • location data (for example the location data function on a mobile phone).
  • an Internet Protocol (IP) address.
  • a cookie ID.
  • the advertising identifier of your phone.
  • data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

Examples of data not considered personal data

  • a company registration number.
  • an email address such as info@company.com
  • anonymised data

I heard something called as Sensitive Personal Data. What is that?

Sensitive data is a “special category” of personal data that must be treated with extra security or specific processing conditions. Few Examples include:

  • Racial or ethnic origin.
  • Political opinions.
  • Religious or philosophical beliefs.
  • Genetic or Biometric data
  • Biometric data (where processed to uniquely identify someone)
  • data concerning a person’s sex life or sexual orientation

Hmm, so what now?

Considering the massive growth of digital data, legislations across the globe are bringing in multiple frameworks and rules to ensure the personal data in the hands of corporations is not misused. These rules of legislations require Corporations to ensure the following at a minimum:

  • Process the data lawfully, fairly and in a transparent manner
  • Collect for specified, explicit and legitimate purposes and not further process in a manner that is incompatible with those purposes
  • Collect and process data to the extent adequate, relevant, and necessary
  • Ensure the data is accurate
  • Ensure data is stored or retained for a specific period
  • Processed in a manner that ensures appropriate security of the personal data, and ensure adequate security of the data
  • Be accountable and demonstrate compliance with the legal requirements

Are there any rights which I can enforce as, the Data Subject?

The data subject in general has the right over his data. Depending upon the country to country, the rights may differ. However, below are a few common rights noticed:

  • the right to be informed
  • the right of access
  • the right to rectification
  • the right to erasure
  • the right to restrict processing
  • the right to data portability (country-specific)
  • the right to object to processing
  • the rights to not be evaluated based on automated processing

I heard of GDPR. What is that?

How about Data Privacy in India?

Laws in India regarding data privacy were ambiguous for a long time, but in 2017 the Supreme Court of India in the “Puttaswamy” case ruled that the Indian constitution guaranteed a fundamental right to privacy for every citizen, thereby recognising Privacy as a fundamental right. While the Information Technology Act, 2002, as amended 2008, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘the SPDI Rules’) gave a broad requirement, India still lacks an organised framework on “Data Privacy”. Accordingly, the Personal Data Protection Bill, 2019 has been introduced in the Parliament and should be soon expected to be codified.

How about Data Privacy across the globe?

While the concept of data privacy is catching up across the globe, the below image may help you get some idea on the state of affairs.

So, what next?

With great power comes great responsibility. If Data Security led the last decade, the next decade is all about how organisations manage “Privacy” and yet be accountable and innovative! Exciting times ahead.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Narasimhan Elangovan

Narasimhan Elangovan

CA Narasimhan Elangovan, is a partner KEN & Co., Bengaluru, India. He is a Privacy Practitioner, GRC professional, Digital transformation catalyst.