28 January is celebrated every year as International Data Privacy Day. Most of us today are unaware of and uninformed about how our personal information is being used, collected, or shared in our digital society. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. Data Privacy Day aims to inspire dialogue and empower individuals and companies to take action.
Read below to get yourself acquainted with the basics of Privacy!
What exactly is Data Privacy?
We are living in a world flooded with data. Much of it is generally and publicly available, like the price of a product or commodity, the temperature outside, or the closing stock price of a particular company. However, there is much more data that is highly personal to each individual, such as a person’s name and address, medical records, bank account information, photos, videos, passport information, browsing history, product preferences, etc. When this data is in digital form, many companies and corporations have access to it, which they, in turn, analyse to generate meaningful patterns and to market or cross-sell. Naturally, you and I would like to retain some control over our personal data and decide with whom we would like to share it, and what such an entity plans to do with the data so collected.
In short, Data Privacy is all about how corporations and institutions use personal data within an acceptable framework.
Aren’t Data Privacy and Data Security the same?
Data Security and data privacy are often used interchangeably, but there are distinct differences:
- Data Security protects data from compromise by external attackers and malicious insiders.
- Data Privacy governs how data is handled, processed, stored, and used.
To illustrate, an organisation may have encrypted the personal data at rest and in transit. However, it may not have collected the personal data with the approval of the data subject. In this case, the organisation may be compliant from a security standpoint, but not from a data privacy angle.
So, what constitutes Personal Data?
‘Personal Data’ generally refers to any information relating to an identified or identifiable natural person (popularly called the ‘data subject’ internationally or ‘data principal’ in the Indian context). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Examples of personal data
- a name and surname.
- a home address.
- an email address such as firstname.lastname@example.org
- an identification card number.
- location data (for example the location data function on a mobile phone).
- an Internet Protocol (IP) address.
- a cookie ID.
- the advertising identifier of your phone.
- data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.
Examples of data not considered personal data
- a company registration number.
- an email address such as email@example.com
- anonymised data
I heard of something called Sensitive Personal Data. What is that?
Sensitive data is a “special category” of personal data that must be treated with extra security or specific processing conditions. A few examples include:
- Racial or ethnic origin.
- Political opinions.
- Religious or philosophical beliefs.
- Genetic or Biometric data
- Biometric data (where processed to uniquely identify someone)
- data concerning a person’s sex life or sexual orientation
Hmm, so what now?
Considering the massive growth of digital data, legislation across the globe is bringing in multiple frameworks and rules to ensure that personal data in the hands of corporations is not misused. These rules and legislation require corporations to ensure the following at a minimum:
- Process the data lawfully, fairly and in a transparent manner
- Collect for specified, explicit and legitimate purposes and not further process in a manner that is incompatible with those purposes
- Collect and process data to the extent adequate, relevant, and necessary
- Ensure the data is accurate
- Ensure data is stored or retained for a specific period
- Process data in a manner that ensures appropriate security of the personal data
- Be accountable and demonstrate compliance with the legal requirements
Are there any rights which I can enforce as the Data Subject?
The data subject generally has rights over his or her data. These rights may differ from country to country. However, below are a few common rights:
- the right to be informed
- the right of access
- the right to rectification
- the right to erasure
- the right to restrict processing
- the right to data portability (country-specific)
- the right to object to processing
- the right not to be evaluated based on automated processing
I heard of GDPR. What is that?
The General Data Protection Regulation (GDPR) is a regulation in the EU which governs data protection and privacy in the European Union and the European Economic Area. It has been considered the benchmark privacy law across the world. It rose to fame thanks to global privacy initiatives and the hefty penalties it imposes on those who do not comply. The penalties can go as high as 20 Million Euros or 4% of annual global turnover, whichever is greater!
How about Data Privacy in India?
Laws in India regarding data privacy were ambiguous for a long time, but in 2017 the Supreme Court of India in the “Puttaswamy” case ruled that the Indian constitution guaranteed a fundamental right to privacy for every citizen, thereby recognising Privacy as a fundamental right. While the Information Technology Act, 2002, as amended in 2008, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘the SPDI Rules’) gave a broad requirement, India still lacks an organised framework on “Data Privacy”. Accordingly, the Personal Data Protection Bill, 2019 has been introduced in the Parliament and is expected to be codified soon.
How about Data Privacy across the globe?
While the concept of data privacy is catching up across the globe, the below image may help you get some idea on the state of affairs.
So, what next?
With great power comes great responsibility. If Data Security led the last decade, the next decade is all about how organisations manage “Privacy” and yet be accountable and innovative! Exciting times ahead.
Watch this space for regular updates on Privacy, Governance, Risk, and Technology.
About the Author
CA Narasimhan Elangovan is a practising Chartered Accountant and partner at KEN & Co., Bengaluru, India. He is a Privacy Practitioner, GRC professional, Digital transformation catalyst, an author, and a keynote speaker. He believes in the power of technology to solve everyday problems. He can be reached at firstname.lastname@example.org or on LinkedIn (https://www.linkedin.com/in/narasimhan-elangovan-93678777/)
The views discussed in this article are only for information purposes and are the personal views of the author. This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. No part of this material shall be construed as a solicitation of services or an invitation of any sort whatsoever from KEN & Co or to create a professional relationship.