Data Protection versus Data Privacy
What’s the difference between data privacy and data protection? They seem intuitively self-explanatory, and yet if you think about it for a minute, they are quite complex to describe – they are both related and yet separate at the same time. Even if you consider them mutually exclusive, the details of what is involved in doing the right thing, e.g. for GDPR compliance, are complicated to get right – see my recent whitepaper for getting consent banners done correctly (aka Cookie popup banners).
This is a quick post to clarify the broader differences and similarities, the ethics and responsibilities of data stakeholders…
Data privacy is about the right to collect data in the first place, any data. If you collect anonymous and benign data that cannot identify or profile an individual, then privacy implications are minimal – essentially ensuring that the data really is anonymous and benign – and verifying this regularly. That is actually not as simple as it first sounds – more on this later.
A real-world example of anonymous and benign data could be monitoring traffic patterns around a school for the purpose of improving safety. That is, counting the number of vehicles, vehicle type and speed, by time of day. It is easy to argue that you have a reasonable and legitimate purpose for wishing to collect such data and any impact on people’s privacy is minimal, if any.
But say you wanted to extend the study by also logging license plates, taking photos of the drivers, adding other “meta data” such as logging gender, approximate age of drivers and passengers. This starts to become privacy invasive. Even though you have not identified individuals, anonymity is being eroded. It’s called the jigsaw effect.
Academic research has shown that 99.98% of Americans would be correctly re-identified in any “anonymous” dataset using only 15 demographic attributes. So if you wanted to extend your traffic study this way, you should get informed consent from your data subjects. This is one of the fundamental points of GDPR law. It applies whether you are monitoring traffic in the street, or tracking visitors to your website.
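The jigsaw effect can be measured on a dataset before it is collected or shared. The following is an added example, not part of the original post: it counts how many records share each combination of attributes (the k-anonymity group size) for the base traffic study and for the extended one. The field names and the sample rows are constructed for illustration.

```python
from collections import Counter

FIELDS = ("vehicle_type", "hour", "speed_band", "gender", "age_band", "passengers")

# Constructed sample observations (not real data): one row per passing vehicle.
ROWS = [
    ("car", 8, "20-30", "F", "30-39", 1),
    ("car", 8, "20-30", "M", "30-39", 2),
    ("car", 8, "20-30", "F", "40-49", 0),
    ("car", 8, "20-30", "M", "40-49", 1),
    ("van", 8, "20-30", "M", "50-59", 0),
    ("van", 8, "20-30", "M", "30-39", 0),
    ("van", 8, "20-30", "F", "30-39", 1),
    ("car", 15, "30-40", "F", "30-39", 2),
    ("car", 15, "30-40", "F", "30-39", 2),
    ("car", 15, "30-40", "M", "60-69", 0),
    ("car", 15, "30-40", "F", "40-49", 1),
    ("car", 15, "30-40", "M", "20-29", 0),
]
RECORDS = [dict(zip(FIELDS, row)) for row in ROWS]

BASE = ("vehicle_type", "hour", "speed_band")  # the original safety study
EXTENDED = FIELDS                              # plus gender, age band, passengers


def equivalence_classes(records, attrs):
    """Count how many records share each combination of the given attributes."""
    return Counter(tuple(r[a] for a in attrs) for r in records)


def k_anonymity(records, attrs):
    """Smallest group size: each record hides among at least k look-alikes."""
    return min(equivalence_classes(records, attrs).values())


def unique_records(records, attrs):
    """Number of records whose attribute combination appears exactly once."""
    return sum(1 for n in equivalence_classes(records, attrs).values() if n == 1)


if __name__ == "__main__":
    # Add one attribute at a time and watch the groups shrink.
    for i in range(len(BASE), len(FIELDS) + 1):
        attrs = FIELDS[:i]
        print(f"{len(attrs)} attrs: k={k_anonymity(RECORDS, attrs)}, "
              f"unique={unique_records(RECORDS, attrs)}/{len(RECORDS)}")
```

A record that is unique on its attribute combination can be matched to a person by anyone who knows those same attributes from another source, which is why the extended study needs consent even without names or plates.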
Data protection is about protecting data. It encompasses your responsibilities after you have collected the data. That is, the process of safeguarding important information from corruption, compromise or loss.
For example, data protection is about the storing of data securely, restricting access to it, ensuring its dissemination is done responsibly, and providing transparency to your data subjects – informing the people affected of exactly what information has been collected about them and how it is being used. It is also about verifying all of these regularly.
Knowing what you have collected, explaining how you store it and use it, and being transparent in the process, is another fundamental point of GDPR law.
Data Ethics – Doing the right thing
Just because you can do something, does not mean you should…!
Data ethics is about what you stand for – your values and morals – at both a personal and an organisational level. If you are reading this post, then these are likely to be very important to you. They are also very likely to be important to your customers. It’s about trust.
In the context of this post, trust is about how you go about both data privacy and protection. It’s not about following the legalese of the law, though that is important of course. It’s about doing what is right in terms of your data subjects – the people whose data points you are collecting – your customers. Providing a process for data trust will always stand you in good stead, and is also the basis of GDPR law…
Privacy is an asset…
I have written a lot about privacy over the years and this recent article is a good place to start: How to Get Cookie Consent Right. My whitepaper is more formal advice with legal support to back up my reasoning for being smart about how you gain consent: How to Achieve a 70% Opt-In Rate for Website Consent (without any black arts).
Ultimately data is an asset – a very valuable asset to your organisation. From your customers’ point of view, their privacy and its protection is a USP. Handle it correctly and customers will give you their valuable trust. Get it wrong and their lifetime value will plummet – who wants to do business with someone they do not trust?
If you collect data from your website (who does not?), then responsibilities as a data stakeholder come in two steps. Like all brand values, both require a considerable amount of work to get right, and can be summarised as follows:
The privacy step – Getting consent to track a visitor’s activity is your key first step, i.e. privacy. And you want to do that without the vast majority of your visitors opting out. Your web development team, marketing and sales teams are key stakeholders in this process. That is, don’t fall into the “compliance gap” and leave this solely to the legal team. Monitor that your site is consent compliant with tools such as Verified Data (note, I am the founder of this audit tool).
The data protection step – Once you have data, your responsibilities as a data stakeholder continue with the protection of it. Although different teams will/should pick this up, for example the IT or digital infrastructure teams, questions still need to be asked. An example from a data stakeholder would be: “Are we certain that no personal data is being stored in Google Analytics, or elsewhere?” Again, tools such as Verified Data can help you verify this.