What’s the difference between data privacy and data protection? They seem intuitively self-explanatory, and yet if you think about it for a minute, they are quite complex to describe – they are both related and yet separate at the same time. Even if you consider them mutually exclusive, the details of what is involved in doing the right thing, e.g. for GDPR compliance, are complicated to get right – see my recent whitepaper for getting consent banners done correctly (aka Cookie popup banners).
Privacy is a human right. It is not a commodity and exists whether data is collected about me or not.
Data Protection only exists if data has been collected. As data is a commodity, it requires regulation to avoid abuse. Hence, data protection.
In this post I attempt to clarify the broader differences and similarities, the ethics and responsibilities of data stakeholders.
Data Privacy Defined
Data privacy is about the right to collect data in the first place, any data. Within the EU, the law that covers this is called the ePrivacy Directive (ePD).
If you collect anonymous and benign data that cannot identify or profile an individual, then privacy implications are minimal – essentially ensuring that the data really is anonymous and benign – and verifying this regularly. That is actually not as simple as it first sounds – more on this later.
A real-world example of anonymous and benign data could be monitoring traffic patterns around a school for the purpose of improving safety. That is, counting the number of vehicles, vehicle type and speed, by time of day. It is easy to argue that you have a reasonable and legitimate purpose for wishing to collect such data and any impact on people’s privacy is minimal, if any.
But say you wanted to extend the study by also logging license plates, taking photos of the drivers, adding other “meta data” such as logging gender, approximate age of drivers and passengers. This starts to become privacy invasive. Even though you have not identified individuals, anonymity is being eroded. It’s called the jigsaw effect.
Academic research published in Nature has shown that 99.98% of Americans would be re-identified in any “anonymous” dataset using only 15 demographic attributes. So if you wanted to extend your traffic study this way, you need informed consent from your data subjects. This is a fundamental point of GDPR. It applies whether you are monitoring traffic, or tracking website visitors.
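The jigsaw effect can be measured before a study is extended. The following is an added example, not part of the original post: it counts how many records in the traffic study become unique as each extra attribute is logged, using the smallest group size (the k of k-anonymity) as the measure. The column names and the sample rows are constructed for illustration.

```python
from collections import Counter

FIELDS = ("hour", "vehicle_type", "speed_band",
          "driver_gender", "driver_age_band", "passengers")

# Constructed sample observations for the school traffic study (not real data).
OBSERVATIONS = [
    (8, "car", "20-30", "F", "30-39", 1),
    (8, "car", "20-30", "F", "30-39", 2),
    (8, "car", "20-30", "M", "40-49", 0),
    (8, "car", "20-30", "M", "30-39", 1),
    (8, "car", "30-40", "F", "40-49", 0),
    (8, "car", "30-40", "M", "40-49", 2),
    (8, "van", "20-30", "M", "50-59", 0),
    (8, "van", "20-30", "M", "30-39", 0),
    (15, "car", "20-30", "F", "30-39", 1),
    (15, "car", "20-30", "F", "40-49", 2),
    (15, "car", "20-30", "M", "30-39", 0),
    (15, "car", "20-30", "M", "30-39", 3),
]

BASE = ("hour", "vehicle_type", "speed_band")                 # the original study
EXTRAS = ("driver_gender", "driver_age_band", "passengers")   # the extension


def uniqueness(rows, selected, fields=FIELDS):
    """Return (k, unique_fraction) for the selected columns.

    k is the size of the smallest group of rows sharing the same values;
    unique_fraction is the share of rows that are alone in their group
    and so can be singled out.
    """
    idx = [fields.index(name) for name in selected]
    groups = Counter(tuple(row[i] for i in idx) for row in rows)
    singled_out = sum(1 for size in groups.values() if size == 1)
    return min(groups.values()), singled_out / len(rows)


def erosion_report(rows, base=BASE, extras=EXTRAS):
    """Measure uniqueness for the base study, then after each added column."""
    report = [("base study", *uniqueness(rows, base))]
    for n in range(1, len(extras) + 1):
        report.append((f"+ {extras[n - 1]}", *uniqueness(rows, base + extras[:n])))
    return report


if __name__ == "__main__":
    for label, k, fraction in erosion_report(OBSERVATIONS):
        print(f"{label:<20} k={k}  singled out: {fraction:.0%}")
```

On this sample no record is unique in the base study, while every record is unique once gender, age band and passenger count are all logged, even though no name or license plate appears anywhere.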
Data Protection Defined
Data protection is about protecting data. It encompasses your responsibilities after you have collected the data. That is, the process of safeguarding important information from corruption, compromise or loss. Within the EU, the law that covers this is called the GDPR.
Data protection is about storing data securely, restricting access to it, ensuring its dissemination is done responsibly, and providing transparency to your data subjects – informing the people affected exactly what information has been collected about them, how it is being used, and their rights to modify it.
It is also about verifying all of these regularly. Knowing what you have collected, explaining how you store it and use it, and being transparent in the process, is another fundamental point of GDPR law.
Data Ethics Defined
Just because you can, does not mean you should. Data ethics is about what you stand for – your values and morals – both at a personal and organisational level. If you are reading this post, then these are likely to be very important to you. They are also very likely to be important to your customers. It’s about trust.
In the context of this post, trust is about how you go about both data privacy and protection. It’s not about following the legalese of the law, though that is important of course. It’s about doing what is right in terms of your data subjects – the people whose data points you are collecting – your customers. Providing a process for data trust will always stand you in good stead, and is also the basis of GDPR law.
Treat Privacy as a Business Asset
Ultimately data is an asset – a very valuable asset to your organisation. It can also be a business risk. From your customers’ point of view, their privacy and its protection is a USP. Handle it correctly and customers will give you their valuable trust. Get it wrong and their lifetime value will plummet – who wants to do business with someone they do not trust?
If you collect data from your website (who does not?), then responsibilities as a data stakeholder come in two parts. Like all brand values, both require a considerable amount of work to get right, and can be summarised as follows:
- STEP 1: Privacy – Getting consent to track a visitor’s activity is your key first step, i.e. the privacy. And you want to do that without the vast majority of your visitors opting out. Your web development team, marketing and sales teams are key stakeholders in this process. That is, don’t fall into the “compliance gap” and leave this solely to the legal team. Monitor that your site is consent compliant with tools such as Verified Data (note, I am the founder of this audit tool).
- STEP 2: Data Protection – Once you have data, your responsibilities as a data stakeholder continue with the protection of it. Although different teams will/should pick this up, for example the IT or digital infrastructure teams, questions still need to be asked. An example from a data stakeholder would be: “Are we certain that no personal data is being stored in Google Analytics, or elsewhere?” Again, tools such as Verified Data can help you verify this.
Other reading material:
I have written a lot about privacy over the years and this recent article is a good place to start: How to Get Cookie Consent Right. The follow up whitepaper is more formal advice with legal support to back up my reasoning for being smart about how you gain consent: Best Practice Consent Guide – How to Achieve a 70% Opt-In Rate (without any black arts).