28 January, every year, is celebrated as International Data Privacy Day. Most of us today are unaware of and uninformed about how our personal information is being used, collected, or shared in our digital society. The purpose of Data Privacy Day is to raise awareness and promote privacy and data protection best practices. Data Privacy Day aims to inspire dialogue and empower individuals and companies to take action.
Read below to get yourself acquainted with the basics of Privacy!
What exactly is Data Privacy?
We are living in a world flooded with data. Much of it is generally and publicly available, like the price of a product or commodity, the temperature outside, or the closing stock price of a particular company. However, there is so much more data which is highly personal to each and every individual, such as each person’s name and address, medical records and bank account information, photos, videos, passport information, browsing history, product preferences etc. When this data is in digital form, many companies and corporations have access to it, which they in turn analyse to generate meaningful patterns and to market or cross-sell. It is obvious that you and I would like to retain some control over our personal data and decide with whom we would like to share it, and what such an entity plans to do with the data so collected.
In short, Data Privacy is all about how corporations and institutions use personal data within an acceptable framework.
Aren’t Data Privacy and Data Security the same?
Data Security and data privacy are often used interchangeably, but there are distinct differences:
To illustrate, an organisation may have encrypted the personal data while at rest and in transit. However, it may not have collected the personal data with the approval of the data subject. In this case the organisation may be compliant from a Security standpoint, but not from a data privacy angle.
So, what constitutes Personal Data?
‘Personal Data’ generally refers to any information relating to an identified or identifiable natural person (popularly called the ‘data subject’ internationally or the ‘data principal’ in the Indian context). An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, an identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
Examples of personal data
Examples of data not considered personal data
I heard of something called Sensitive Personal Data. What is that?
Sensitive data is a “special category” of personal data that must be treated with extra security or specific processing conditions. A few examples include:
Hmm, so what now?
Considering the massive growth of digital data, legislatures across the globe are bringing in multiple frameworks and rules to ensure that personal data in the hands of corporations is not misused. These rules and legislations require corporations to ensure the following at a minimum:
Are there any rights which I can enforce as the Data Subject?
The data subject in general has rights over his or her data. The rights differ from country to country. However, the following are a few commonly recognised rights:
I heard of GDPR. What is that?
The General Data Protection Regulation (GDPR) is a regulation in the EU which governs the law on data protection and privacy in the European Union and the European Economic Area. It has been considered the benchmark privacy law across the world. It rose to fame thanks to global privacy initiatives, and the hefty penalties it imposes on those who do not comply. The penalties can go as high as 20 Million Euros or 4% of annual global turnover, whichever is greater!
How about Data Privacy in India?
Laws in India regarding data privacy were ambiguous for a long time, but in 2017 the Supreme Court of India in the “Puttaswamy” case ruled that the Indian constitution guaranteed a fundamental right to privacy for every citizen, thereby recognising Privacy as a fundamental right. While the Information Technology Act, 2002, as amended in 2008, and the Information Technology (Reasonable Security Practices and Procedures and Sensitive Personal Data or Information) Rules, 2011 (‘the SPDI Rules’) gave a broad requirement, India still lacks an organised framework on “Data Privacy”. Accordingly, the Personal Data Protection Bill, 2019 has been introduced in Parliament and is expected to be codified soon.
How about Data Privacy across the globe?
While the concept of data privacy is catching up across the globe, the image below may help you get some idea of the state of affairs.
So, what next?
With great power comes great responsibility. If Data Security led the last decade, the next decade is all about how organisations manage “Privacy” while remaining accountable and innovative! Exciting times ahead.
Watch this space for regular updates on Privacy, Governance, Risk, and Technology.
About the Author
CA Narasimhan Elangovan is a practicing Chartered Accountant and partner at KEN & Co., Bengaluru, India. He is a Privacy Practitioner, GRC professional, Digital transformation catalyst, an author, and a keynote speaker. He believes in the power of technology to solve everyday problems. He can be reached at [email protected]
Disclaimer: The views discussed in this article are only for information purposes and are the personal views of the author. This publication contains information in summary form and is therefore intended for general guidance only. It is not intended to be a substitute for detailed research or the exercise of professional judgment. No part of this material shall be construed as a solicitation of services or an invitation of any sort whatsoever from KEN & Co or to create a professional relationship.