Data Privacy or Data Protection?
A society needs data about its members to function properly. Too little information and society stops working efficiently, too much information and its members lose their freedoms. The fundamental rights to privacy, personality and data protection are the backbone of a free society. There can be no freedom where the individual is not in control of their data, feels observed, tracked or continuously assessed.
Privacy is essential to autonomy and the protection of human dignity, serving as the foundation upon which many other human rights are built. Privacy enables us to create barriers and manage boundaries to protect ourselves from unwarranted interference in our lives, which allows us to negotiate who we are and how we want to interact with the world around us. Privacy helps us establish boundaries to limit who has access to our bodies, places and things, as well as our communications and our information.
Broadly speaking, privacy can be understood as the right to be left alone, or the freedom from interference or intrusion in our lives. On the other hand, data protection is the right to have our personal data protected from unfair abuse.
In fact, the European Charter of Fundamental Rights contains separate rights to privacy and data protection:
Art. 7. Respect for private and family life: Everyone has the right to respect for his or her private and family life, home and communications.
Art. 8. Protection of personal data: Everyone has the right to the protection of personal data concerning him or her. Such data must be processed fairly for specified purposes and on the basis of the consent of the person concerned or some other legitimate basis laid down by law. Everyone has the right of access to data which has been collected concerning him or her, and the right to have it rectified.
Still, the terms “data protection” and “data privacy” are often used interchangeably when referring to the protection of personal data. So, even though strictly speaking the correct term is data protection, for the sake of simplicity we can consider both terms as referring to the same thing.
Data protection rules like the GDPR (AVG in Dutch) lays down rules relating to the protection of personal data. These rules are arguably meant to ensure the “fair” use of personal data – not too little, not too much. The diverse chapters presented in the GDPR text ensure that the fundamental rights and freedoms of the individual are respected while their data is being processed. For example, chapter 3 is about the rights of the data subjects, chapter covers the rules of international data transfers, and chapter 8 lays down the remedies, liability and penalties.
In other words, the GDPR rules try to ensure that when a society uses data about its members to function properly, it does so while respecting its member’s fundamental rights and freedoms, to allow the free flow of personal data within the European Union.
Data Privacy vs. Data Security – it is not the same thing
Data privacy is often confused with data security – they are related, but are definitely not the same. Security protects the interest of the entity using data (personal or otherwise), whereas privacy protects the interest of the individual behind personal data. Moreover, security arguably protects against unexpected events (like loss of confidentiality, integrity and availability), whereas privacy seeks to protect against both unexpected and expected events, when they have an impact on data subjects (like failure to provide appropriate information, to limit processing to specific purposes, lacking of lawful basis for processing, failure to respond to data access requests from individuals, etc.).
Data security is absolutely necessary for data protection, we can’t have good data privacy without good data security. However, a process that only implements security (integrity and confidentiality) without implementing all the other data protection requirements (lawfulness, fairness and transparency, purpose limitation, data minimisation, accuracy, storage limitation and accountability), will have good security with bad data privacy.
What do we need to do to comply with the GDPR?
The GDPR consists of 11 chapters with 99 articles in total – it is not an easy task for data controllers (the individuals in charge of deciding why and how personal data is processed) to understand what needs to be done to achieve compliance. Our objective is to facilitate the task of compliance, by providing an interpretation of the myriad articles of the GDPR into a protocol designed to facilitate the process of evaluating and documenting the GDPR compliance of your data processing activities – The privacy scan framework.
At the Geosciences faculty, the Privacy Scan is the tool that ensures and demonstrates compliance with the GDPR.