Avoid the privacy trap: data protection or data privacy?

The terms "data protection" and "data privacy" are often used interchangeably across different regions and contexts, influenced by factors such as geographic location, professional certifications, and global standards, but it is important to use the correct terminology based on the specific legal framework or context to ensure clarity and effective education.

Tags: Risk Alignment, Education and Training, Data Protection Leadership, Governance

Tim Clements

6/24/2025 · 4 min read

Mind the Privacy Trap

I say data protection, you say data privacy.

I say 'risks to the rights and freedoms of individuals,' you say 'privacy risk.'

Is it as simple as being a European versus American thing? A bit like 'You say tomato, I say tomato.'

These days many professionals interchange these terms without thinking. A lot depends on where you are in the world, the company you are working for, its geographical scope, the nature of its business and so on.

So, context is key, but that's not all.

I think much also depends upon the certifications you may have studied for. Many learn the perceived 'correct terms' to pass exams, and then the terms stick in their daily work, often incorrectly. They use the wrong terms in their policies, educate others with them, and the words and terms spread far and wide until they eventually become gospel.

We must also look at the dominance on a global level of a couple of the major certification organisations. They are US based and, despite what is written in the text of European laws and regulations, the US-oriented words and terms get mixed into their materials.

Unfortunately, what happens is that, despite the complexity of European data protection regulations and data privacy laws (in the US), professionals working in this field become nonchalant and use terms that they may have needed to remember to pass an exam, but which in reality do not reflect the scope or context of their work.

Years ago, I embarrassingly fell into this trap, but now, I like to think I have largely dragged myself out of it, and I'm always happy to be corrected.

I appreciate that many companies have adopted their own terms in their own data protection and privacy frameworks, which is fine as long as their workforce is educated in a granular and contextual manner that provides true meaning, and not high level fluff.

In Europe, many professionals state in their LinkedIn profiles that they are working in, or with, 'privacy' - it's privacy this, and privacy that.

Does this really matter? Many will say no, but I think it does, because the right term depends on many factors.

Take the term 'privacy risk' as an example.

I hear and read this term so often, used casually in a GDPR context. The way I've seen it used is as an all-encompassing term covering risk of harm to individuals, compliance risk, legal risk and regulatory risk, to name a few.

To effectively quantify and manage risk you need to separate the different types of risk and understand the downstream consequences, the ripple effects. You can't do this if everything is lumped together.

It's interesting to compare definitions of what 'privacy risk' means according to some well-known organisations.

Example 1: ISACA

"Any risk of informational harm to data subjects and/or organization(s), including deception, financial injury, health and safety injuries, unwanted intrusion and reputational injuries, where the harm or damage goes beyond economic and tangible losses."

Example 2: NIST

"The likelihood that individuals will experience problems resulting from data processing and the impact should they occur."

Example 3: IAPP

"A formula to calculate the impact of a new project on the privacy of the consumer base that will use the new systems; to evaluate the risk, one must consider the likelihood of the threat occurring multiplied by the potential impact if the threat occurs."

Make up your own mind - do they really make sense, are they useful?

From an EU perspective, I think the EU sets out its stall admirably with one of the high-level objectives of GDPR in Art. 1(2):

"This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data."

I'm sure you know that GDPR only mentions the word 'privacy' a couple of times in a reference:

"Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)" - i.e. the ePrivacy Directive

And if you read the ePrivacy Directive, there's much mention specifically of 'risk to privacy.'

I've always liked the EU perspective about risks to the rights and freedoms of individuals because it forces you to dig deep into the EU's Charter of Fundamental Rights and read through the 50 rights listed and categorised under Dignity, Freedoms, Equality, Solidarity, Citizens' Rights and Justice. So when you are conducting a DPIA, you should be assessing the risks to all these rights, and not just 'Respect for private and family life' and 'Protection of personal data.'

Also, remember if a personal data breach occurs you need to carry out a similar assessment based on the circumstances of the breach: what the data could reveal, the categories of data subjects, volumes, timing, context, etc.

'Privacy risk' is just one example, but there are many more we need to be aware of to avoid being caught in the Privacy Trap.

I now make a concerted effort to use the correct terms depending upon the context. So if your organisation falls under the recent new 'data privacy laws' in Delaware, Iowa, Nebraska or New Hampshire, then feel free to use 'data privacy', but don't use that term if your organisation is purely a European setup under GDPR. And whatever you do, don't report 'privacy risk' to a governance board unless you can truly articulate the term and the board members get it.

To conclude, as professionals we have a duty to educate people, and that can never be effective if you are using a mishmash of incorrect terms, so why not make an effort to use the correct terms yourself?

Purpose and Means work with a number of global clients providing consultancy and contextual education and training. Interested in hearing more? Feel free to book a call to discuss your needs.