Avoid the privacy trap: data protection or data privacy?
The terms “data protection” and “data privacy” are often used interchangeably across different regions and contexts, influenced by factors such as geographic location, professional certifications, and global standards, but it is important to use the correct terminology based on the specific legal framework or context to ensure clarity and effective education.

I say data protection, you say data privacy.
I say ‘risks to the rights and freedoms of individuals,’ you say ‘privacy risk.’
Is it as simple as being a European versus American thing? A bit like ‘You say tomato, I say tomato.’
These days many professionals interchange these terms without thinking. A lot depends on where you are in the world, the company you are working for, its geographical scope, the nature of its business and so on.
So, context is a key but that’s not all.
I think much also depends upon the certifications you may have studied for. Many learn the perceived ‘correct terms’ to pass exams, and then the terms stick in their daily work, often incorrectly. They use the wrong terms in their policies and when educating others, the words and terms spread far and wide, and they eventually become gospel.
We must also look at the dominance on a global level of a couple of the major certification organisations. They are US based and, despite what is written in the text of European laws and regulations, the US-oriented words and terms get mixed into their materials.
Unfortunately, what happens is that, despite the complexity of European data protection regulations and data privacy laws (in the US), professionals working in this field become nonchalant and use terms that they may have needed to remember to pass an exam, but which in reality do not reflect the scope or context of their work.
Years ago, I embarrassingly fell into this trap, but now, I like to think I have largely dragged myself out of it, and I’m always happy to be corrected.
I appreciate that many companies have adopted their own terms in their own data protection and privacy frameworks, which is fine as long as their workforce is educated in a granular and contextual manner that provides true meaning, and not high-level fluff.
In Europe, many professionals state in their LinkedIn profiles that they are working in, or with, ‘privacy’ - it’s privacy this, and privacy that.
Does this really matter? Many will say no, but I think it does, because it depends on many factors.
Take the term ‘privacy risk’ as an example.
I hear, and read this term so often, used casually in a GDPR context. The way I’ve seen it used is as an all-encompassing term including risk of harms to individuals, compliance risk, legal risk, regulatory risk to name a few.
To effectively quantify and manage risk you need to separate the different types of risk and understand the downstream consequences, the ripple effects. You can’t do this if everything is lumped together.
It’s interesting to compare definitions of what ‘privacy risk’ means according to some well-known organisations.
Example 1: ISACA
“Any risk of informational harm to data subjects and/or organization(s), including deception, financial injury, health and safety injuries, unwanted intrusion and reputational injuries, where the harm or damage goes beyond economic and tangible losses.”
Example 2: NIST
“The likelihood that individuals will experience problems resulting from data processing and the impact should they occur.”
Example 3: IAPP
“A formula to calculate the impact of a new project on the privacy of the consumer base that will use the new systems; to evaluate the risk, one must consider the likelihood of the threat occurring multiplied by the potential impact if the threat occurs.”
Make up your own mind - do they really make sense, are they useful?
From an EU perspective, I think the EU sets its stall out admirably with one of the high-level objectives of the GDPR in Art. 1(2):
“This Regulation protects fundamental rights and freedoms of natural persons and in particular their right to the protection of personal data.”
I’m sure you know that GDPR only mentions the word ‘privacy’ a couple of times in a reference:
“Directive 2002/58/EC of the European Parliament and of the Council of 12 July 2002 concerning the processing of personal data and the protection of privacy in the electronic communications sector (Directive on privacy and electronic communications)” - i.e. the ePrivacy Directive
And if you read the ePrivacy Directive, there’s much mention specifically of ‘risk to privacy.’
I’ve always liked the EU perspective about risks to the rights and freedoms of individuals because it forces you to dig deep into the EU’s Charter of Fundamental Rights and read through the 50 rights listed and categorised under Dignity, Freedoms, Equality, Solidarity, Citizens’ Rights and Justice. So when you are conducting a DPIA, you should be assessing the risks to all of these rights, and not just ‘Respect for private and family life’ and ‘Protection of personal data.’
Also, remember if a personal data breach occurs you need to carry out a similar assessment based on the circumstances of the breach: what the data could reveal, the categories of data subjects, volumes, timing, context, etc.
Privacy risk - just one example, but there are many we need to be aware of, to avoid being caught in the Privacy Trap.
I now make a concerted effort to use the correct terms depending upon the context. So if your organisation falls under the recent ‘data privacy laws’ in Delaware, Iowa, Nebraska or New Hampshire, then feel free to use ‘data privacy’, but don’t use that term if your organisation is purely a European setup under GDPR, and whatever you do, don’t report ‘privacy risk’ to a governance board unless you can truly articulate the term and the board members get it.
To conclude, as professionals we have a duty to educate people, and that can never be effective if you are using a mishmash of incorrect terms, so why not make an effort to use the correct terms yourself?
Frequently Asked Questions
What is the difference between data protection and data privacy? Data protection is the term used in EU law — including the GDPR — to describe the legal framework governing the processing of personal data. It covers the full lifecycle of personal data and is grounded in the protection of fundamental rights and freedoms. Data privacy is the term more commonly used in US legislation, such as state-level consumer privacy laws in California, Virginia, and Colorado. Using the wrong term in the wrong context can create confusion in policies, training, and board reporting.
Does the GDPR use the term “privacy”? The GDPR mentions “privacy” only in reference to the ePrivacy Directive (Directive 2002/58/EC). The regulation itself is built around the concept of protecting personal data as a fundamental right under Article 8 of the EU Charter of Fundamental Rights — not around the narrower concept of privacy. The GDPR’s risk framework refers to “risks to the rights and freedoms of natural persons,” which encompasses far more than privacy alone.
What is wrong with using the term “privacy risk” in a GDPR context? The term “privacy risk” is too narrow for GDPR purposes. When conducting a Data Protection Impact Assessment (DPIA) under Article 35, you must assess risks to all the rights and freedoms listed in the EU Charter of Fundamental Rights — including dignity, equality, non-discrimination, and freedom of expression — not just the right to private life. Lumping all risks under “privacy risk” makes it harder to identify, quantify, and manage distinct categories of harm.