Here’s what you need to know about data privacy – and data security
Even as a number of players track and analyse above-the-surface and below-the-surface personal data, regulations that ensure data privacy and protection are the need of the hour in India.
Data privacy is all about the personal data of individuals – and ONLY about personal data.
Organisations deal with a lot of data that is highly confidential or sensitive in nature… yet is NOT Personal Data. For example, revenue numbers, inventory details, business projections, etc. are all critical data but NOT personal data. And hence, such data does not come under the purview of data privacy.
So if data privacy only concerns personal data, it is important to first understand what exactly personal data IS.
Most laws and regulations, more or less, define personal data as any piece or element of data that can - directly or indirectly, by itself or in combination with other data - identify or potentially identify an individual.
What do you mean by ‘directly or indirectly’?
Any personal data element that can directly identify an individual – such as her name or email id or fingerprint – is something that we all understand and relate to. Indirectly – as the term implies – means that the personal data element may not directly connect with a person, yet may lead to her identification. For example, a reference to a teenage girl living in an apartment complex of 10 apartments where there are no other teenage girls can immediately lead to the exact identification of the girl in question.
What do you mean by ‘by itself or in combination with other data’?
Some types of data – like, say, a person’s name or mail id – identify a person in a standalone manner, meaning the piece of data is enough to identify the individual. Other pieces of data by themselves may not immediately lead to the identification of an individual. However, when combined with other data, the identification can easily happen. For example, the IP address of a device, by itself, may not mean much. However, combining it with other data, like the IP-to-physical address mapping in a back-end database of the service provider or other external databases, can easily identify the exact location of the individual. When this is further combined with subscription data collected by the service provider, it becomes fairly easy to narrow down the person associated with that IP address. As analytics and big data techniques get more and more sophisticated, the combination of seemingly unconnected databases can throw up results that are totally unexpected.
What do you mean by ‘potentially identify an individual’?
As mentioned earlier, some data elements don’t identify a person right away. But they have the potential to identify a person when combined with other data. Hence this data is also considered personal data.
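The apartment-complex illustration above can be turned into a check that a data holder runs before sharing a dataset; the following is an added example, not part of the original article. It counts how many records share each combination of indirect identifiers (the smallest count is the k of k-anonymity), using a constructed resident list and hypothetical column names.

```python
from collections import Counter
from itertools import combinations

# Constructed sample: residents of one apartment complex, with no names,
# e-mail ids or other direct identifiers. Columns are (age_band, gender, floor).
ROWS = [
    ("adult", "F", 1), ("adult", "M", 1), ("teen", "M", 1),
    ("adult", "F", 2), ("adult", "M", 2), ("teen", "F", 2),
    ("teen", "M", 2), ("senior", "F", 3), ("senior", "M", 3),
    ("adult", "F", 3), ("adult", "M", 3), ("senior", "F", 1),
    ("senior", "M", 2),
]
COLUMNS = ("age_band", "gender", "floor")
RESIDENTS = [dict(zip(COLUMNS, row)) for row in ROWS]


def group_sizes(records, columns):
    """Count how many records share each combination of values on `columns`."""
    return Counter(tuple(r[c] for c in columns) for r in records)


def smallest_group(records, columns):
    """Size of the smallest group: the k of k-anonymity for these columns."""
    return min(group_sizes(records, columns).values())


def singled_out(records, columns):
    """Records that are the only one with their combination of values (k = 1)."""
    sizes = group_sizes(records, columns)
    return [r for r in records if sizes[tuple(r[c] for c in columns)] == 1]


def risk_report(records, columns):
    """Map every combination of columns to (k, number of singled-out records)."""
    report = {}
    for n in range(1, len(columns) + 1):
        for combo in combinations(columns, n):
            report[combo] = (smallest_group(records, combo),
                             len(singled_out(records, combo)))
    return report


if __name__ == "__main__":
    for combo, (k, unique) in risk_report(RESIDENTS, COLUMNS).items():
        print(f"{' + '.join(combo):28} k={k}  singled out: {unique}")
```

No single column here narrows a resident down to fewer than three people, yet age band and gender together leave exactly one record, which is why such a combination has to be treated as personal data.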
To make it easier to understand the personal data landscape, we, at Arrka, classify personal data into two broad categories: ‘above the surface’ and ‘below the surface’.
Above-the-surface data is the kind of data that most of us intuitively know and understand is personal data and can relate to it. This is also the kind of data that gets discussed in various media and forums when personal data is the topic.
Below-the-surface data is the kind of data that we don’t necessarily intuitively realise is personal data.
Why is below-the-surface personal data critical?
Below-the-surface data about us gets generated literally every moment in time. Anything and everything that we do involving the digital realm generates vast amounts of data about us. Which means almost everything that we do today – what we see, what we read, what music we listen to, what we shop for, whom we talk to, what we browse, where we go, etc. Even when we sleep, our bodies’ parameters are being tracked and monitored by our fitness bands. When we are not at home, our smart devices – if they are on – are accessing our environment.
All of this is being tracked, analysed, and our detailed digital footprints and profiles are being built – not by one single entity but by many. There is a vast ecosystem of players out there – data brokers, advertisers, marketers, analytics providers, etc. – all legitimate – who are continually tracking us, building and enriching our profiles, and trading in them.
This data from these entities is then used by organisations not only to advertise to us and make us appropriate promotional offers, but even to tailor the kind of content we see and imbibe. Hence news, opinions, analyses, etc. get tailored and delivered to us based on our profiles. In effect, this helps nudge and influence our opinions and beliefs, sometimes enhancing our prejudices and beliefs, sometimes influencing our actions.
In fact, this is what the Facebook-Cambridge Analytica issue was all about. The fact that Cambridge Analytica targeted individuals and influenced them to the extent that they allegedly could influence the outcome of an election was a wake-up call to many.
So what really is data privacy? How is it connected to all of the above?
When we as individuals interact today with any organisation, we give away a lot of personal data. Some we know we are giving away – for example, when we fill out forms or post something online. Some we don’t realise is being “taken” from us, usually below-the-surface data. A third category of data is the personal data about us that the organisation procures from a third party. For example, when you apply for a loan, the organisation gets your credit score from a credit bureau. We often don’t realise this – that data about us can be, and is being, obtained from third parties as well.
Now, in theory, in return for giving away all this personal data, we are expected to enjoy certain privileges. But there are things – and privileges - we need to know about.
· Why is this data being collected from me in the first place?
· What is it going to be used for?
· Is it going to be shared with third parties?
· Is my consent being taken for all of this?
· Am I going to be able to access it whenever I want?
· Am I being tracked and profiled?
· Is my data being kept safe and secure?
All of the above are nothing but data privacy privileges. More accurately, they are commonly referred to as data privacy principles and rights.
The last point – about ensuring my data is kept safe and secure – is what data security is all about. Many people confuse the two terms and often use them interchangeably. However, data privacy and data security are two different things.
So do organisations really do all of the above? We don’t see this in India, do we?
Organisations usually do this only if they are required to do so by laws or regulations. Hence most privacy laws and regulations incorporate the above. India is yet to get a proper data privacy law. Some privacy principles are seen under Sec 43A, Sensitive Data Protection Rules of the Indian Information Technology Act 2008. However, they seem to have been largely ignored. This is exactly why having a suitable law in place is critical for India.
(Disclaimer: The views and opinions expressed in this article are those of the author and do not necessarily reflect the views of YourStory.)