Data Privacy: Disclosing the Elements

The world of data privacy presents its own unique challenges, which are constantly changing as the goal posts move; dictated by new legislation and new heightened requirements by businesses across the globe

Aside from the exponential rise in attention it has received at board level, particularly in recent times with GDPR, what sets data privacy apart from other new business trends is the mass interest it receives within professional workstreams and even, often when it goes wrong, mainstream media.

Much of this new attention comes from the speed with which this field is changing. More and more countries, sectors and associations are now recognising the importance of data privacy in ensuring companies and other organisations ‘play fair’ in how they handle their (really, their customers’) information. However, it’s clear the level of up-to-date knowledge and confidence in its practical implementation is often obstructed by how complex, jargon-filled and intricate data privacy can be.

To help decipher it, we have begun a new project: The Periodic Table of Data Privacy. It has been designed to collate and categorise the 118 most critical “elements” of data privacy and present them in an easily digestible format. This is an ongoing project – as new components begin to influence the makeup of this space, we will reassess the table and make changes where needed. It is also an open project, and we are happily accepting feedback from the privacy community on how we may need to make changes. We have had some excellent input so far and have already taken some on board to create this second version. I’m sure a third will not be far behind!

With only 118 elements available to us, we have had to make some tough decisions over what can be included and where it is placed. Some of the reasons behind our decision making are outlined below, and an even more thorough explanation is included over on our blog – we would appreciate any further suggestions, particularly if you feel an element is missing.

The categories

The format replicates the original periodic table, with each of the data privacy elements given its own unique position within the table based on its characteristics. For example, the triangular section to the right of the original is dedicated to reactive non-metals – very common elements that are the building blocks of all life, such as carbon and nitrogen and hydrogen. This was a perfect fit for the fundamental principles of data protection, as without these, there could be no privacy law.

Similarly, the bottom of the main section is dedicated to unknown elements – those that are under close scientific investigation and will hopefully be better understood in the future. This space in our table has been reserved for the anticipated future developments of data privacy law. Naturally, we anticipate this area will be subject to the most frequent changes.

Hydrogen is the most common element in the universe and is also the simplest and most fundamental. Within the periodic table, it sits apart from all other elements. This is similar to the role of ethics within the data privacy sphere – something that must also be considered separately to the technicalities of how we work with data. After all, privacy legislation is the codification of what society deems to be the most ethical and appropriate way in which personal data can be processed.

Achieving compliance ‘Com’

We decided to use some ‘artistic licence’ and put compliance, element number 21, in quotes. This was for a simple reason: because it is impossible to achieve. It’s a common data privacy misperception that compliance can be achieved, and yet it can’t. At least not in the way that businesses commonly understand it, i.e. a one-off demonstration of adherence to certain rules.

Data privacy regulations are not designed for companies to evidence their adherence at a single “point in time” and receive certification that at that moment, they satisfied the law’s requirements. Data privacy requires ongoing efforts and literally constant vigilance to ensure that data subjects’ rights are continuously protected. A business’ data and processes are far too fluid for adherence right now to mean anything for adherence in the future, making claims of “compliance” utterly empty – and so-called “certifications of compliance” worthless.

The impact of Brexit (EUx)

The data privacy ramifications of Brexit are critical, and most notably, whether the UK is officially an adequate state in the eyes of the EU. But this exact scenario could be repeated in other EU countries such as Italy, the Netherlands, France and others who have had robust parliamentary discussions over whether they should follow the UK and leave the EU. The inclusion of this element emphasises the need for privacy professionals to be aware of the latest developments in geopolitics and its impact on data privacy, in addition to understanding the current legislation in place.

Right to rectification

We have deliberately not included this in the table and the decision came down to the constraints of how many elements we had available. Perhaps we are being too literal, but it is regardless a very useful exercise to think in further depth about these rights and understand them better in order to work out their classifications.

Not including this in the current version might suggest we are prioritising some rights over others, but we are simply trying to accommodate a very complex world within the parameters of this table. More importantly though, we also felt that Rectification is sufficiently addressed by Accuracy and Availability in the ‘fundamental principles of data protection’ section, so the spirit of the right still remains. We also needed to make room for the below.

Right to be informed

Many might argue that the right to be informed is covered by transparency and other fundamental principles already included elsewhere in the table, and so could have been excluded. However we wanted to include it in order to highlight an interesting observation.

This right may be universal, but the way it manifests in various legislative frameworks varies drastically. For instance, the GDPR states the right must be protected proactively through clear instructions in the privacy notices. In contrast, Canada’s PIPEDA simply states that such information should be made available, with no stipulation of it being published proactively.

We also find that many businesses often confuse this right with that of access. For the sake of clarity, the right to be informed is concerned with understanding how data is used, while access is simply a matter of a subject being able to view what data is held.

Many of the decisions for this table were based on available space, whether there was overlap with other elements and in some particular cases, priorities. But please let us know if anything in here is confusing. In light of Brazil’s imminent laws and other new announcements we are already working on updating the future developments section, and of course changes here will have knock-on effects on the core legislation area above it, and perhaps elsewhere. It is a constantly changing challenge, which is what makes this industry so interesting to follow and be a part of!

About the Author

Sophie Chase-Borthwick is Director of Privacy Services at Calligo. Calligo supports businesses in the optimization of their data, and their constant adherence to relevant international or industry-specific data protection legislation. We are data optimization and privacy specialists.