DEREK SMITH: Data protection and privacy difference not readily obvious


Derek Smith

Data privacy and data protection have distinct meanings and implications, but the terms are often used interchangeably. As business leaders rely increasingly on data for decision-making, they must understand the difference between the two concepts and how each affects their operations. This article and the two that follow over the coming month will provide that clarification, along with insights on data privacy and protection tools.

A person's right to privacy refers to their ability to control how their personal information is collected, used and disclosed. In other words, it is the right of individuals to know what data is being collected about them, how it is being used and with whom it is being shared. Giving individuals these rights, and protecting the personal information they cover, is therefore the central purpose of data privacy laws.

Data protection, meanwhile, refers to the measures a company takes to protect the data it holds. Protecting data means preventing it from being lost, stolen or accessed by unauthorised parties. This requires a combination of technical controls, such as encryption, firewalls and access controls, and company policies and procedures for handling sensitive information.

While the two concepts are related, they are not interchangeable. As noted by privacy expert Michelle Dennedy: "The difference between privacy and security is not always easy to see. Security protects the perimeter - it says who is in and who is out - while privacy is the content within."

Companies that are serious about protecting their own, and their customers', interests should develop a comprehensive data privacy and protection programme that addresses both privacy and security concerns. Such a programme should include policies and procedures for collecting, storing and processing data, and measures for securing data and ensuring compliance with applicable laws and regulations.

There is one area where the difference between data privacy and data protection becomes particularly apparent: a data breach. Following a breach, a company may be held liable both for data privacy violations (such as failing to inform the individuals whose data has been compromised) and for data protection failures (such as failing to implement adequate technical safeguards). The two liabilities are independent: strong security does not excuse a missed notification, and prompt notification does not excuse weak safeguards.

As noted by Trevor Hughes, privacy expert and chief executive of the International Association of Privacy Professionals: "If you look at the most damaging data breaches that have happened over the last decade, most of them could have been prevented by good security practices." Strong data privacy and data protection programmes are therefore essential.

In conclusion, data privacy and data protection are related but not interchangeable. Data privacy is concerned with protecting the privacy rights of individuals, while data protection is concerned with securing data against loss or unauthorised access. Companies that are serious about safeguarding their own, and their customers', interests should develop comprehensive programmes that address both. As data plays an increasingly important role in business, understanding this distinction is more critical than ever.

NB: About Derek Smith Jr

Derek Smith Jr. has been a governance, risk and compliance professional for more than 20 years. He has held positions at a TerraLex member law firm, a Wolfsberg Group member bank and a ‘big four’ accounting firm. Mr Smith is a certified anti-money laundering specialist (CAMS), and the assistant vice-president, compliance and money laundering reporting officer (MLRO) for CG Atlantic’s family of companies (member of Coralisle Group) for The Bahamas and Turks & Caicos.

