Data Protection

GDPR and DPA are Not Actually About Data Security

Before you get up in arms, yes, both the DPA and GDPR contain elements of true data protection, but addressing that can be summarized in 3 words: ‘appropriate security measures’. Everything else in both the GDPR and DPA refers to privacy.

In case you’re not familiar with the difference between security and privacy – or haven’t read any of my other blogs – data security does NOT equal privacy. Loss of data can potentially lead to a loss in privacy, but misuse of the data is not prevented by the normal implementation of data security controls. Misuse of data = loss of privacy.

For example, even a data-centric security control like Data Loss Prevention (DLP) is not going to tell you if you have appropriate consent, legitimate interest, or appropriate contract language.

So imagine the confusion of the vast majority of the population, who have likely not read either regulation, when unscrupulous cybersecurity experts offer unqualified ‘GDPR compliance’ services. That’s like a plumber offering to build the entire house… maybe they have the skills, but what are the chances?

In truth, the laws should be called the General Data Subject Privacy and Data Protection Regulation (GDSPDPR) and the Data Subject Privacy and Data Protection Act (DSPDPA) respectively. Because that is exactly what they are. Even I hate acronyms greater than 4 characters, but it would have helped!

So how did this confusion begin in the first place? First you have to remember that our concept of data in the 2010s is very different from that of even 20 years ago. Think about this prediction for a minute: ‘More data will be created in 2017 than the previous 5,000 years of humanity’. Or this one: ‘Amount of Data Created Annually to Reach 180 Zettabytes in 2025’ (that’s 180 TRILLION gigabytes). Would you have even considered this possible in 1997 when the price of storage per gigabyte was around $175.00 USD? It’s now less than 2 cents.

Frankly we really weren’t that concerned about the data stored, especially in the [almost] absence of technologies such as big data processing or AI. Now it’s all about the data. Partly because of these ‘new’ technologies (amongst others), we are now equating the storage and failure to protect our data with transgressions against our privacy. They are not.

To compound the problem, the incredible rate of innovation in mobile devices has given us unprecedented functionality and convenience. While our options to self-educate on the impact of this convenience have likewise improved, the majority of us just can’t be bothered. We prefer instead to complain and blame others when things go wrong. We’d rather listen to those who are promising the world, instead of those who offer real solutions.

With GDPR and the new DPA, we now don’t have to worry too much about this as data subjects; it’s the organisations who are responsible for putting control of our data back in our hands. But if you represent an organisation, you better know the difference between data security and data privacy.

There is no excuse, or lenience, for ignorance.
