Guide to Data Protection and Information Privacy

Improve Your Organisation’s Security Posture

Book a demo

office,building.,skyscraper.,exterior,of,building

What Is Data Protection and Information Privacy?

Data protection safeguards your data’s privacy, availability, and integrity by adopting various data protection strategies and processes.

Privacy is crucial to establishing rapport between people and organisations, but it’s really about safeguarding fundamental rights. A good strategy can help prevent data loss, theft, or corruption and minimise damage if a breach or disaster occurs. An organisation that handles, stores, or collects sensitive data must develop a data protection strategy.

Data protection should be considered at the design phase of any system, service, product, or process and throughout its lifetime.

Different Information Types

Personal information can be divided into various categories, all of which may raise privacy concerns. These are:

  • Television
    • Refers to controlling who can see and collect one’s personal information. For example, a third party can find out what IP TV programs someone watches by tracking their Internet usage.
  • Educational
    • Information such as a person’s educational qualifications counts as personal information that could impact their employment status.
  • Financial
    • Financial accounts, such as account balances, stock or fund holdings, outstanding debts, and purchases, may be sensitive information about a person. Criminals may gain access to this information and use it to commit identity theft or fraud.
  • Internet
    • There are two prominent issues with regards to internet privacy: whether third parties are able to access and read someone’s email without their consent or whether they are able to continue tracking the websites that someone has visited.
  • Locational
    • A person’s mobility trace may reveal a wide range of professional and personal information, including whether the person is a medical patient, has recently undergone surgery, has a disability, uses a wheelchair, or has recently visited an office or professional setting, among many more.
  • Medical
    • The information in a person’s medical records may be sensitive and confidential, and people may wish to keep it private. For example, they may be worried that the information would affect their health insurance or their ability to find employment.
  • Political
    • Information such as a person’s political beliefs count as personal information that could impact their employment status if readily available.
Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

Data Protection Principles

Fundamentally, the principles of data protection help organisations protect data and make it readily available under any circumstances to the individual. Data protection refers to both data backup operations and business continuity/disaster recovery (BCDR), such as:

  • Data Lifecycle Management – This entails moving critical data to online and offline storage through an automation process.
  • Information Lifecycle Management – Malware and virus attacks, machine failure or facility outages, and user and application errors are all threats to the information assets of an organisation. These assets can be protected through information lifecycle management, a comprehensive strategy that includes valuing, cataloguing, and safeguarding information.

What Is Personal Data?

Personal data is referred to as any information that can relate to an identifiable or identified living individual. A person can be identified by piecing together various bits of information, which, when collected together, constitute personal data.

Some personal data examples include; first names and last names, addresses, an identifiable email address (this could be firstname.lastname@company.com), location data, and IP (internet protocol) address.

Organisations usually rely on personal data for day-to-day activities.

The ICO states that:

“By itself, the name John Smith may not always be personal data because there are many individuals with that name. However, where the name is combined with other information (such as an address, a place of work, or a telephone number) this will usually be sufficient to clearly identify one individual.”

The ICO also makes the point that names are not necessarily the only information required to identify an individual:

“Simply because you do not know the name of an individual does not mean you cannot identify [them]. Many of us do not know the names of all our neighbours, but we are still able to identify them.”

What Is Data Privacy?

Data privacy refers to how sensitive and important data should be collected or handled. Personal Health Information (PHI) and Personally Identifiable Information (PII) are two examples of data subject to data privacy laws. This category includes financial information, medical records, social security or ID numbers, names, birthdates, and contact information.

Sensitive data should only be accessible to authorised parties, so data privacy helps ensure that criminals cannot maliciously use data and ensures that organisations meet regulatory requirements.

The majority of online users want to control or prevent certain types of personal data collection, just as someone might wish to exclude people from a private conversation.

Businesses must make data privacy a top priority. Non-compliance with data privacy regulations can lead to significant losses. Think of lawsuits, significant financial penalties, and brand damage.

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Trusted by companies everywhere
  • Simple and easy to use
  • Designed for ISO 27001 success
  • Saves you time and money
Book your demo
img

What Is Data Processing?

Everything you do with data is considered processing; collecting, storing, recording, analysing, combining, disclosing, or deleting it, among other things.

Any operation on data is referred to as data processing. Because raw data isn’t ready for analytics, business intelligence, reporting, or machine learning, it must be aggregated, altered, enriched, filtered, and cleaned.

Organisations need to process data in order to create better business strategies and improve their competitive advantage.

What Is a Data Controller?

The ‘why’ and ‘how’ personal data is processed is determined by the data controller. Ultimately data controllers are the key decision-makers in determining the reason and purpose for data collection and the method and means for any data processing.

Data controllers could be:

  • Any private company or other legal entity – including an incorporated association, an incorporated partnership, or a public authority – is included.
  • A person working on their own—such as a partner in an unincorporated firm, a lone entrepreneur, or any self-employed professional.

What Is a Data Processor?

A data processor is a person, public authority, agency, or other body that processes personal data on the controller’s behalf.

A data processor acts on behalf of the controller and under their authority. By doing so, they serve the controller’s interests rather than their own.

In certain situations, an entity can be a data controller, a data processor, or both.

Machines that process data, such as calculators or computers, are considered data processors. Cloud service providers are also now categorised as data processors. A third-party data processor doesn’t own or control the data they process. The data can’t be altered to change the purpose for which it is used. If you’re processing personal data, you will be a data processor.

What Is a Data Subject?

An individual who is the subject of particular personal data is referred to as a data subject or data subjects.

What Does Your Organisation Need to Do?

There is no single solution that works for every company. Data protection regulations don’t set many strict rules; instead, they take a risk-based approach, adhering to some key principles. It is versatile and can be used in a variety of organisations and situations; therefore, it does not inhibit innovative approaches.

However, this flexibility does mean that you must consider – and be accountable for – how you utilise personal information. There are often multiple approaches to fulfilling your obligations, depending on exactly why and how you utilise the data.

You may determine what answers are best for your organisation, but you must be able to justify them. The accountability principle of data protection law is a critical aspect.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

What Is the Data Protection Act 2018?

Organisations, businesses, and the government must adhere to the Data Protection Act 2018 when handling personal information. The Data Protection Act 2018 replaced and updated the Data Protection Act 1998 and became effective on May 25th, 2018.

The DPA is the UK’s enshrinement of the General Data Protection Regulation (more on GDPR further within the article below) into UK law. To simply put it:

  • Data Protection Act is law.
  • GDPR is a regulation which individual countries interpret and enshrine within their own laws.

Strict rules called ‘data protection principles‘ govern how personal information is used. Those involved in collecting and using data must abide by the following stringent rules:

  • Fairly, lawfully, and transparently used.
  • Used for purposes specified and explicit.
  • Used in a way that is adequate, pertinent, and limited to those required.
  • It is vital to keep information accurate and up to date, where necessary.
  • Kept for no longer than is needed.
  • Protected against unlawful or unauthorised processing, destruction, access, loss, or damage, and processed in a manner that ensures appropriate security.

The more sensitive the information, the more legal protection there is. This information will be; race, ethnicity, political beliefs, religious beliefs, membership of trade union, genetics, biometrics for identification, health status, and sexual orientation.

What Is The General Data Protection Regulation?

The General Data Protection Regulation (GDPR) is the world’s most stringent privacy and data security regulation. Although it was developed and approved by the European Union (EU), organisations worldwide must comply if they collect or utilise data about EU residents.

The GDPR went into effect on May 25th, 2018. Those who don’t adhere to the privacy and security standards established by the GDPR could face significant fines.

The GDPR replaces the EU Data Protection Directive of 1995. According to the new directive, businesses must be more transparent and provide data subjects with greater privacy protections. When a serious data breach has occurred, the company must notify all affected parties and the supervising authority within 72 hours.

What is UK GDPR?

Even though the GDPR is enshrined within UK law as the DPA since breaking away from the EU, UK-GDPR and EU-GDPR are separate and distinct regulations. Whilst regulations are currently identical, since Brexit, the UK is free to amend UK-GDPR regulation as Parliament deems necessary.

A controller or processor based outside the UK must comply with the UK GDPR if their processing relates to individuals in the UK.

ISO 27701 and GDPR

ISO 27701 is an extension of ISO 27001 (more on that below), the latest update in international privacy and information management standards.

The purpose of both GDPR and ISO 27701 is to establish ethical data privacy standards to protect consumers. They work together and complement each other in order to achieve the same goals.

Here is a summary of what they have in common:

See how we can help you

Book a tailored hands-on session
based on your needs and goals
Book your demo

We can’t think of any company whose service can hold a candle to ISMS.online.
Vivian Kroner
ISO 27001, 27701 and GDPR lead implementer Aperian Global
100% of our users pass certification first time
Book your demo

Other Data Protection Laws & Acts and Information Privacy Law

Various data protection laws and data from around the globe are found in the table below.

LawsArea of Jurisdiction
General Personal Data Protection Law (Also known as LGPD and Lei Geral de Proteção de Dados Pessoais)Brazil
California Consumer Privacy Act (CCPA)California
Privacy ActCanada
Privacy Act 1988Australia
Personal Data Protection Bill 2019India
China Cyber Security Law (CCSL)China
Personal Information Protection Law (PIPL)China
Data Protection Act, 2012Ghana
Personal Data Protection Act 2012Singapore
Republic Act No. 10173: Data Privacy Act of 2012Philippines
The Russian Federal Law on Personal Data (No. 152-FZ)Russia
Personal Data Protection Law (PDPL)Bahrain

How Does Data Protection and Information Privacy Work Alongside Information Security?

Article 32 of GDPR sets out what’s required when it comes to ensuring the security of personal data processing.

The regulation requires you to take ‘appropriate technical and organisational measures to address the risks you face. It also describes some of the typical measures in this regard, including:

  • Pseudonymisation and encryption of personal data
    • If data falls into the wrong hands, it cannot be exploited.
  • Confidentiality, integrity, availability and resilience
    • Aimed at your systems and services.
  • Data restoration
    • It would include the development of tools and procedures to restore personal data if a security breach occurs (systems backup would be one aspect of this).

ISO 27001 and Data Protection

ISO 27001 covers these aspects as well. You must perform extensive risk assessments to identify the dangers your company faces. That’s exactly what you need to figure out as ‘appropriate’ security measures under GDPR.

It establishes standards for when and how to put data encryption to work, as well as for ensuring the confidentiality and availability of your data. It also defines what is required in terms of “business continuity management,” thereby covering the GDPR requirement to implement data restoration and availability measures.

If you meet and maintain ISO 27001 compliance, you effectively have your GDPR data processing security requirements covered, thanks to stress testing through to staff training.

How ISMS.online Helps With Data Protection

Whether you’re just beginning to look into data privacy or an expert seeking to combine multiple regulations and standards, our features are simple to utilise. You will get where you want to be right away.

Our PIMS solution simplifies data mapping. It is simple to record and review it all and to add your organisation’s details to our pre-configured dynamic Records of Processing Activity tool.

An effective PIMS requires managing risk. To assist with every phase of risk assessment and management, we have created a built-in risk bank and other practical tools.

Whether you’re working on data privacy standards or regulations, you must demonstrate your ability to handle Data Subject Rights Requests (DRR). Our secure DRR space keeps everything in one place, helping you to report and gain insight automatically.

Find out more by booking a hands-on demo.

See our platform
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

Assured Results Method
100% ISO 27001 success

Your simple, practical, time-saving path to first-time ISO 27001 compliance or certification

Book your demo

Explore ISMS.online's platform with a self-guided tour - Start Now