Perhaps the most common misunderstanding we encounter in our work is the confusion of cyber-security and privacy that arises from the term 'data protection'. When you ask many business people about their data protection readiness, you commonly receive an answer that refers to their endpoint security or authentication controls; and when you go on to discuss risks, they think about breaches and, in particular, hacking.
None of this is wrong. Security risks to data, both from error and from malfeasance, continue to present a rising threat which is recognised in data protection regulations. All such laws globally place an obligation on those who collect, process, store and share personal data to keep it secure from breach, loss and damage.
However, there is much more to privacy – or data protection, depending on which word you prefer – than just security. It’s one standard of eight in Jamaica, one article of 99 in the GDPR. If you were to choose one word to sum up the purpose of data protection law, it wouldn’t be 'security'. Indeed, many countries have distinct cyber-security laws, and businesses that operate in regulated markets, such as financial services, are also subject to cyber-security requirements in those sectoral regulations.
The keyword in data protection is 'fairness'. As economies digitise and all of our interactions with governments and companies are mediated through data, we need to be confident that we will be treated fairly and equally. This is what regulators are tasked to ensure; this is where their attention will be focused and what they are looking to find if and when they investigate a controller’s processing.
It is to ensure fairness that data protection laws confer on individuals specific rights of access, rectification, erasure and objection over their personal data. By the same token it is in service of this goal that controllers are required to be transparent about their collection and processing, and to minimise what is collected, with whom it is shared and for how long it is kept. Fairness is the objective behind limiting the lawful reasons for processing to a specified list, and for placing restrictions on the use of automated decision-making and artificial intelligence in the context of personal data. And of course, to close the circle, it is also only fair that anyone to whom you provide your personal data should take proper care to secure it.