January 28 is Data Privacy Day in the United States (we’re actually celebrating it all week), Canada, Nigeria, and Israel. In the EU, it’s Data Protection Day. Though data privacy and data protection are different things, both are connected to the same historic event: January 28, 1981, when the Council of Europe enacted Convention 108, a legally binding international treaty protecting individuals with regard to the automatic processing of personal data.
For some perspective, that same year, IBM released its very first personal computer, the IBM Model 5150, and Sony introduced the 3.5” floppy drive. The internet would not exist for two more years. And the first deliberately malicious malware wouldn’t come into being for another five years. (Image credit: https://www.computerhistory.org/timeline/1981/)
Clearly, the risks involved in sharing personal data online weren’t a concern for most people at that time. Yet experts in the European Union already understood the implications of data protection, cross-border data transfers, and automated decision making as they relate to people. Today, three decades later, you might think these concepts would have entered the mainstream—at least in the world of business. But companies continue to be faced with insufficient cybersecurity protocols and breaches costing millions of dollars.
Part of the problem is that data protection and data privacy are often used synonymously when they are in fact very, very different beasts that require very different mindsets and approaches to be managed effectively.
Data Privacy versus Data Protection: The Definitions
Data privacy refers to the use, storage, and sharing of individuals’ personal information. Maintaining data privacy—known as Information Security—involves following a set of practices built around the promise of not divulging any personal data to unauthorized entities. (See General Data Protection Regulation.)
But protecting data privacy is not the same as protecting the data itself. Even if you share data with no one, you have not protected that data from a data breach or other cyber-attack. Data protection is about shielding a company’s own data, their customers’ data, and their vendors’ data from being exposed or compromised.
Protecting privacy (outside of Europe, at least) doesn’t typically have a codified role or department in many small- to medium-size organizations. Consider this data from the US Privacy Shield program: Of the 6,000 organizations registered as of 2020, the largest percentage of data privacy points of contact listed were in the legal department (15.8%). Only 7.7% of the companies listed had a specific Information Security function, and in some cases, the privacy protection duties fell to Sales, HR, Marketing, or an admin function in the organization.
We'll continue exploring the origins and current relevance of Data Protection/Data Privacy Day in Part 2, which looks at the difference between data protection and data privacy.
In the meantime, download our infographic for the Top 10 Things Every SaaS Company Should Do to Protect Its Data.