Tuesday 28 January 2014. Data Protection Day. A day to promote citizens' knowledge of their data-protection rights and responsibilities. The question here is: what do citizens ALREADY know about data protection? In general, quite a bit. Let's look at some of what they know.
Most people are familiar with the Spanish Data Protection Law of 1999 (Ley Orgánica de Protección de Datos, usually shortened to LOPD) and it has almost become a household word in daily conversations.
- The subject matter, purpose and remit of the law are all known, and even some of its security measures.
- The Spanish Data-Protection Agency (Agencia de Protección de Datos) is also widely known among the citizens.
- It is now commonplace for data-collection clauses to be included in everyday activities, such as hotel check-ins, promotional mailings, promotions and raffles. In some cases these clauses are even printed in type the same size as the rest of the document, with the offer “Tick this box if you don’t want us to use your data for other purposes”. What is more, these clauses are actually read and the boxes actually ticked.
- It is not rare for the media to run stories about data-protection shortfalls, sometimes perpetrated by the users themselves: photos uploaded to social networking sites, password theft, private videos that go viral on email and WhatsApp, for example, crop up in the press every month. Citizen appreciation of these news items denotes awareness that data protection was not properly applied in some way.
In fact, we have lately seen cases where the Data Protection Law is wrongly invoked to protect information that does not involve personal data at all. It is a clear mistake, but at least it shows just how widely known this law has become.
There has therefore definitely been a learning process based on past experience. Or rather on past mistakes (one's own and others'), the incidents that arise and the lessons learnt from the fall-out of these mistakes: company fines, public shaming of individuals, emotional break-ups …
In light of all the above, I would claim that the data protection culture is now well consolidated and healthy, even though we citizens are not always rigorous in applying it to ourselves and our data on a day-to-day basis.
Professional data-protection activities are also buoyant. The development of concepts like “privacy-by-design”, the successive revisions of national privacy laws and the regulations developing these laws (there have now been two laws and two regulations), spadework for the development of a Europe-wide data protection regulation or the information-privacy requirements enforced by companies on their cloud service providers are perhaps the buzz-word themes on this data protection day.
Not all the news is good, however. There is a (tendentious?) trend of confusing “data protection” with “security”. Security objectives, especially those of information security, encompass information confidentiality, which in turn takes into account data-privacy needs. But companies hold far more information than personal data alone, and confidentiality is a much broader concept than privacy, even though many organizations have indeed moved on from data protection to information-security work.
Some stakeholders also try to boil down data protection too much. Data protection is not only observance of the LOPD; neither is this observance guaranteed by the simple holding of documents (especially if they are not enforced) or the obtaining of a “Compliance Certificate.” Real data protection is an ongoing endeavor; it cannot be built up in one week or one month or simply by buying IT software or a set of Data-Privacy documents. People who speak along those lines are either confused or are trying to pull the wool over people’s eyes.
Allow me a final conclusion or tip. Take care of Information Security as a whole; work on obtaining, keeping and improving it, whether it is personal information or not. That way you kill two birds with one stone: information security and data privacy. Because if you lose a list of company clients you might be fined. But you might also lose some customers. It seems daft to worry only about the fine.
Author: Mariano Benito
CISO Secure e-Solutions
The author’s views are entirely his own and may not reflect the views of GMV