The concept of regulating data and ensuring data privacy is not a new idea – the financial services and health care industries have been managing data privacy for decades. However, in the era of Big Data and the immense power and wealth that can be derived from maximizing the value of information, spreading the responsibility of properly managing and protecting data to a broader set of entities was inevitable.
Proliferating regulatory mandates are extending their reach into market areas historically not governed by regulatory rigor. California’s Consumer Protection Act (CCPA), New York’s SHIELD Act, Washington state’s Privacy Act and the European Union’s General Data Protection Regulation (GDPR) are some of the recent mandates that provide expanded rights for individuals or consumers to establish broader ownership of their data. The organizations that process that data are charged not only with protecting it more rigorously, but also with providing transparency about what they are doing with it.
At its core, data privacy is about the proper handling of data or information: whether it is properly obtained, whether data subjects are given appropriate notice of how their data will be used, and what regulatory requirements apply to that data. Data privacy regulations place burdens on organizations that collect data to manage and protect it in ways not seen in the past.
The new regulations passed in recent years have introduced new concepts or terms that need to be understood by businesses and individuals alike. Ultimately, seeking guidance from attorneys well-versed in data privacy and data security will be your best tool for understanding these terms and how they apply to you or your business. As a primer, the list of terms below can get you on the path to better understanding the new lexicon of data privacy for the 2020s.
Consent: In the privacy context, consent is the ability of a data subject to agree to or decline the collection and processing of their personal data. Contemporary laws are beginning to require explicit consent before personal data may be collected.
Data Broker: A data broker is any entity that collects and sells individuals’ personal data, whether or not a direct relationship exists with the data subject. The term is utilized in the GDPR but has made its way into U.S. regulatory law, with Vermont and California incorporating the term into their privacy laws.
Data Controller: Mainstreamed by the GDPR, a data controller is an entity that determines the purposes for which data is collected and the mechanism by which the data is collected and processed.
Data Localization: Data localization is a requirement, found in certain regulations, that data captured from data subjects be physically stored in the same country in which it originated. This concept is seen in the GDPR, China’s Cybersecurity Law (CSL), and Brazil’s Security Law.
Data Portability: Data portability is the concept of allowing a data subject to take information collected about them by a business or data controller and move it to another business or service. This idea is seen in the GDPR as well as California’s CCPA.
Data Privacy Agreement: A data privacy agreement is a public statement or policy that discloses all the ways a business or entity acquires, uses, shares, discloses and manages private or personal data.
Data Processing Agreement: A data processing agreement is a binding contract defining the rights and obligations of data controllers and data processors with respect to the protection of personal data.
Data Processor: Also a term mainstreamed by the GDPR, a data processor is an organization that collects, processes, stores and transmits data on behalf of a data controller. A data processor and a data controller can be the same entity, though a data processor may also be a third party. The data controller is ultimately responsible for the data it collects.
Data Protection Officer: A Data Protection Officer (DPO) is someone who is given formal responsibility for data protection compliance within a business. Some laws require businesses to appoint a DPO to oversee an organization’s data privacy program.
Data Subject: A data subject is an individual to whom a piece or set of data relates. In general, the data needs to be clearly tied to the individual for data protection and data privacy rules to apply.
Right to Be Forgotten: An individual’s right to have their personal data deleted by an organization that possesses or controls that data. This is also referred to as the Right to Deletion.
To better understand how these terms influence a strong regulatory compliance strategy, reach out and schedule a Cymetric demo.