Welcome to another edition of Privacy Notes!
Data Privacy and Data Protection are two interconnected terms which are often used interchangeably, and wrongly so. In actual fact, the two concepts are Siamese twins: neither can function without the other. Data Protection laws safeguard personal data privacy.
The term “Data Protection” has to do with the tools, mechanisms and policies which are deployed by an organization (called a Data Controller in different jurisdictions) to secure the Personal Data it processes from access by a third party without a lawful basis for that access (lawful bases include consent, contract, legal obligation, etc.). Typically, an organization will designate a Data Protection Officer who will be responsible for the general compliance of the organization with the requirements of data protection laws, such as identifying the personal data that must be protected and preparing the policies to adequately respond to and mitigate any personal data breach that occurs.
Data Privacy relates to a person’s right to control how their personal data is used or processed. Data Privacy is a fundamental right and is recognised under different pieces of legislation, including the Universal Declaration of Human Rights, the International Covenant on Civil and Political Rights, and various other international covenants. The Constitution of the Federal Republic of Nigeria also recognises the right to privacy under section 37 and provides that “The Privacy of citizens, their homes, correspondence, telephone conversations and telegraphic communications is hereby guaranteed and protected”.
There are two main aspects to data privacy. The first is “Access Control”. A big part of ensuring data privacy is determining who should have authorized access to the data and who shouldn’t; this is where Access Control comes into play. It is recommended that organizations implement policies and procedures which restrict and regulate access to personal data within their systems, even among employees. The second aspect of data privacy involves putting mechanisms in place that will prevent unauthorized access to the data. These mechanisms include data encryption methods as well as passwords. It is further advisable that organizations implement procedures regulating the activities of their employees (for instance, directing that employees lock their systems when they are not in use) in order to prevent data from being read by anyone without proper authorization.
Suppose Company A sells unique products via its eCommerce shop and collects many pieces of data from its online shoppers, such as email addresses and log-in details, bank details, shipping addresses, etc. To ensure proper handling of personal data and to give individuals control over access to and sharing of their data, Company A does the following:
- It allows its customers to unsubscribe from its email marketing & newsletter list.
- It does not disclose its customers’ email addresses and purchase data to data brokers without getting its customers’ consent.
- It stores customers’ purchase information in accordance with data storage periods determined by applicable laws.
These efforts are all part of Company A’s data privacy strategy.
If Company A’s Data Protection Officer advises the executives to implement an information security policy in order to secure the personal data of data subjects, and Company A implements that policy, such effort is part of Company A’s data protection strategy.