The Data Privacy Periodic Table

4 minute read

The Data Privacy Periodic Table

Topics: Data Privacy

By Sophie Chase-Borthwick on 3 September 2018

Today we’re launching our Data Privacy Periodic Table – the first ever collection of the key “elements” of the data privacy world, regularly updated as new elements come to light. It is intended to help privacy professionals better understand the industry in which they work, and shed light on its often confusing terminology and how various pieces inter-relate.


We have categorised the elements mimicking the traits of the categories in the original scientific version. For example, the far right of the original periodic table is reserved for the Noble gases – stable, inert and unreactive. This seemed an ideal match for the independent legislative or regulatory bodies. Similarly, the column dedicated to the Alkali metals on the far left, with their characteristic volatility, was a fitting location for the universal rights of the data subject, as if meddled with, both are likely to cause an explosion!


We have created a table on the main Data Privacy Periodic Table page that sets out why we have categorised the elements as we have.


Also, below, we have added some additional explanatory notes to explain our thinking for various elements’ inclusion and position.


We’d welcome any comments, or suggestions for new additions – contact me here for any recommendations or drop a comment below.


We also plan to release new updates of this table on a regular basis as the data privacy world changes. Each time we update the table, we will publish similar blogs, all of which are accessible off the main Periodic Table page.

New call-to-action

Explanatory notes:



The location usually reserved for Hydrogen was the perfect place to put Ethics. It is the spot for the first element in the atomic order, and is also the most common element in the universe.


This high status for ethics within data privacy is no exaggeration. After all, privacy legislation is the codification of what society deems to be the ethical and appropriate way in which personal data can be processed. Like Hydrogen, ethics is the most fundamental, original and abundant element of data privacy.


This element, number 21, is expressed in inverted commas for a simple reason: it is impossible. It is a frustrating myth that continues to revolve around data privacy that compliance can be achieved. It cannot, at least not in the way that businesses commonly understand it i.e. a one-off demonstration of adherence to certain rules.


Data privacy regulations are not designed for “single point in time” adherence. They require ongoing efforts and constant vigilance to ensure that data subjects’ rights are protected. A business’ data and processes are far too fluid for any assertion that adherence now means anything for adherence in the future, making claims of “compliance” utterly empty – and so-called certifications of compliance utterly worthless.


We discuss this in more detail our Myths and Fairy Tales of GDPR – download it here to read more about our thoughts on this and other GDPR misunderstandings.


 ePrivacy Regulation AND ePrivacy Directive

We have included the ePrivacy Regulation in the future developments section (and recent reports suggest it will stay there for some time), but have also included the ePrivacy Directive in the Core Legislation section as until the Regulation is passed, the 2002 Directive is in force and very much applicable.

Data subjects
It was tempting to simply include data subjects as a single element, but we felt this was not an accurate representation of the mindset businesses ought to have.


Elements 73-78 list end users, employees, customers, suppliers, marketing databases and partners. Collectively, these could be categorised simply as “data subjects”. But this would ignore the unique ways in which each type of data subject’s personal information needs to be addressed, handled and treated. The data you will likely have on your employees, the permissions you may have and the nature of its processing differs enormously to how you may collect, use and store your databases of marketing targets.



The data privacy ramifications of Brexit are critical, most notably whether the UK is officially an adequate state in the eyes of the EU. But this exact scenario could be repeated in other EU countries. Italy, the Netherlands and France have all had robust parliamentary discussions over whether they should follow the UK and leave the EU. The inclusion of this “element” emphasises the need for privacy professionals to be as up to date as possible on geo-politics and its impact on data privacy, in addition to understanding the law already in force.



Japan-EU adequacy

The announcement of Japan and the EU’s agreement of “reciprocal adequacy” is the latest addition to this section. It means that they each recognise each other’s data protection regimes as “equivalent”, and therefore agree that personal data will be to flow between them once the law comes into effect later this year. We have written a full blog on this announcement here.




This is a lesser known data privacy news cycle, but potentially wide-reaching in its impact. ICANN coordinates the naming conventions of the internet and works to maintain its security, stability and interoperability. Its WHOIS database is a free service that allows uses to check the ownership of domain names.
This enormous repository of personal data is the subject of a 15-year discussion over data privacy, which has glowed white-hot in the wake of GDPR. Questions have repeatedly arisen over the nature of data WHOIS collects, how it is made available and who to, and whether the data required by WHOIS is more than strictly necessary (and therefore contrary to the data minimization element of GDPR and other privacy legislation). These have in turn led to ICANN’s plans for improved privacy being consistently rejected by European legislators. The story is ongoing (August saw the third plan rejected) and likely will be for some time.



Artificial Intelligence and Societal Values

These last two additions to the “Future developments” section are the two areas of progression that we feel will most influence the future of data privacy in the short and medium term. As mentioned above in the Ethics section, legislation is typically the codification of society’s ethical values at that time. But what if those values change? Realistically, data privacy is not going to become a less inflammatory issue, but it might well become even more volatile. This would potentially result in legislation becoming more punitive, wider-reaching and providing a deeper protection of data subjects.
Probably a more imminent driver for legislative change is developments in how we use technology to process, manipulate and optimise our data. The most oft-cited example of this is of course Artificial Intelligence. It is a perfect example of a field of technology where there is dramatically more potential ahead of us than experience behind us. This in turn means that current privacy legislation will be rapidly found wanting, inadequate and out-of-date, just as it has been before.
The GDPR was one of the first new legislative frameworks to be built in direct response to advancing technology. Previous data privacy laws could not accommodate the way in which data collection and use changed. Fast-moving and ambitious fields of data science such as artificial intelligence will inevitably trigger plenty more new introductions. And taking nearly a decade to implement them, as in the case of GDPR, simply won’t be an option.

More updates to the Data Privacy Periodic Table are available here.