Today we’re launching our Data Privacy Periodic Table – the first-ever collection of the key “elements” of the data privacy world, regularly updated as new elements come to light. It is intended to help privacy professionals better understand the industry in which they work, and shed light on its often confusing terminology and how various pieces inter-relate.

We have categorized the elements mimicking the traits of the categories in the original scientific version. For example, the far right of the original periodic table is reserved for the Noble gases – stable, inert, and unreactive. This seemed an ideal match for the independent legislative or regulatory bodies. Similarly, the column dedicated to the Alkali metals on the far left, with their characteristic volatility, was a fitting location for the universal rights of the data subject, as if meddled with, both are likely to cause an explosion!

We have created a table on the main Data Privacy Periodic Table page that sets out why we have categorized the elements as we have.

Also, below, we have added some additional explanatory notes to explain our thinking for various elements’ inclusion and position.

We’d welcome any comments, or suggestions for new additions – contact me here for any recommendations or drop a comment below.

We also plan to release new updates to this table on a regular basis as the data privacy world changes. Each time we update the table, we will publish similar blogs, all of which are accessible off the main Periodic Table page.


The location usually reserved for Hydrogen was the perfect place to put Ethics. It is the spot for the first element in the atomic order and is also the most common element in the universe.

This high status for ethics within data privacy is no exaggeration. After all, privacy legislation is the codification of what society deems to be the ethical and appropriate way in which personal data can be processed. Like Hydrogen, ethics is the most fundamental, original, and abundant element of data privacy.


This element, number 21, is expressed in inverted commas for a simple reason: it is impossible. It is a frustrating myth that continues to revolve around data privacy that compliance can be achieved. It cannot, at least not in the way that businesses commonly understand it i.e. a one-off demonstration of adherence to certain rules.

Data privacy regulations are not designed for “single point in time” adherence. They require ongoing efforts and constant vigilance to ensure that data subjects’ rights are protected. A business’ data and processes are far too fluid for any assertion that adherence now means anything for adherence in the future, making claims of “compliance” utterly empty – and so-called certifications of compliance utterly worthless.

We discuss this in more detail our Myths and Fairy Tales of GDPR which discusses more of our thoughts on this and other common GDPR misunderstandings.

The_9_Myths_of_GDPRThe 9 Myths & Fairy Tales of GDPR  The 9 most dangerous misperceptions that undermine organizations’ GDPR observance and strategies   Download 
 ePrivacy Regulation AND ePrivacy Directive

We have included the ePrivacy Regulation in the future developments section (and recent reports suggest it will stay there for some time), but have also included the ePrivacy Directive in the Core Legislation section as until the Regulation is passed, the 2002 Directive is in force and very much applicable.

Elements 73-78 list end-users, employees, customers, suppliers, marketing databases, and partners. Collectively, these could be categorized simply as “data subjects”. But this would ignore the unique ways in which each type of data subject’s personal information needs to be addressed, handled, and treated. The data you will likely have on your employees, the permissions you may have, and the nature of its processing differs enormously from how you may collect, use and store your databases of marketing targets.


The data privacy ramifications of Brexit are critical, most notably whether the UK is officially an adequate state in the eyes of the EU. But this exact scenario could be repeated in other EU countries. Italy, the Netherlands and France have all had robust parliamentary discussions over whether they should follow the UK and leave the EU. The inclusion of this “element” emphasizes the need for privacy professionals to be as up to date as possible on geo-politics and its impact on data privacy, in addition to understanding the law already in force.

Japan-EU adequacy

The announcement of Japan and the EU’s agreement of “reciprocal adequacy” is the latest addition to this section. It means that they each recognize each other’s data protection regimes as “equivalent”, and therefore agree that personal data will be to flow between them once the law comes into effect later this year. We have written a full blog on this announcement here.


This is a lesser-known data privacy news cycle, but potentially wide-reaching in its impact. ICANN coordinates the naming conventions of the internet and works to maintain its security, stability, and interoperability. Its WHOIS database is a free service that allows uses to check the ownership of domain names.

This enormous repository of personal data is the subject of a 15-year discussion over data privacy, which has glowed white-hot in the wake of GDPR. Questions have repeatedly arisen over the nature of data WHOIS collects, how it is made available and who to, and whether the data required by WHOIS is more than strictly necessary (and therefore contrary to the data minimization element of GDPR and other privacy legislation). These have in turn led to ICANN’s plans for improved privacy being consistently rejected by European legislators. The story is ongoing (August saw the third plan rejected) and likely will be for some time.

Artificial Intelligence and Societal Values

These last two additions to the “Future developments” section are the two areas of progression that we feel will most influence the future of data privacy in the short and medium-term. As mentioned above in the Ethics section, legislation is typically the codification of society’s ethical values at that time. But what if those values change? Realistically, data privacy is not going to become a less inflammatory issue, but it might well become even more volatile. This would potentially result in legislation becoming more punitive, wider-reaching, and providing a deeper protection of data subjects.

Probably a more imminent driver for legislative change is developments in how we use technology to process, manipulate and optimize our data. The most oft-cited example of this is of course Artificial Intelligence. It is a perfect example of a field of technology where there is dramatically more potential ahead of us than the experience behind us. This in turn means that current privacy legislation will be rapidly found wanting, inadequate and out-of-date, just as it has been before.

The GDPR was one of the first new legislative frameworks to be built in direct response to advancing technology. Previous data privacy laws could not accommodate the way in which data collection and use changed. Fast-moving and ambitious fields of data science such as artificial intelligence will inevitably trigger plenty more new introductions. And taking nearly a decade to implement them, as in the case of GDPR, simply won’t be an option.

More updates to the Data Privacy Periodic Table are available here.