The launch of the Data Privacy Periodic Table earlier this month was a roaring success. We’ve received some excellent feedback, and some people are even printing it off for their office walls!
Some of the comments we’ve received:
“Not seen anything like this before.”
“Very useful for the project I am working on right now.”
“Great initiative and a very innovative way of displaying what is a lot of information.”
But more importantly, we have also had some really constructive feedback and fascinating conversations on new “elements” to include, some to move and even debates on the worthiness of some elements’ inclusion.
All in all, it’s been a really exciting launch. We have now completed some updates to the Table and a new version is now available below. As always, some notes on what we have done are underneath, along with reasoning behind why some input has not been pursued.
This is however by no means a finished project. We still want your feedback as the data privacy world changes under our feet. Case law might mean that new central components of privacy may be demanded, or new independent bodies may be formed. And of course, new core legislation will always be likely. So submit comments below, or contact me directly.
Data Protection Authorities
We were asked by a number of readers to add DPAs to the Independent Bodies section on the far right hand side, but we have decided against it. Such terminology was deemed too GDPR-focused, which we are trying hard to avoid with this project.
Although, we have taken on board the sentiment of the comment and recognized we needed to add enforcement bodies alongside the Local Legislators that were already included. We have therefore added in Local Regulators, in place of the EU, on the basis that we needed to make room somehow; didn’t need two European organizations; and were wiser to include the European Data Protection Board instead.
It was suggested that we ought to add “Audit” to the Central Components. We have decided to add this instead to the key skills and traits of the most reliable privacy advisors, as “Auditing Skills”.
This is because performing an audit is one thing, but it is quite another to be constructive with it. We find that many external advisors conduct audits of organizations, only to leave them with a list of actions and criticisms, and offering no plan or input as to how to remedy them. This “ivory tower” syndrome is in our view irresponsible and unhelpful. We would rather emphasize the need for audits to be augmented with honest consultation and support, alongside a practicable plan of action based on technical and legal knowledge. Anyone can criticize, but few can (or will?) help organizations improve.
We received a very perceptive comment that we had included Background Checking in our section focused on legislation and practices that conflict with privacy if exercised irresponsibly, but that we had omitted KYC.
To many, these will appear synonymous. But in actual fact, background checking is primarily focused on employees whereas KYC is, as the name suggests, focused on customers. A good point that we have accommodated in our new version.
Reflection and the Right to be Informed
The element Reflection was the one that engendered the highest number of comments, which was understandable as we were trying to describe a great deal with a single word. The intention was to articulate the right for a subject to review and correct data held about them. “Rectification” was not enough as we wanted to encompass the right to review the data, beyond simply the right to Access. Reflection was where we ended up.
However, this has become a moot point. We have removed this element to replace it with the Right to be Informed – the right for a data subject to be told how their data will be used.
Clearly this is a controversial decision, as it suggests we are prioritising some Rights over others. To be clear, we are not doing this. We feel that Reflection / Rectification is sufficiently addressed by Accuracy and Availability in the fundamental principles of data protection for us to remove it in favour of R2BI, without the underlying sentiment of the Right disappearing. In addition, we are confined by the practicalities of this project – just as with the EU decision above, there is a set number of elements in the real periodic table (118) so we have to make hard choices of what survives and what does not!
Interestingly, the R2BI may be a universal right, but the way it manifests in various legal frameworks varies enormously. For instance, the GDPR states the right must be protected proactively through clear instructions in the privacy notices. In contrast, Canada’s PIPEDA simply states that such information should be available, with no stipulation of it being published proactively.
We also find in our client engagements that R2BI is confused with the right to Access. For the sake of clarity, the R2BI is concerned with understanding how data is used, while Access is simply a matter of a subject being able to view what data is held.
As always, let us know of any suggestions, disagreements or recommendations. This is an open and live project that actively seeks input and is regularly updated as things change.