All About Data: The Laws

This is the second article in the series, and it covers the laws governing the acquisition and use of data.

"The greater the power, the more dangerous the abuse." - Edmund Burke.

Data is Powerful.

A GIF showing a meter labelled 'Power' with a max reading of 'A lot'

With data, you have a great deal of knowledge at your fingertips. That has enormous potential for good, but using it the wrong way can be catastrophic.

In my last article, I mentioned that you are a source of data. Data collected about individuals is called personal data.

Your name is data. Your age is data. Your height is data. Your gender is data. Your race is data. Your address is data. These and more provide demographic information about a person or a population.

Your blood type is data. Your genotype is data. Your health status is data. These and more provide medical information about a person or a population.

Your income is data. Your expense is data. Every transaction you carry out is data. These and more provide financial information about a person or a population.

I'll stop now, you get the point.

Having access to this data is very useful. For example, demographic data helps with understanding the population of a place. Medical data is needed for research purposes, family history purposes and for developing technologies to aid treatment. Financial data assists with fraud prevention and monitoring transactions.

The moment this data is breached, it is no longer confidential: your information is exposed to a third party, the wrong people have access to it, and it can be used for crime-related activities.

A GIF zooming on Simon Cowell with a shocked expression

Yes, it's a terrible situation.

Let's look at this scenario. You have a diary where you write your deepest, darkest secrets and express your most vulnerable thoughts. You go to school the next day and find out that the one person you don't like got his hands on it, and now he knows everything about you. How would you feel about that? Even worse, what would he do with that information? Well, that brings me to my next topic.

Data Protection Laws

These are the laws that govern the acquisition, regulation, storage, and use of personal data. Each country or region has its own set of data protection or data privacy laws. Two of the best-known are the European Union's (EU) General Data Protection Regulation (GDPR) and the UK's Data Protection Act (DPA).

They ensure that the power of the data collected from people is harnessed for legitimate purposes only and kept safe from abuse.

You can also see Data Protection Laws as the lock that protects the information contained in your diary from prying and unwanted eyes. You can be assured that your secrets are safe and protected.

A GIF showing a door chained and locked with a padlock

General Data Protection Regulation

This is often described as the toughest data privacy law in the world. It applies to the personal data of people in the EU (and the wider European Economic Area), whether or not the organization processing that data is based there. The law came into effect on May 25th, 2018, and there are heavy penalties for violating it: fines of up to 20 million EUR or 4% of global annual turnover, whichever is higher.

Article 5 of the GDPR sets out six principles governing the processing of personal data, plus an overarching accountability principle that makes the organization responsible for demonstrating compliance with the other six. The six are:

  1. Lawfulness, fairness, and transparency: There should be solid and legitimate reasons for collecting the data, and it must not be used wrongly, or in a way that will negatively impact the person.

  2. Purpose Limitations: Data should be collected for a given and clear purpose, and not used for reasons beyond the stated purpose.

  3. Adequacy and necessity (data minimisation, in GDPR's wording): Only data that is adequate, relevant, and necessary for the stated purpose should be collected. Data for which there is no need should not be collected at all.

  4. Accuracy: Appropriate measures must be followed to ensure that the data is up to date, and to update it if it is inaccurate.

  5. Storage duration (storage limitation): The data should not be kept for longer than needed. It must be securely deleted, or anonymised, when it is no longer needed or becomes outdated.

  6. Integrity and confidentiality: Data should be processed in ways that protect it against unauthorised or unlawful processing and against accidental loss, destruction, or damage, and it should be stored safely and securely.

Data Protection Act

The Data Protection Act 2018 is the UK's implementation of the GDPR; it supplements the GDPR and fills in the areas the regulation leaves to member states. It came into effect on May 25th, 2018, and replaced the 1998 DPA. The act was further amended in January 2021 by regulations made under the EU (Withdrawal) Act 2018, which also created the "UK GDPR", a retained version of the EU regulation. This reflects the UK's status outside the EU after Brexit.

This act lays down the rules for how the personal data of individuals in the UK is collected and used by organizations, businesses, or even the government.

The eight principles below are the ones set out in the 1998 Act; the DPA 2018 and the UK GDPR use the same six principles as the EU GDPR. The first six correspond to the GDPR principles, in the same order, and the notes show where the GDPR goes further.

  1. Lawfulness, fairness, and transparency: The principle is the same, except that under GDPR, processing data about criminal convictions and offences (for example, criminal record checks on employees) is allowed only under official authority or where the law specifically authorises it.

  2. Purpose limitations: The principle is the same, except that under GDPR, genetic and biometric data are explicitly listed as special categories of personal data. Processing them therefore requires one of the specific conditions in Article 9, such as the individual's explicit consent.

  3. Adequacy and necessity: The principle is the same, except that under GDPR, privacy notices or guides on "how we use your information" must be more explicit. This means that beyond consenting to the collection of their data, the individual must be told exactly how the data will be used.

  4. Accuracy: The principle is the same, with no differences under GDPR.

  5. Storage duration: The principle is the same, with no differences under GDPR.

  6. Integrity and confidentiality: The principle is the same, except that GDPR also gives individuals the right to erasure (the "right to be forgotten"), so they can ask an organization to delete their personal data, and the right to data portability, so they can request a copy of their data in a machine-readable format or have it transferred to another organization.

  7. Security: Appropriate technical and organisational measures (physical, technical, and procedural) must be in place to keep personal information safe and secure, and that includes training staff in data protection and cybersecurity. Under GDPR (Article 37), an organization must appoint a Data Protection Officer (DPO) if it is a public authority, or if its core activities involve large-scale, regular and systematic monitoring of individuals or large-scale processing of special-category or criminal-conviction data. The DPO advises on, and monitors, the organization's compliance.

  8. Not movable out of the European Economic Area (EEA): Data should not be transferred to countries that do not provide an equivalent level of data protection. Under GDPR, a transfer outside the EEA is allowed only to a country covered by an adequacy decision, under appropriate safeguards such as standard contractual clauses or binding corporate rules, or under narrow exceptions such as the individual's explicit consent to the specific transfer. GDPR can still hold a company accountable for what happens to the data after it leaves, so organizations should consider the impact of GDPR on every data transfer.

Data Protection Laws From Some Other Countries

Besides the EU's GDPR and the UK's DPA, other countries have their own data protection laws. The level of strictness varies, but the purpose of the laws remains the same: protecting the personal data of individuals. Below are some countries and their data protection laws.

Country: Law

  1. Nigeria: Nigeria Data Protection Regulation (NDPR). It was issued by the National Information Technology Development Agency (NITDA) in 2019 and is the principal instrument guiding data regulation in Nigeria. In 2020, an implementation framework for the NDPR, with guidelines for the management of personal data by institutions in Nigeria, was issued.

  2. Australia: Privacy Act 1988. Its Notifiable Data Breaches scheme, which took effect in February 2018, requires organizations to notify the regulator and affected individuals of data breaches likely to cause serious harm, and companies can be fined up to 1.8 million AUD if such breaches are not reported.

  3. Brazil: Lei Geral de Proteção de Dados (LGPD), which means "General Law for the Protection of Personal Data". This law came into effect in September 2020 and is based on GDPR, with similarities in scope and application and minor differences in penalties for non-compliance.

  4. Canada: Digital Charter Implementation Act (DCIA). It was introduced in Parliament on 17th November 2020 to replace the current federal law, the Personal Information Protection and Electronic Documents Act (PIPEDA), and had not been passed at the time of writing. It has similarities with the GDPR; a primary difference is a penalty of 5% of a company's global revenue or 25 million CAD (whichever is higher) for grave offences, whereas GDPR's maximum rate is 4%.

  5. China: Personal Information Protection Law (PIPL). It came into effect in November 2021. This law applies to companies that process the personal information of people in China, including companies based abroad. A fine of 50 million CNY (about 6 million EUR) or 5% of the previous year's annual turnover can be imposed on companies that violate the law. Additionally, personal fines of up to 1 million CNY can be imposed on each individual found responsible.

  6. India: Personal Data Protection Bill (PDPB). This bill was introduced to the Indian parliament in December 2019 but was withdrawn in August 2022. A new law, the Digital Personal Data Protection Bill, is in the works.

You can read more laws on this blog.

Benefits of Data Protection Laws

We've gone on and on about data protection laws.

A GIF with a man in a robe sitting at a table with the caption "Ain't that the truth".

I'm sure you have a pretty good idea of their usefulness at this point, but let me spell it out.

  1. Data protection laws prevent unauthorised individuals and organizations from accessing sensitive personal data.

  2. They limit a company's freedom to share its customer's data.

  3. They provide justice for people who have had their data misused, thereby deterring the act.

  4. They protect people who know nothing about data privacy compliance from having their data wrongly used.

  5. They require organizations to take measures that reduce the risk of data breaches, and they hold those organizations accountable when breaches do happen.

  6. They ensure that your data is used for legitimate reasons and in the way you expect.

Conclusion

In summary, data is powerful, and data about individuals, personal data, even more so. To prevent this data from being abused, wrongly used, or accessed by the wrong people, countries and regions have put laws in place.

Guardians of your Data..., if you will.

A GIF showing the Guardians of the Galaxy

My punning skill is terrible, I know.

Two of the best-known laws are the EU's GDPR and the UK's DPA. You have a right to know exactly how your data will be used, and whether it should be used at all. Failure to abide by these laws brings consequences that should not be overlooked.

Sources