Data Privacy Myths: Part 1

Being informed about our privacy/data protection laws also involves being able to distinguish valid information about them from misinformation. It is important to avoid succumbing to the many myths currently in circulation. These myths concern what the laws entail, whom they cover, and how long they have been in place. Many people believe these myths to be true. They have misled individuals into disclosing information when they should not, and into refusing to disclose when they should. Some organisations have incurred unnecessary expenses acting on incorrect information about the laws. Therefore, there is great value in dispelling these myths.

Data Protection is a Recent Innovation

One common myth is that privacy/data protection only became a legal requirement recently. In fact, Canada and Europe have had privacy/data protection laws for more than 30 years. Recent changes to incorporate the European Union’s General Data Protection Regulation (GDPR) included some new provisions, but most of the fundamental requirements for data protection were already included in earlier laws. These included the general rules around the collection, use and disclosure of personal data, as well as the individual rights to request access to and correction of personal data. Most of the recent changes relate to strengthening the powers and effectiveness of data protection regulators. From the viewpoint of public authorities and private businesses, very little has changed, other than there being even more incentive to comply with the existing requirements. If these organisations have already been complying with the previous law, they should not have had to incur any significant new costs or administrative burden to comply with data protection requirements.

Is data protection bad for business?

One of the biggest myths is that privacy/data protection is bad for business: the costs of compliance are onerous and provide no benefits. On the contrary, personal data is an asset with increasing monetary value. It is subject to being lost or stolen, entailing considerable short-term and long-term costs. The short-term costs involve the time and money spent to clean up after a breach. There is also the question of financial liability to the data subjects affected, as well as court costs. The long-term costs are loss of client confidence resulting in loss of business. Our privacy/data protection laws implement a common-sense approach to good data stewardship that reduces the risk of data breaches and minimises the costs of recovering from them. Privacy/data protection should be an integral component of organisational risk management, irrespective of the existence of data protection laws. There is nothing onerous about a requirement to provide adequate security for valuable assets. It is good business practice to collect only the data an organisation truly needs, to use it only for the purpose collected, and to destroy it after it is no longer required. Privacy/data protection is a sound business investment comparable to a prudent insurance policy.

A good privacy/data protection regime can attract new clients for individual businesses and the entire community. An internationally recognised data protection enforcement framework (strong laws and an effective regulator) can better facilitate cross-border data transfers. The extensive publicity that data breaches have received in recent years has made the public sceptical about sharing their personal data. Businesses that develop reputations for sound data protection practices gain an edge in the marketplace against their competitors. Trust and confidence are essential for business success, particularly in the digital economy. Privacy/data protection instils confidence and creates opportunities for businesses that use personal data. In summary, privacy/data protection actually is good for business in many ways.