Introduction To Privacy #1
Module 1:??????????Foundations
Lesson: ????????????Thinking Styles and What is a Data Subject?
Introduction
Now Introductions are out of the way let’s move on.
Before we can get into more detailed discussions of using Privacy and Data Protection concepts in the real world, I need to make sure we’re all on the same starting page. To do that there’s a little foundation work to do because without a solid foundation you won’t feel confident enough applying it or talking about it with executive management.
The first few articles will explore these basic principles and ensure we’re all aligned, then we can move on to the fun stuff. This article explores the way we need to think to get a handle on the new Privacy laws (I still count the GDPR as new) and what we mean by the term “Data Subject”.
What is a Data Subject?
You might be wondering why I need to explain this, the Data Subject is just the person that is identified by the Personal Data. Nice and easy some might say, job done, whole article written. What do you even need me for if it's that straightforward?
But it's not that straightforward, and I wouldn’t waste your time (or mine) by giving that type of pointless advice that didn't add any value. There’s nothing wrong with that definition as such, it’s technically accurate as far as it goes. The issue with saying a Data Subject is a ‘person’ has more to do with how humans think than the words themselves. In the world of Privacy and Data Protection using that definition of a Data Subject creates a System 1 error that can be incredibly costly. We’ll explore what that means below.
Two Types of Thinking
Before we get to what a Data Subject is, I want to explain that System 1 error comment. To do that we’ll need to spend a moment talking about how humans think. You’ll see its importance more and more as we progress through these articles, it’s something I want you to keep coming back to in your mind. Operationalising Privacy and Data Protection in the real world often relies on recognising and managing tiny details and humans aren’t naturally good at that.
When we hear the word ‘person’ we have an unconscious bias about what that means, this mental image has been forged slowly over every day of our lives – we think about a physical human being, with a name, that we could touch. If I took you to a room telling you I was going to introduce you to a person of interest, that’s what you’d expect isn’t it? That’s the picture your mind immediately gives you, that there will be a group of ‘people’ and that I will take you to a specific one of them?
That mental image is natural, our brains are wired to do it, it’s partly why humans have done so well at surviving. It is, however, wrong. You fell into a trap caused by something that can be called System 1 when you should have been using System 2 thinking.
System 1 Thinking: Fast, Instinctive, Easy
System 1 thinking is what we use most of time, because most of the time it’s good enough.
System 1 is easy, low effort, instant, efficient, instinctive, and generally gets the job done. This system of thinking is what makes you duck before you’ve even consciously seen that baseball about to hit you, that makes you step over a banana peel on the ground without thinking about it, that tells you a chair is safe to sit on because it looks stable. Type 1 thinking is based on mental short cuts built from past experience, gut feelings, and intuition. ?
I’m sure you can see the benefits in that system, it’s mostly good enough, it gives us a fair starting point, it allows things to happen nearly instantaneously. The problem is that it’s also incredibly open to bias and prone to errors in complex situations. Those aren’t what it’s designed for.
System 2 Thinking: Slow, Deliberate, Tiring
System 2 thinking is slower and requires more effort. It’s conscious and logical not automatic and instantaneous. We don’t like using System 2 and tend to avoid it as much as possible.
Despite its leading to more accurate results its weakness is fairly obvious, we simply couldn’t live if we took every decision by using System 2 thinking. There are too many decisions we make every day, every minute even, to break everything down into its components and objectively study each one to make a carefully reasoned decision.
We just can’t do it, we’re not built for it. We’d be overwhelmed in an instant and go to curl up in a ball in the corner (once we’d computed the most efficient route to the corner).
When we’re working with Privacy and Personal Data though, especially when you’re just starting to apply it to a business in the real world, System 2 thinking is where you need to be. Mental shortcuts and instinctive biases, assumptions, and stereotypes are not your friend. Staying in System 2 thinking for prolonged periods can be mentally exhausting, but it’s necessary. Take breaks though to stay sharp.
领英推荐
Question every assumption, if something seems straightforward be suspicious. Did you make any assumptions? Are you being told everything? Could there be details the other person thinks aren’t important? You can’t be sure that anything you assumed (System 1) is correct, you need to surface all of those assumptions and mental shortcuts so that you can evaluate them. I can’t tell you the amount of times that asking that 'stupid question' has saved my neck!
Data Subjects as Entities
Bringing this back to Data Subjects, thinking of a Data Subject as a physical person is a System 1 error. It makes sense and allows you to get going with some deeper learning straight away. It’s too limiting though, and if you proceed based on that understanding you’d be making a costly mistake. You should switch to System 2.
The better way to think of a Data Subject is as one or more data points that, taken together, are capable of separating one ‘entity’ from the larger group of ‘entities’.
That entity doesn’t need a face, name, address, phone number, date of birth, etc. it just needs to be possible to pick it out from the larger group. It doesn’t have to be physical like eye colour, hair style, height, or weight. Remember, all I need to do is to single the entity out.
Do you know the famous painting "La Trahison des Images" ("The Treachery of Images")? A Data Subject is like that, it’s not a person, it’s a representation of a person made of data, like the pipe in the image is only a representation of a pipe made from paint and canvas. You can’t pick it up and start smoking with it can you? So it's not a pipe. Same thing with Data Subjects and people.
This is why a mobile telephone number is Personal Data. The phone number is tied to a particular phone that is (in most cases) used by only one person, the phone number can be used to represent that person separate from all other people, even without knowing anything else about them. Anything I associate with that phone number is then associated with that person, even if I don't know who they are.
It’s the same with a customer account number, email address, bank account number, passport number, or Social Security Number. Objectively they have nothing to do with a person, most people don’t have them tattooed, and you couldn’t visually separate one person in a crowd based on them. Nevertheless, one person in that crowd has invisible data points hovering around them that correspond to these things. We all do, all the time, we walk around in our own cloud of invisible data points that represent us.
Other examples include online markers such as cookie values, IP addresses, MAC addresses, or IMEI numbers. They identify you through association. I could follow those breadcrumbs through a variety of systems and eventually find a human with a name and a face, that I could touch, but the information is Personal Data way before I can do that.
What If I Can’t Do That With My Data?
Then you don’t have personal data. Simple. Congratulations. This is the solution of choice in every situation if you can achieve it – but wait for the next article on ‘What is Personal Data?’ before you get too excited.
Just like the term ‘Data Subject’ the concept of Personal Data may be significantly wider than you currently think it is. Whether or not something is Personal Data also shifts constantly under your feet no matter how hard you try to lock it down. In our world as Privacy Professionals ‘context is king’ and every answer begins with “it depends…”
And that wraps it up for the very first Introduction to Privacy article. What did you think of it? Was it useful to those of you just starting out? Do you want me to keep doing them?
Let me know in the comments, and don't forget to like, share, and or repost - if you found it useful then others might too.
Dan ??
Avishai Ostrin Joe Rickards Facu A. Reyna, Biologist ?? ????? Katya Alfandari Ingmar Blok Beth Graham Larissa Guarnieri Chris Morrow Dani Wiltshire Cheryl Dean Dr Ian Messenger Daniel Kajouie Flavia Zammit Richard Bateman Debbie Reynolds Gabriela McGavock Timothy Young
?
Privacy Program Manager | CIPM | CIPP/US | CIPP/E
1 年This was a very interesting article Dan, thanks for tagging me! Looking forward to reading the next one!
?? Global AI & ML Talent Specialist | Tech Community Builder | AI for Good Advocate | Market Insights & Career Navigation | Re-humanising Hiring | Let's set up a call 07542030405
1 年This is a great article - thanks for sharing Dan!! Understanding System 1 & 2 thinking is really interesting Privacy Consultants sound similar to Recruiters? it is my job to pull out the info I need too! ??
Thanks Dan. A great context setter. I’m looking forward to #2.
The Data Diva | Data Privacy & Emerging Technologies Advisor | Technologist | Keynote Speaker | Helping Companies Make Data Privacy and Business Advantage | Advisor | Futurist | #1 Data Privacy Podcast Host | Polymath
1 年Dan C. this is absolutely brilliant! I would love to chat about this on our podcast episode amoung other topics! I look forward to it.
Experienced Director of Privacy and Data Protection Officer @ Hard Rock Digital | GDPR, CCPA My opinions, thoughts, articles, statements, etc. are all my own and do not represent in any way those of my employer.
1 年Thanks so much Anna Suwalska for helping me improve this article with your excellent feedback ??????