Introduction To Privacy #1

Introduction To Privacy #1

Module 1:??????????Foundations

Lesson: ????????????Thinking Styles and What is a Data Subject?

Introduction

No alt text provided for this image

Now Introductions are out of the way let’s move on.

Before we can get into more detailed discussions of using Privacy and Data Protection concepts in the real world, I need to make sure we’re all on the same starting page. To do that there’s a little foundation work to do because without a solid foundation you won’t feel confident enough applying it or talking about it with executive management.

The first few articles will explore these basic principles and ensure we’re all aligned, then we can move on to the fun stuff. This article explores the way we need to think to get a handle on the new Privacy laws (I still count the GDPR as new) and what we mean by the term “Data Subject”.

No alt text provided for this image

What is a Data Subject?

You might be wondering why I need to explain this, the Data Subject is just the person that is identified by the Personal Data. Nice and easy some might say, job done, whole article written. What do you even need me for if it's that straightforward?

But it's not that straightforward, and I wouldn’t waste your time (or mine) by giving that type of pointless advice that didn't add any value. There’s nothing wrong with that definition as such, it’s technically accurate as far as it goes. The issue with saying a Data Subject is a ‘person’ has more to do with how humans think than the words themselves. In the world of Privacy and Data Protection using that definition of a Data Subject creates a System 1 error that can be incredibly costly. We’ll explore what that means below.

No alt text provided for this image

Two Types of Thinking

Before we get to what a Data Subject is, I want to explain that System 1 error comment. To do that we’ll need to spend a moment talking about how humans think. You’ll see its importance more and more as we progress through these articles, it’s something I want you to keep coming back to in your mind. Operationalising Privacy and Data Protection in the real world often relies on recognising and managing tiny details and humans aren’t naturally good at that.

No alt text provided for this image

When we hear the word ‘person’ we have an unconscious bias about what that means, this mental image has been forged slowly over every day of our lives – we think about a physical human being, with a name, that we could touch. If I took you to a room telling you I was going to introduce you to a person of interest, that’s what you’d expect isn’t it? That’s the picture your mind immediately gives you, that there will be a group of ‘people’ and that I will take you to a specific one of them?

That mental image is natural, our brains are wired to do it, it’s partly why humans have done so well at surviving. It is, however, wrong. You fell into a trap caused by something that can be called System 1 when you should have been using System 2 thinking.

No alt text provided for this image

System 1 Thinking: Fast, Instinctive, Easy

System 1 thinking is what we use most of time, because most of the time it’s good enough.

System 1 is easy, low effort, instant, efficient, instinctive, and generally gets the job done. This system of thinking is what makes you duck before you’ve even consciously seen that baseball about to hit you, that makes you step over a banana peel on the ground without thinking about it, that tells you a chair is safe to sit on because it looks stable. Type 1 thinking is based on mental short cuts built from past experience, gut feelings, and intuition. ?

I’m sure you can see the benefits in that system, it’s mostly good enough, it gives us a fair starting point, it allows things to happen nearly instantaneously. The problem is that it’s also incredibly open to bias and prone to errors in complex situations. Those aren’t what it’s designed for.

No alt text provided for this image

System 2 Thinking: Slow, Deliberate, Tiring

System 2 thinking is slower and requires more effort. It’s conscious and logical not automatic and instantaneous. We don’t like using System 2 and tend to avoid it as much as possible.

Despite its leading to more accurate results its weakness is fairly obvious, we simply couldn’t live if we took every decision by using System 2 thinking. There are too many decisions we make every day, every minute even, to break everything down into its components and objectively study each one to make a carefully reasoned decision.

We just can’t do it, we’re not built for it. We’d be overwhelmed in an instant and go to curl up in a ball in the corner (once we’d computed the most efficient route to the corner).

When we’re working with Privacy and Personal Data though, especially when you’re just starting to apply it to a business in the real world, System 2 thinking is where you need to be. Mental shortcuts and instinctive biases, assumptions, and stereotypes are not your friend. Staying in System 2 thinking for prolonged periods can be mentally exhausting, but it’s necessary. Take breaks though to stay sharp.

Question every assumption, if something seems straightforward be suspicious. Did you make any assumptions? Are you being told everything? Could there be details the other person thinks aren’t important? You can’t be sure that anything you assumed (System 1) is correct, you need to surface all of those assumptions and mental shortcuts so that you can evaluate them. I can’t tell you the amount of times that asking that 'stupid question' has saved my neck!

No alt text provided for this image
No alt text provided for this image

Data Subjects as Entities

Bringing this back to Data Subjects, thinking of a Data Subject as a physical person is a System 1 error. It makes sense and allows you to get going with some deeper learning straight away. It’s too limiting though, and if you proceed based on that understanding you’d be making a costly mistake. You should switch to System 2.

The better way to think of a Data Subject is as one or more data points that, taken together, are capable of separating one ‘entity’ from the larger group of ‘entities’.

That entity doesn’t need a face, name, address, phone number, date of birth, etc. it just needs to be possible to pick it out from the larger group. It doesn’t have to be physical like eye colour, hair style, height, or weight. Remember, all I need to do is to single the entity out.

No alt text provided for this image

Do you know the famous painting "La Trahison des Images" ("The Treachery of Images")? A Data Subject is like that, it’s not a person, it’s a representation of a person made of data, like the pipe in the image is only a representation of a pipe made from paint and canvas. You can’t pick it up and start smoking with it can you? So it's not a pipe. Same thing with Data Subjects and people.

This is why a mobile telephone number is Personal Data. The phone number is tied to a particular phone that is (in most cases) used by only one person, the phone number can be used to represent that person separate from all other people, even without knowing anything else about them. Anything I associate with that phone number is then associated with that person, even if I don't know who they are.

No alt text provided for this image

It’s the same with a customer account number, email address, bank account number, passport number, or Social Security Number. Objectively they have nothing to do with a person, most people don’t have them tattooed, and you couldn’t visually separate one person in a crowd based on them. Nevertheless, one person in that crowd has invisible data points hovering around them that correspond to these things. We all do, all the time, we walk around in our own cloud of invisible data points that represent us.

Other examples include online markers such as cookie values, IP addresses, MAC addresses, or IMEI numbers. They identify you through association. I could follow those breadcrumbs through a variety of systems and eventually find a human with a name and a face, that I could touch, but the information is Personal Data way before I can do that.

No alt text provided for this image

What If I Can’t Do That With My Data?

Then you don’t have personal data. Simple. Congratulations. This is the solution of choice in every situation if you can achieve it – but wait for the next article on ‘What is Personal Data?’ before you get too excited.

Just like the term ‘Data Subject’ the concept of Personal Data may be significantly wider than you currently think it is. Whether or not something is Personal Data also shifts constantly under your feet no matter how hard you try to lock it down. In our world as Privacy Professionals ‘context is king’ and every answer begins with “it depends…”

No alt text provided for this image

And that wraps it up for the very first Introduction to Privacy article. What did you think of it? Was it useful to those of you just starting out? Do you want me to keep doing them?

Let me know in the comments, and don't forget to like, share, and or repost - if you found it useful then others might too.

Dan ??


#theaccidentaldpo #privacyforbeginners #introductiontoprivacy

Avishai Ostrin Joe Rickards Facu A. Reyna, Biologist ?? ????? Katya Alfandari Ingmar Blok Beth Graham Larissa Guarnieri Chris Morrow Dani Wiltshire Cheryl Dean Dr Ian Messenger Daniel Kajouie Flavia Zammit Richard Bateman Debbie Reynolds Gabriela McGavock Timothy Young




?

Gabriela McGavock

Privacy Program Manager | CIPM | CIPP/US | CIPP/E

1 年

This was a very interesting article Dan, thanks for tagging me! Looking forward to reading the next one!

Cheryl Dean

?? Global AI & ML Talent Specialist | Tech Community Builder | AI for Good Advocate | Market Insights & Career Navigation | Re-humanising Hiring | Let's set up a call 07542030405

1 年

This is a great article - thanks for sharing Dan!! Understanding System 1 & 2 thinking is really interesting Privacy Consultants sound similar to Recruiters? it is my job to pull out the info I need too! ??

Thanks Dan. A great context setter. I’m looking forward to #2.

Debbie Reynolds

The Data Diva | Data Privacy & Emerging Technologies Advisor | Technologist | Keynote Speaker | Helping Companies Make Data Privacy and Business Advantage | Advisor | Futurist | #1 Data Privacy Podcast Host | Polymath

1 年

Dan C. this is absolutely brilliant! I would love to chat about this on our podcast episode amoung other topics! I look forward to it.

Dan C.

Experienced Director of Privacy and Data Protection Officer @ Hard Rock Digital | GDPR, CCPA My opinions, thoughts, articles, statements, etc. are all my own and do not represent in any way those of my employer.

1 年

Thanks so much Anna Suwalska for helping me improve this article with your excellent feedback ??????

要查看或添加评论,请登录

Dan C.的更多文章

  • An Introduction to Privacy #3: Let the Fun Begin ????

    An Introduction to Privacy #3: Let the Fun Begin ????

    You've all been incredibly patient, and here's where it starts to pay off. We can leave that pure theory aside (well…

    7 条评论
  • What Is Personal Data?

    What Is Personal Data?

    Everything Well, more or less. A touch flippant perhaps, probably not what you expected, and I’m pretty sure it wasn’t…

    17 条评论
  • Compliance 3.0: Taking Care of Business

    Compliance 3.0: Taking Care of Business

    Well, here we are at the final part of my introduction to Compliance 3.0, just takin' care of business ?? The previous…

    2 条评论
  • Cooking Up Compliance 3.0: The Cost/Benefit

    Cooking Up Compliance 3.0: The Cost/Benefit

    As my dad always says, “cooking is an art, baking is a science” and Compliance 3.0 is most definitely cooking ????…

    11 条评论
  • Mastering Compliance 3.0 to Achieve Business Goals

    Mastering Compliance 3.0 to Achieve Business Goals

    Compliance is often seen as a restrictive, thankless function that at best adds no business value, and at worst…

    7 条评论
  • Huzzah for Pack Rats!

    Huzzah for Pack Rats!

    I'm a pack rat, mostly of nuts and bolts, but also data. You heard me, also data! There's nothing wrong at all with…

    1 条评论
  • Ransomware Pirates Want Your Data!

    Ransomware Pirates Want Your Data!

    Ransomware attacks are a sad reality of life these days, they can strike out of the (deep) blue (sea) and affect your…

  • Ripping out ROT: Improving Your Privacy Governance

    Ripping out ROT: Improving Your Privacy Governance

    Data ROT removal is a skill that we can master. It can help us protect our data privacy, comply with regulations, and…

  • Why DPO's Make Good Beer

    Why DPO's Make Good Beer

    How being a DPO makes me a better brewer (and vice versa) ?? #theaccidentaldpo ?? Do you know what I love to do in my…

    5 条评论
  • The Impact in Impact Assessments

    The Impact in Impact Assessments

    'Impact' isn't a new term as far as business risk assessments go, it's central to the whole thing, everyone knows what…

    3 条评论

社区洞察

其他会员也浏览了