Data Privacy
Data privacy is a fundamental part of how organizations collect, use, store, share, and protect information. A strong understanding of data privacy helps reduce risk, supports compliance, and ensures that personal information is handled responsibly.
Without clear privacy practices, organizations can face regulatory exposure, reputational damage, security incidents, and loss of trust.
Learning objectives
After completing this module, you should be able to:
- Identify personal data and special categories of personal data
- Understand when data privacy impact assessments are necessary
- Know the main data protection obligations and individual responsibilities
- Recognize key regulatory frameworks (GDPR, UK ICO, Ofcom, US laws)
- Spot a subject access request and know who to contact for escalation
- Identify data privacy obligations when sharing data with third parties
- Know how to notify Information Security about data incidents and breaches
Regulatory landscape overview
Data privacy obligations are shaped by multiple regulators and legal frameworks depending on geography.
GDPR (EU)
The General Data Protection Regulation applies across the EU and to organizations processing EU residents' data.
Key principles include:
- Lawfulness, fairness, and transparency
- Purpose limitation
- Data minimization
- Accuracy
- Storage limitation
- Integrity and confidentiality
- Accountability
UK: ICO (Information Commissioner's Office)
The ICO is the UK's independent authority for data protection and privacy.
Key frameworks include:
- UK GDPR (post-Brexit version of GDPR)
- Data Protection Act 2018
- PECR (Privacy and Electronic Communications Regulations)
ICO expectations include:
- Demonstrable accountability
- Strong governance and documentation
- Clear lawful basis for processing
- Specific rules for marketing communications (cookies, email, SMS)
UK: Ofcom
Ofcom regulates communications services in the UK, including broadcasting, telecoms, and online safety.
While Ofcom is not a data protection regulator, it is relevant where privacy considerations intersect with media, communications, and digital platform environments.
Privacy relevance includes:
- Protection of users, especially children, in digital services
- Online Safety obligations affecting platform accountability
- Communications data handling expectations in regulated services
- Alignment with privacy considerations in media and broadcasting contexts
Ofcom is particularly relevant where data intersects with:
- Content platforms
- Audience measurement
- Advertising technologies
- Children's services
United States (US)
The US does not have a single federal privacy law equivalent to GDPR; instead, it relies on a combination of federal and state laws.
Key examples include:
- California Consumer Privacy Act (CCPA) / CPRA
- Federal Trade Commission (FTC) enforcement (unfair/deceptive practices)
- HIPAA (health data)
- COPPA (children under 13)
Unlike GDPR, US privacy law is fragmented, sector-specific, and varies significantly by state and industry.
Common US principles include:
- Transparency (privacy notices)
- Consumer rights (access, deletion, opt-out)
- Data sale or sharing disclosures
- Sector-specific compliance
Organizations operating globally must align controls across these regimes.
What is personal data
Personal data is any information relating to an identified or identifiable living person.
This includes information that identifies someone directly or indirectly, such as:
- Name
- Identification number
- Location data
- Online identifier such as a cookie
- Staff records such as HR data
- Customer relationship data
- Reader or user data collected through websites and digital platforms
Special categories of personal data
Special categories of personal data are types of personal information whose misuse may make an individual particularly vulnerable.
Because of the higher risk associated with this data, stricter legal requirements apply to its use. In many situations, this type of data can only be processed when explicit consent has been obtained or another valid legal basis applies.
Special categories include information about an individual's:
- Physical or mental health
- Racial or ethnic origin
- Political opinions
- Political party membership
- Religious or philosophical beliefs
- Sex life
- Sexual orientation
- Trade union membership
- Genetic data
- Biometric data
Why the distinction matters
Understanding the difference between personal data and special category data is essential for legal compliance and risk management.
Examples include:
- Customer service notes about a complaint: personal data
- Occupational health records: special category data
- Salary details: personal data
- Political affiliation: special category data
Higher sensitivity means higher compliance requirements.
GDPR and data protection obligations
The General Data Protection Regulation sets out the obligations for organizations processing personal data. These obligations apply within the EU and can also apply to organizations outside the EU when they offer goods or services to EU citizens or monitor their behavior.
The regulation establishes a clear framework for lawful processing, transparency, accountability, and security.
Failure to comply can lead to:
- Reputational damage
- Regulatory enforcement
- Significant financial penalties
- Fines of up to £17.5 million or 4% of global turnover, whichever is higher
Data breach notification
Serious personal data breaches must be reported to the relevant supervisory authority within 72 hours of becoming aware of the breach.
Where a breach is likely to result in a high risk to the rights and freedoms of individuals, those individuals must also be informed without undue delay.
Time is critical, which is why suspected or confirmed incidents should always be escalated immediately.
Key considerations include:
- GDPR / UK GDPR: report within 72 hours to the relevant regulator, such as the ICO in the UK
- Notify affected individuals where the breach is likely to create a high risk
- US breach notification obligations vary by state and sector
Privacy standards and governance
Organizations need a consistent approach to privacy compliance across all jurisdictions and business areas.
A strong privacy framework typically includes:
- Privacy by design
- Transparency
- Respect for individual rights
- Secure data sharing
- Protection of children's data
- Responsible marketing practices
- Retention and deletion rules
- Lawful international data transfers
These standards help ensure that privacy is built into day-to-day processes rather than treated as an afterthought.
Privacy by design
Privacy by design means making privacy an integral part of products, services, and operational processes from the beginning.
Before carrying out high-risk data processing, a data privacy impact assessment should be completed to identify and manage privacy risks.
Examples of high-risk processing include:
- Processing special categories of personal data
- Systematic evaluation or prediction of personal aspects
- Large-scale processing of personal data
New projects or activities involving personal data should always be reviewed early so that privacy risks can be assessed and appropriate controls can be put in place.
Data processing inventory
Organizations are required to maintain an internal record of how personal data is used.
A data processing inventory should include:
- Name and details of the data controller
- Purpose of processing
- Categories of individuals
- Categories of personal data
- Categories of recipients
- International transfers and safeguards
- Retention periods
- Security measures in place
Keeping this information accurate and up to date is a core part of privacy accountability.
Transparency and privacy notices
Transparency means making sure people understand why their personal data is collected, how it is used, and what choices they have.
This is normally communicated through privacy notices.
A privacy notice should:
- Be available at the time personal data is collected
- Clearly explain how data is used
- Be accessible in the relevant context, including online collection points
- Be reviewed when new initiatives or process changes are introduced
Where changes are significant or outside reasonable expectations, an updated notice may need to be actively communicated.
Individual rights
Individuals have important rights over their personal data, and organizations must be prepared to respond promptly.
These rights include:
- Access to personal data
- Correction of inaccurate data
- Deletion of data where appropriate
- Objection to certain processing activities
- Complaints about how data is handled
- Portability rights (GDPR/UK)
- Opt-out rights (US)
Requests to stop marketing must also be respected, whether they are submitted through an unsubscribe link, by phone, by email, or in writing.
Right to erasure
The right to erasure, sometimes known as the right to be forgotten, allows individuals to request deletion of their personal data in certain circumstances.
This may apply when:
- Data is no longer needed for the original purpose
- Consent has been withdrawn
- There is no longer a lawful basis for processing
Organizations must assess these requests carefully and respond within the required timeframe.
Subject access requests
A subject access request is a request made by an individual to access the personal data held about them.
This right includes:
- Confirmation that data is being processed
- A copy of the personal data
- Additional information about how the data is used
Requests must usually be handled:
- Within one month (GDPR/UK)
- Free of charge (generally)
- Through the correct escalation process
Best practice includes:
- Do not handle the request informally on your own
- Escalate the request promptly
- Ensure relevant teams can locate and provide the data in the correct format
Sharing data with third parties
Personal data should only be shared with third parties where adequate safeguards and controls are in place.
Before sharing data, organizations should ensure:
- The sharing is fair, lawful, and secure
- Third parties have appropriate security controls
- Contracts include suitable data protection clauses
- Secure transfer methods are used
When engaging new suppliers, due diligence is essential to confirm that they can protect the data they process.
Requests from authorities
Requests for personal data from public authorities, regulators, or law enforcement should always be referred through the appropriate internal legal or privacy channels.
These requests should never be handled casually or without review.
Children's data
The collection and use of children's data is subject to stricter compliance requirements.
Key considerations include:
- Carrying out a privacy impact assessment before collecting children's data where appropriate
- Applying appropriate age thresholds depending on jurisdiction
- Obtaining parental or guardian consent where required
- Applying age-appropriate design and additional safeguards
- Applying extra care in editorial or public interest contexts involving minors
- Special safeguards (ICO + Ofcom emphasis)
- COPPA compliance (US)
Children's data should always be treated as a higher risk area requiring careful review.
Marketing and communications
Marketing activity must be based on clear permissions and properly managed preferences.
Requirements vary by jurisdiction:
- GDPR / ICO: consent and PECR rules for electronic marketing
- US: opt-out frameworks (e.g., CCPA)
Good practice includes:
- Providing clear and specific marketing options at the point of collection
- Making it easy to withdraw consent or opt out
- Including an unsubscribe method in all marketing communications
- Respecting objections to marketing promptly
- Maintaining consent and preference records
Retention and deletion
Personal data should not be kept for longer than necessary.
A suitable retention period should be set for each category of data based on:
- The purpose for which the data was collected
- Legal and regulatory requirements
- Business and record-keeping needs
When personal data is no longer needed, it should be deleted securely.
Clear retention schedules help reduce risk and support lawful data management.
International data transfers
International transfers of personal data require additional care.
When data is transferred between countries, organizations should ensure:
- The transfer is lawful
- Appropriate safeguards are in place
- Local legal requirements are considered
- Privacy and security teams are consulted where necessary
Safeguards may include:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions
- Transfer risk assessments
Cross-border data flows should never be treated as routine without checking the regulatory implications.
Incident and breach reporting
Everyone has a role in keeping data secure.
Any actual or suspected data loss, theft, or unauthorized disclosure should be reported as soon as it is identified.
Examples include:
- Losing a file or device containing personal data
- Sending personal data to the wrong recipient
- Exposing personal data through a technical failure or system issue
Prompt reporting allows the organization to contain the incident, assess risk, and meet regulatory deadlines.
Report immediately:
- Data loss
- Unauthorized access
- Misdirected communications
Key takeaways
The most important principles to remember are:
- Understand global regulatory differences
- Apply the highest appropriate standard where possible
- Prioritize transparency and accountability
- Protect sensitive and children's data carefully
- Respond quickly to incidents and requests
- Know what qualifies as personal data
- Take extra care with special category data
- Build privacy into projects from the beginning
- Be clear about how personal data will be used
- Respect individual rights and marketing preferences
- Escalate subject access requests immediately
- Set clear retention periods and delete data when no longer needed
- Apply safeguards when sharing data with third parties
- Report incidents and breaches without delay
Outcome
Strong data privacy practices protect individuals, support compliance, and reduce operational risk. A clear understanding of privacy obligations helps organizations handle personal data responsibly, respond effectively to incidents, and build trust through consistent and lawful data management.