A privacy program seeks to protect and manage multiple categories of information. Among other pieces of data, a privacy program seeks to protect trade secrets and other confidential or proprietary information about an organization. Most importantly, however, a privacy program governs an organization’s use of “personal information,” sometimes referred to as “personally identifiable information.”
a. Identified and Identifiable Personal Information
In some jurisdictions, such as the United States, laws may differentiate between information that makes an individual “identified” and information that makes a person “identifiable.”
An Identified Individual is one who can be ascertained with certainty—for example, by reference to a unique government-issued identification number.
An Identifiable Individual, on the other hand, is one who can be indirectly identified through a combination of various factors. As the European Union’s General Data Protection Regulation (“GDPR”) defines it, “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural
Typically, privacy programs govern an organization’s use of all “identifiable” personal information.
b. Data Subjects, Controllers, and Processors
Many key terms related to information processing originated in Europe but have become standard terms used throughout the privacy and data security industries. The term “processing,” or “data processing,” refers to almost anything that is done with personal information—everything from collection to storage to deletion. The GDPR, for example, expansively defines data processing as “any operation or set of operations which is performed on personal data or on sets of personal data, whether or not by automated means, such as collection, recording, organisation, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or
Three categories of persons are involved in processing personal information: a data subject, a data controller, and a data processor.
A Data Subject is the individual whose personal information is being
A Data Controller, on the other hand, is the organization (but it may also be an individual) that decides how personal information is being utilized and processed. As defined by the GDPR, a controller is “the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal
The organization that is the data controller is typically subject to the heaviest amount of regulation by privacy and data security laws.
Lastly, the term Data Processor refers to any organization or person that processes data on behalf of a data
Under this definition, one organization may be both a data controller and a data processor. Likewise, this term also refers to any subsequent data processor down a chain of outsourcing. Accordingly, if a data controller processes certain types of data itself, but also contracts with a third party to conduct further analysis on that data, both parties would be considered data processors.
The main difference between a data controller and a data processor is who has ultimate authority over the data. A data processor is not permitted to do any processing beyond what the data controller permits or beyond what the data controller itself could do with that information. Even though a data controller is the party that has ultimate authority over how data is processed, both data controllers and data processors implement their own separate privacy programs.
Privacy professionals must be aware that the terms described above are only general terms and definitions. Numerous laws use different names to refer to these same concepts. In the United States, for example, a data processor is referred to as a “business associate” under the Health Insurance Portability and Accountability Act and as a “service provider” under the Gramm-Leach-Bliley