{"id":1811,"date":"2019-07-22T13:25:54","date_gmt":"2019-07-22T12:25:54","guid":{"rendered":"https:\/\/www.calligo.io\/update-3-the-data-privacy-periodic-table\/"},"modified":"2024-01-18T14:42:44","modified_gmt":"2024-01-18T14:42:44","slug":"update-3-the-data-privacy-periodic-table","status":"publish","type":"post","link":"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/","title":{"rendered":"UPDATE 3: The Data Privacy Periodic Table"},"content":{"rendered":"\n<p>To read the latest update (August 2021) to The Periodic Table of Data Privacy, click here.\u00a0<\/p>\n\n\n\n<p>The Data Privacy Periodic Table continues to be well-received and widely shared and commented upon. Since our&nbsp;last update in January, data privacy has barely left the news.<\/p>\n\n\n\n<p>Proposed fines have been awarded to some of the biggest brands, including British Airways (\u00a3183.4m) and Marriott Hotels (\u00a399m \u2013 announced 24 hours after British Airways), AI and automation commentators continue to debate how to progress within the boundaries of&nbsp;Privacy by Design, and there have been constant updates to new local and national draft laws.<\/p>\n\n\n\n<p>The British Airways fine in particular is interesting as it represents only 1.5% of BA\u2019s turnover, far behind the maximum 4% that the GDPR permits. To the casual observer it therefore seems a light penalty, but in fact it is probably a carefully chosen figure \u2013 more than enough to provoke shock and awe across the industry and media, but not so high as to be easily challenged. It\u2019s also a far cry from the \u00a3500,000 that the ICO\u2019s powers used to permit, continuing the trend of Supervisory Authorities being willing and perhaps eager to use their powers to punish the most grievous and negligent offences.<\/p>\n\n\n\n<p>And so to this update of the Data Privacy Periodic Table. 
While data privacy has largely been kept at the forefront of our minds by brash headline-grabbing fine announcements, the changes on this occasion are conversely driven more by the subtleties of the laws themselves.<\/p>\n\n\n\n<p><\/p>\n\n\n\n<p><strong>The updates<\/strong><br>Changing \u201cController\u201d and \u201cProcessor\u201d to \u201cOwner\u201d and \u201cExecutor\u201d<\/p>\n\n\n\n<p>When we first launched this project in September 2018, we were determined to make sure it reflected the wider privacy world and was not just a Periodic Table of the GDPR. This is harder than it sounds, despite the principles of the GDPR appearing to be reflected in almost all national privacy laws drafted since.<\/p>\n\n\n\n<p>As new laws have been drafted since, it has become clear that the terminology of \u201cController\u201d and \u201cProcessor\u201d (elements #40 and #41) has become too specific, though not unique, to the GDPR. The roles and demarcation are very common, but the names are not consistent.<\/p>\n\n\n\n<p>For instance, the draft Indian privacy bill describes a role that is ostensibly the same as that of a GDPR Controller, and names it \u201cdata fiduciary\u201d. Hong Kong uses the term \u201cuser\u201d (which has created enormous confusion in client engagements when discussing collecting the data of website visitors or SaaS platform customers!), and the CCPA refers to \u201cservice providers\u201d.<\/p>\n\n\n\n<p>We therefore felt that \u201cController\u201d was becoming too GDPR-centric and have changed it instead to \u201cOwner\u201d.<\/p>\n\n\n\n<p>For some, this will appear to be unwise wording. After all, the central ethos of data privacy is that the data subject is the ultimate owner of their personal information, and not a brand who simply holds a record of it. 
However, we wanted to use a term that conveys an obligation to oversee the treatment and physical safety of the data \u2013 in other words, they are not the owner of the data (that will always be the data subject), but the owner of the responsibility.<\/p>\n\n\n\n<p>Meanwhile, for the same reasons of GDPR-centricity, we have changed \u201cProcessor\u201d to \u201cExecutor\u201d.<\/p>\n\n\n\n<p>We considered \u201cAgent\u201d but it risked being too easily confused with \u201cController\u201d \/ \u201cOwner\u201d who is often said to have \u201cagency over data\u201d. Plus it suggests being in the direct and total control of the Controller, which is not accurate.<\/p>\n\n\n\n<p>We considered \u201cProxy\u201d, but we felt it implied too much control over the decision-making.<\/p>\n\n\n\n<p>And we considered \u201cIntermediary\u201d, but it didn\u2019t feel quite representative of all types of data exchanges between the two parties.<\/p>\n\n\n\n<p>\u201cExecutor\u201d meanwhile is a sufficiently recognised legal term to be understood, while striking the right balance between performing a role that is instructed at a high level, but that also suggests enough freedom in the performance of the role to bear some responsibility.<\/p>\n\n\n\n<p>Data Protection Impact Assessments vs Privacy Impact Assessments<br>A big conversation currently is the difference between a Data Privacy Impact Assessment and just a Privacy Impact Assessment. 
GDPR requires DPIAs, while the industry has always been accustomed to PIAs, and has mistakenly conflated the two.<\/p>\n\n\n\n<p><strong>So, what\u2019s the difference?<\/strong><\/p>\n\n\n\n<p>We could spend thousands of words on this, but in brief terms, a PIA is a process that privacy teams use to assess how changes to the business affect the overall privacy strategy, impact Privacy by Design, and whether they create new risks.<\/p>\n\n\n\n<p>Meanwhile a DPIA is more targeted, both at an individual process, and on the impact on the data subject. The two processes certainly overlap, but they also have different aims. They should both be performed, in tandem, with any change to the business \u2013 but by no means should one replace the other. Accordingly, we have split them out in the table, as elements #27 and #28.<\/p>\n\n\n\n<p>To make room, we combined \u201cSuppliers\u201d and \u201cPartners\u201d in the bottom half of the&nbsp;Central&nbsp;Components of Data Privacy&nbsp;section, where various types of data subject are listed, to create a new element, \u201cThird Parties\u201d.<\/p>\n\n\n\n<p>\u201cData Protection Officer\u201d now \u201cPrivacy Officer\u201d<br>Just as with Controller and Processor above, we feel that the GDPR-centric title of Data Protection Officer &#8220;DPO&#8221; hasn\u2019t become universal, or even as commonly used as anticipated.<\/p>\n\n\n\n<p>Russia does use the term, as does the Indian privacy bill, but Brazil\u2019s draft for example simply refers to \u201cPrivacy Officers\u201d whose roles are arguably more akin to CISOs, especially given there\u2019s no requirement to avoid conflicts of interest. 
The CCPA has no requirement for the role at all, although commentators are widely recommending that having one would be best practice regardless.<\/p>\n\n\n\n<p>In essence, there is too much variety in nomenclature, and even in the exact requirements or necessity of the role itself, for us to continue to use DPO as it is commonly understood. We have therefore switched it to \u201cPrivacy Officer\u201d (element #39), intending it to refer simply to an internal supervisory role where the rights (ethical as well as legal) are represented within the business. Whether an organisation is compelled to appoint one or not, it is surely prudent to have such oversight in place.<\/p>\n\n\n\n<p><strong>Replacing ICANN with US States<\/strong><br>The ICANN saga (element #114 in the\u00a0Future Developments\u00a0section) appears to have reached something approximating a conclusion \u2013 for now at least. As of May, the WHOIS directory has been redacted and access is now controlled. And while conversations continue over whether this affects anti-terrorism efforts and the like, and a long term solution is still being sought, there is unlikely to be major change for some time.<\/p>\n\n\n\n<p>We are replacing this with an area of far greater disorder and confusion \u2013 the various privacy laws of the US\u2019 individual states. 
Three states \u2013 Nevada, Maine and California \u2013 have passed their local laws (though see our previous update as to why we are still keeping the CCPA in&nbsp;Future Developments&nbsp;rather than&nbsp;Core Legislation), and as many as 11 have bills in progress, and five have been toppled in some way, including Hawaii\u2019s that was vetoed only a few days ago.<\/p>\n\n\n\n<p>As many know, there is talk of whether these states\u2019 bills will create enough pressure for a single federal bill to be introduced, but for now, and perhaps for quite a while yet, we suspect the states will have to continue to handle data subject protection themselves.<\/p>\n\n\n\n<p>(As a side note, did anyone notice our deliberate use of USSs for this element, not to be confused with USSS, the United States Secret Service \u2013 an ironic potential confusion for this topic!)<\/p>\n\n\n\n<p>As always,&nbsp;let us know of any suggestions, disagreements or recommendations. This is an open and live project that actively seeks input and is regularly updated as things change.<\/p>\n","protected":false},"excerpt":{"rendered":"<p>We&#8217;ve updated our popular Data Privacy Periodic Table. 
The changes on this occasion are conversely driven more by the subtleties of the laws themselves.<\/p>\n","protected":false},"author":33,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"_acf_changed":false,"footnotes":""},"categories":[142,140,141,121],"tags":[],"post_format_type":[40],"class_list":["post-1811","post","type-post","status-publish","format-standard","hentry","category-data-governance","category-data-privacy-glossary","category-data-protection","category-glossary"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v27.0 - https:\/\/yoast.com\/product\/yoast-seo-wordpress\/ -->\n<title>UPDATE 3: The Data Privacy Periodic Table | Calligo<\/title>\n<meta name=\"description\" content=\"We&#039;ve updated our popular Data Privacy Periodic Table. The changes on this occasion are conversely driven more by the subtleties of the laws themselves.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/\" \/>\n<meta property=\"og:locale\" content=\"en_GB\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"UPDATE 3: The Data Privacy Periodic Table | Calligo\" \/>\n<meta property=\"og:description\" content=\"We&#039;ve updated our popular Data Privacy Periodic Table. 
The changes on this occasion are conversely driven more by the subtleties of the laws themselves.\" \/>\n<meta property=\"og:url\" content=\"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/\" \/>\n<meta property=\"og:site_name\" content=\"Calligo\" \/>\n<meta property=\"article:published_time\" content=\"2019-07-22T12:25:54+00:00\" \/>\n<meta property=\"article:modified_time\" content=\"2024-01-18T14:42:44+00:00\" \/>\n<meta name=\"author\" content=\"Brendan Walsh\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:creator\" content=\"@calligocloud\" \/>\n<meta name=\"twitter:site\" content=\"@calligocloud\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"Brendan Walsh\" \/>\n\t<meta name=\"twitter:label2\" content=\"Estimated reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"6 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/\"},\"author\":{\"name\":\"Brendan Walsh\",\"@id\":\"https:\/\/www.calligo.io\/#\/schema\/person\/e2e0283a3e6c3a237a10e012c081755f\"},\"headline\":\"UPDATE 3: The Data Privacy Periodic Table\",\"datePublished\":\"2019-07-22T12:25:54+00:00\",\"dateModified\":\"2024-01-18T14:42:44+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/\"},\"wordCount\":1298,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/www.calligo.io\/#organization\"},\"articleSection\":[\"Data Governance\",\"Data Privacy\",\"Data 
Protection\",\"Glossary\"],\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/\",\"url\":\"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/\",\"name\":\"UPDATE 3: The Data Privacy Periodic Table | Calligo\",\"isPartOf\":{\"@id\":\"https:\/\/www.calligo.io\/#website\"},\"datePublished\":\"2019-07-22T12:25:54+00:00\",\"dateModified\":\"2024-01-18T14:42:44+00:00\",\"description\":\"We've updated our popular Data Privacy Periodic Table. The changes on this occasion are conversely driven more by the subtleties of the laws themselves.\",\"breadcrumb\":{\"@id\":\"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/#breadcrumb\"},\"inLanguage\":\"en-GB\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/www.calligo.io\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"UPDATE 3: The Data Privacy Periodic Table\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/www.calligo.io\/#website\",\"url\":\"https:\/\/www.calligo.io\/\",\"name\":\"Calligo\",\"description\":\"Building value through 
data\",\"publisher\":{\"@id\":\"https:\/\/www.calligo.io\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/www.calligo.io\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-GB\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/www.calligo.io\/#organization\",\"name\":\"Calligo\",\"url\":\"https:\/\/www.calligo.io\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.calligo.io\/#\/schema\/logo\/image\/\",\"url\":\"https:\/\/www.calligo.io\/wp-content\/uploads\/2023\/04\/calligo-og.jpg\",\"contentUrl\":\"https:\/\/www.calligo.io\/wp-content\/uploads\/2023\/04\/calligo-og.jpg\",\"width\":1200,\"height\":630,\"caption\":\"Calligo\"},\"image\":{\"@id\":\"https:\/\/www.calligo.io\/#\/schema\/logo\/image\/\"},\"sameAs\":[\"https:\/\/x.com\/calligocloud\",\"https:\/\/www.linkedin.com\/company\/calligo-limited\/\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/www.calligo.io\/#\/schema\/person\/e2e0283a3e6c3a237a10e012c081755f\",\"name\":\"Brendan Walsh\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-GB\",\"@id\":\"https:\/\/www.calligo.io\/#\/schema\/person\/image\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/299d5b23f0682aabb1a2347ddf8b95df04b22cfec378aea17a8f7395c74b2bc8?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/299d5b23f0682aabb1a2347ddf8b95df04b22cfec378aea17a8f7395c74b2bc8?s=96&d=mm&r=g\",\"caption\":\"Brendan Walsh\"}}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"UPDATE 3: The Data Privacy Periodic Table | Calligo","description":"We've updated our popular Data Privacy Periodic Table. 
The changes on this occasion are conversely driven more by the subtleties of the laws themselves.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/","og_locale":"en_GB","og_type":"article","og_title":"UPDATE 3: The Data Privacy Periodic Table | Calligo","og_description":"We've updated our popular Data Privacy Periodic Table. The changes on this occasion are conversely driven more by the subtleties of the laws themselves.","og_url":"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/","og_site_name":"Calligo","article_published_time":"2019-07-22T12:25:54+00:00","article_modified_time":"2024-01-18T14:42:44+00:00","author":"Brendan Walsh","twitter_card":"summary_large_image","twitter_creator":"@calligocloud","twitter_site":"@calligocloud","twitter_misc":{"Written by":"Brendan Walsh","Estimated reading time":"6 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/#article","isPartOf":{"@id":"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/"},"author":{"name":"Brendan Walsh","@id":"https:\/\/www.calligo.io\/#\/schema\/person\/e2e0283a3e6c3a237a10e012c081755f"},"headline":"UPDATE 3: The Data Privacy Periodic Table","datePublished":"2019-07-22T12:25:54+00:00","dateModified":"2024-01-18T14:42:44+00:00","mainEntityOfPage":{"@id":"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/"},"wordCount":1298,"commentCount":0,"publisher":{"@id":"https:\/\/www.calligo.io\/#organization"},"articleSection":["Data Governance","Data Privacy","Data 
Protection","Glossary"],"inLanguage":"en-GB","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/","url":"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/","name":"UPDATE 3: The Data Privacy Periodic Table | Calligo","isPartOf":{"@id":"https:\/\/www.calligo.io\/#website"},"datePublished":"2019-07-22T12:25:54+00:00","dateModified":"2024-01-18T14:42:44+00:00","description":"We've updated our popular Data Privacy Periodic Table. The changes on this occasion are conversely driven more by the subtleties of the laws themselves.","breadcrumb":{"@id":"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/#breadcrumb"},"inLanguage":"en-GB","potentialAction":[{"@type":"ReadAction","target":["https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/www.calligo.io\/insights\/glossary\/update-3-the-data-privacy-periodic-table\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/www.calligo.io\/"},{"@type":"ListItem","position":2,"name":"UPDATE 3: The Data Privacy Periodic Table"}]},{"@type":"WebSite","@id":"https:\/\/www.calligo.io\/#website","url":"https:\/\/www.calligo.io\/","name":"Calligo","description":"Building value through 
data","publisher":{"@id":"https:\/\/www.calligo.io\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/www.calligo.io\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-GB"},{"@type":"Organization","@id":"https:\/\/www.calligo.io\/#organization","name":"Calligo","url":"https:\/\/www.calligo.io\/","logo":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.calligo.io\/#\/schema\/logo\/image\/","url":"https:\/\/www.calligo.io\/wp-content\/uploads\/2023\/04\/calligo-og.jpg","contentUrl":"https:\/\/www.calligo.io\/wp-content\/uploads\/2023\/04\/calligo-og.jpg","width":1200,"height":630,"caption":"Calligo"},"image":{"@id":"https:\/\/www.calligo.io\/#\/schema\/logo\/image\/"},"sameAs":["https:\/\/x.com\/calligocloud","https:\/\/www.linkedin.com\/company\/calligo-limited\/"]},{"@type":"Person","@id":"https:\/\/www.calligo.io\/#\/schema\/person\/e2e0283a3e6c3a237a10e012c081755f","name":"Brendan Walsh","image":{"@type":"ImageObject","inLanguage":"en-GB","@id":"https:\/\/www.calligo.io\/#\/schema\/person\/image\/","url":"https:\/\/secure.gravatar.com\/avatar\/299d5b23f0682aabb1a2347ddf8b95df04b22cfec378aea17a8f7395c74b2bc8?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/299d5b23f0682aabb1a2347ddf8b95df04b22cfec378aea17a8f7395c74b2bc8?s=96&d=mm&r=g","caption":"Brendan 
Walsh"}}]}},"_links":{"self":[{"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/posts\/1811","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/users\/33"}],"replies":[{"embeddable":true,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/comments?post=1811"}],"version-history":[{"count":0,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/posts\/1811\/revisions"}],"wp:attachment":[{"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/media?parent=1811"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/categories?post=1811"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/tags?post=1811"},{"taxonomy":"post_format_type","embeddable":true,"href":"https:\/\/www.calligo.io\/wp-json\/wp\/v2\/post_format_type?post=1811"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}