Balancing the risks of Data Portability

Data portability refers to the right granted to individuals to access and transfer their personal data between services, as enshrined in modern data protection laws such as the GDPR. Advocates argue that data portability enhances consumer choice and fosters competition by making it easier to switch providers, thus reducing service provider lock-in. Just as number portability empowered consumers to switch mobile providers without losing their phone number, data portability allows users to move their digital history, preferences, and identity between digital services. However, these benefits come with significant risks. Poorly implemented systems and weak controls could allow fraudsters to impersonate users and extract sensitive data. Cybercriminals may spoof new extraction requests or intercept poorly secured transfers, turning a consumer-friendly right into a new attack vector. ...

2 min

Data classification

Data classification is the process of organising data into categories based on sensitivity and criticality to the organisation. This process is crucial for effective risk management, as it enables organisations to identify and prioritise the protection of their most valuable and sensitive information assets. By understanding the different levels of risk associated with different data types, organisations can implement security controls and procedures to mitigate threats, comply with regulatory requirements, and minimise the impact of data breaches. ...

1 min

Data Classification and Labeling

As organisations increasingly operate in digital environments, they are creating and handling ever-increasing volumes of sensitive data, including customer information, employee records and confidential business data. This will also include personal data, a special category that carries additional legal protections and obligations. A robust data classification and labelling process is therefore essential for managing information security and meeting these legal and regulatory obligations.

What is Data Classification?

Data classification involves categorising data based on its sensitivity and potential impact if compromised. Examples include: ...

2 min

Data Loss Prevention (DLP)

Data loss prevention (DLP) helps organisations protect sensitive information from loss, misuse, or unauthorised access. DLP is a strategy and set of tools designed to prevent sensitive information from leaving an organisation’s control or being accessed by unauthorised users. It works by identifying, monitoring, and protecting data in three states: when it’s being used, when it’s being transferred (such as over a network or email), and when it’s stored on devices or servers. DLP tools use content inspection and security analysis to achieve this. ...

1 min

Data Protection

Data protection refers to the practices, safeguards, and rules put in place to protect personal information and ensure that individuals’ privacy rights are respected. Data protection procedures in an organisation will involve the secure handling of data to prevent unauthorised access, disclosure, alteration, or destruction. Effective data protection measures are essential for maintaining trust, and for compliance with legal and regulatory requirements.

Related pages: Data privacy; Data classification; Data disposal; Worldwide data transfer; Data controller; Data processor; Data subject rights; Data breach

1 min

Data Subject

A data subject is an individual (natural person) whose personal data is collected, held, or processed by an organisation. Under GDPR and other related laws, data subjects have specific rights regarding their personal data, including the right to access, correct, and request the deletion of their data.

Further reading: Data Subject Definition in the GDPR act

Related pages: GDPR

1 min

General Data Protection Regulation (GDPR)

The General Data Protection Regulation (GDPR) is a European Union regulation on data protection and privacy.

Further reading: General Data Protection Regulation (GDPR) - GDPR Summary; EU General Data Protection Regulation (GDPR) - PCPD Hong Kong

1 min

Global - Data protection legislation

Australia: Privacy Act 1988
Australia has a number of data protection and privacy laws and regulations. DLA Piper provide a good overview.
Further reading: Privacy Act 1988 (gov.au); Comparing privacy laws: GDPR v. Australian Privacy Act (Data Guidance) (PDF); Australia Data Protection Laws (DLA Piper)

China: Personal Information Protection Law (PIPL)
See related page

European Union: General Data Protection Legislation (GDPR)
See related page

Hong Kong: Personal Data (Privacy) Ordinance
See related page

India: Digital Personal Data Protection Act (DPDP), 2023
India enacted the Digital Personal Data Protection Act in 2023. ...

1 min

Personal Data (Privacy) Ordinance

Hong Kong’s Personal Data (Privacy) Ordinance (PDPO) is the primary law governing data protection in Hong Kong, outlining the rights and obligations related to the collection, use, and transfer of personal data. The Personal Data (Privacy) Ordinance is managed by the Office of the Privacy Commissioner for Personal Data (PCPD) in Hong Kong.

Further reading: The Personal Data (Privacy) Ordinance

1 min

Personal Information Protection Law (PIPL)

The Personal Information Protection Law (PIPL) is a data privacy law that governs the collection, use, and transfer of personal information within China. It was passed by the National People’s Congress and came into effect on November 1, 2021.

Further reading: Mainland’s Personal Information Protection Law (PCPD)

Related pages: Personal Data Privacy Ordinance

1 min

What are adequacy decisions?

Adequacy decisions are determinations made by the European Commission that a non-EU country ensures an equivalent level of data protection. These decisions allow for the free flow of personal data from the EU to these countries without additional safeguards. Adequacy decisions are crucial for facilitating secure and legitimate international data transfers, while upholding data privacy standards.

Further reading: Adequacy decisions - European Commission; A guide to international transfers - ICO; Commission finds that EU personal data flows can continue with 11 third countries and territories - European Commission

1 min