What Is Data Privacy? Key Principles, Laws & Best Practices

March 30, 2026
Mathieu Gaillarde

What Is Data Privacy?

Data privacy is the right of individuals to control how their personal information is collected, stored, used, shared, and deleted by organizations. It is the principle that personal data belongs, in a meaningful sense, to the person it describes — and that organizations which collect and process that data do so only for legitimate purposes, with appropriate safeguards, and with respect for the individual’s rights and preferences.

Data privacy is distinct from data security, though the two are deeply interconnected. Data security is about protecting data from unauthorized access, breaches, and theft. Data privacy is about ensuring that data is used appropriately by those who are authorized to access it. An organization can have strong data security — robust encryption, strict access controls, no breaches — while still violating data privacy by using personal data for purposes the individual never consented to, retaining it longer than necessary, or sharing it with third parties without disclosure.

📌 TL;DR — Key Takeaways
• Data privacy is the right of individuals to control how their personal information is collected, used, and shared
• It differs from data security: security protects data from unauthorized access; privacy governs how authorized parties use it
• GDPR, CCPA/CPRA, and HIPAA are the most frequently cited data privacy laws: GDPR has the broadest reach, CCPA/CPRA is a US state law, and HIPAA is a US sector-specific law for health information
• Key principles: purpose limitation, data minimization, consent, transparency, and individual rights
• Organizations that handle personal data have legal obligations that extend beyond technical security controls

Data Privacy vs Data Security: Understanding the Difference

The relationship between data privacy and data security is best understood as overlapping but distinct disciplines. Data security is a technical domain: it encompasses the controls, systems, and processes that prevent unauthorized parties from accessing data. Encryption, firewalls, multi-factor authentication, access control policies, and intrusion detection systems are all data security measures. Data privacy is a legal, ethical, and governance domain: it defines who may use data, for what purposes, under what conditions, and with what transparency to the individuals whose data it is.

                    | Data Privacy                                              | Data Security
--------------------|-----------------------------------------------------------|-------------------------------------------------------
Focus               | Appropriate use of data by authorized parties             | Protection of data from unauthorized access
Domain              | Legal, ethical, governance                                | Technical, operational
Key questions       | Should we collect this? For how long? With whose consent? | Can unauthorized parties access this? Is it encrypted?
Governed by         | Privacy laws (GDPR, CCPA, HIPAA)                          | Security frameworks (ISO 27001, SOC 2, NIST)
Failure consequence | Privacy violation, even without a breach                  | Data breach, even with lawful use

Strong data security is a prerequisite for meaningful data privacy — you cannot protect individuals’ rights over their data if that data can be stolen by unauthorized parties. But security alone is not sufficient for privacy. Organizations must also govern how data is collected, what it is used for, how long it is retained, and with whom it is shared.

Why Data Privacy Matters

The significance of data privacy has expanded dramatically in the digital age, driven by the sheer volume of personal data that organizations now collect and the potential for harm when that data is misused. Personal data collected ostensibly for one purpose — a customer loyalty program, a job application, a medical appointment — can be used to discriminate, manipulate, surveil, or defraud individuals in ways they never anticipated when they provided it.

Beyond individual harm, data privacy has significant commercial implications. Organizations that fail to handle personal data appropriately face regulatory fines that can reach hundreds of millions of euros under GDPR, reputational damage that undermines customer trust, and civil liability from individuals whose privacy rights have been violated. The commercial case for data privacy is not just about regulatory compliance — it is about maintaining the trust that underpins customer relationships in a world where individuals are increasingly aware of, and concerned about, how their data is used.

The Core Principles of Data Privacy

Most data privacy frameworks, regardless of jurisdiction, are built on a consistent set of foundational principles that have evolved over decades of legal and policy development.

Purpose limitation requires that personal data be collected for specified, explicit, and legitimate purposes, and not used in ways incompatible with those purposes. An organization that collects email addresses to send order confirmations cannot then use those addresses for marketing without a separate legal basis. Data minimization requires that organizations collect only the personal data that is necessary for the stated purpose. The temptation to collect data broadly — “we might find it useful later” — is directly contrary to this principle.

Storage limitation requires that personal data be retained only as long as necessary for the purpose for which it was collected. Indefinite data retention is incompatible with most modern privacy frameworks. Organizations must define retention periods, implement deletion or anonymization processes at the end of those periods, and demonstrate that they do so consistently. Accuracy requires that personal data be kept up to date: decisions made about individuals on the basis of inaccurate data can cause serious harm. Transparency and fairness require that individuals be informed about how their data will be used in a way that is clear, accessible, and honest — privacy policies written in dense legal language that no ordinary person could understand are increasingly regarded as insufficient both legally and ethically.

The Major Data Privacy Laws

Data privacy is regulated by an expanding and increasingly complex body of law that varies by jurisdiction and sector. The General Data Protection Regulation (GDPR) is the most comprehensive and globally influential data privacy law in force. Enacted by the European Union and applicable since 25 May 2018, GDPR applies to organizations established in the EEA and, under Article 3(2), to organizations anywhere in the world that offer goods or services to, or monitor the behaviour of, individuals in the EEA. Its requirements include a lawful basis for all data processing, explicit consent where required, notification of the supervisory authority within 72 hours of becoming aware of a personal data breach (where feasible), data subject rights including access, erasure, and portability, and data protection by design and by default as an engineering principle. Fines for serious violations can reach €20 million or 4% of global annual turnover, whichever is higher.

The California Consumer Privacy Act (CCPA), as amended and expanded by the California Privacy Rights Act (CPRA), gives California residents rights over their personal data broadly comparable to GDPR: the right to know what data is collected, the right to delete, the right to opt out of the sale or sharing of personal data, and the right to non-discrimination for exercising privacy rights. The Health Insurance Portability and Accountability Act (HIPAA) governs the privacy and security of protected health information (PHI) in the United States, applying to healthcare providers, health plans, healthcare clearinghouses, and their business associates. Beyond these three frameworks, data privacy is regulated by dozens of national laws globally, including Brazil’s LGPD, India’s DPDP Act, Canada’s PIPEDA, Australia’s Privacy Act, and China’s PIPL.

Individual Rights Under Data Privacy Law

A defining feature of modern data privacy frameworks is the recognition that individuals have enforceable rights over their personal data, not just passive interests that organizations may choose to respect. The right of access gives individuals the right to know what personal data an organization holds about them and to receive a copy. The right to erasure — sometimes called the right to be forgotten — gives individuals the right to request deletion of their personal data in certain circumstances. The right to portability gives individuals the right to receive their data in a structured, machine-readable format and transfer it to another organization. The right to rectification enables correction of inaccurate data. The right to object allows individuals to oppose certain types of processing, including direct marketing.

For organizations, these rights create operational obligations: the ability to locate all data held about a specific individual across every system and backup, to delete it on request, to respond to access requests within defined timeframes (one month under GDPR, extendable by two further months for complex or numerous requests), and to maintain records demonstrating compliance. Organizations that cannot operationalize these rights, because their data is siloed across systems, poorly catalogued, or technically difficult to delete, are at significant compliance risk regardless of how strong their privacy policies are on paper.

Lawful Bases for Processing Personal Data

Under GDPR and similar frameworks, every processing activity involving personal data must have a lawful basis, a legally recognized justification for collecting and using the data. The six lawful bases under GDPR Article 6 are consent (the individual has given freely given, specific, informed, and unambiguous consent), contract (processing is necessary to perform a contract with the individual or to take steps at their request before entering one), legal obligation (processing is required by law), vital interests (processing is necessary to protect someone’s life), public task (processing is necessary for a task in the public interest or in the exercise of official authority), and legitimate interests (processing is necessary for the organization’s or a third party’s legitimate interests, provided those interests are not overridden by the individual’s rights and freedoms).

Choosing the appropriate lawful basis is not merely a paperwork exercise — it determines what rights individuals have with respect to the processing and what obligations the organization carries. Organizations that rely on consent must be able to demonstrate that it was freely given, specific, informed, and unambiguous, and must honor withdrawal as easily as it was given.

Privacy by Design: Building Privacy In

Privacy by design is the principle that data privacy should be embedded into the design and architecture of systems, processes, and products from the outset, rather than added as an afterthought. Developed by Dr. Ann Cavoukian while Information and Privacy Commissioner of Ontario, and subsequently incorporated into GDPR as a legal requirement (Article 25, "data protection by design and by default"), it holds that privacy is most effectively protected when it is built into the default operation of a system.

In practice, privacy by design means that engineers and product managers consider data collection, retention, and sharing decisions at the design stage: what data is strictly necessary for the feature to function? Can the feature be designed to use less data? Can data be anonymized or pseudonymized rather than stored in identifiable form? Are retention and deletion mechanisms built into the data model from the start? These questions are far more efficiently answered at the design stage than retrofitted after a system is in production.
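The following is an added example, not code from the original article or from any product it mentions, showing what "building retention and deletion into the data model" looks like when the purpose limitation and storage limitation principles described earlier, and the access and erasure rights, are all enforced in one small store. Identifiers are pseudonymised with a keyed HMAC so the raw email never sits in the record; every record carries the purposes it was collected for; reads must declare a purpose and only see data collected for it and still within its retention window; and purge, withdrawal, access and erasure are first-class operations. The key, the retention periods, the email addresses and the order data are all constructed for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Assumed for the example only. In production the pseudonymisation key lives in a
# KMS/HSM and is stored apart from the records it protects (GDPR Art. 4(5)).
PSEUDONYM_KEY = b"example-only-key-do-not-reuse"

# Assumed retention period per purpose; the article gives no concrete values.
RETENTION = {
    "order_fulfilment": timedelta(days=730),
    "marketing": timedelta(days=180),
}


def pseudonymise(identifier: str) -> str:
    """Keyed HMAC-SHA256 over a normalised identifier: stable for lookups,
    not reversible, and not reproducible by anyone without the key."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()


@dataclass
class Record:
    subject: str            # pseudonym, never the raw identifier
    purposes: set           # purposes this data was collected for
    collected_at: datetime  # start of the retention clock
    data: dict


class PurposeViolation(Exception):
    """Raised when code reads data for a purpose that has no retention policy."""


class PrivacyStore:
    def __init__(self):
        self._records = []

    def collect(self, identifier, purposes, data, now):
        # Data minimisation at the boundary: refuse data with no declared, policed purpose.
        unknown = set(purposes) - set(RETENTION)
        if unknown:
            raise ValueError(f"no retention policy for purposes {sorted(unknown)}")
        self._records.append(Record(pseudonymise(identifier), set(purposes), now, dict(data)))

    def read(self, identifier, purpose, now):
        """Purpose limitation: callers declare why they need the data and only get
        records collected for that purpose whose retention window is still open."""
        if purpose not in RETENTION:
            raise PurposeViolation(f"unknown purpose {purpose!r}")
        subject = pseudonymise(identifier)
        return [r.data for r in self._records
                if r.subject == subject and purpose in r.purposes
                and now - r.collected_at <= RETENTION[purpose]]

    def withdraw(self, identifier, purpose):
        """Withdrawal of consent for one purpose; records with no purpose left are deleted."""
        subject = pseudonymise(identifier)
        for r in self._records:
            if r.subject == subject:
                r.purposes.discard(purpose)
        self._records = [r for r in self._records if r.subject != subject or r.purposes]

    def purge_expired(self, now):
        """Storage limitation: drop a record once every purpose it was kept for has expired."""
        before = len(self._records)
        self._records = [r for r in self._records
                         if any(now - r.collected_at <= RETENTION[p] for p in r.purposes)]
        return before - len(self._records)

    def access_request(self, identifier):
        """Right of access: everything held about the subject, with the purposes attached."""
        subject = pseudonymise(identifier)
        return [dict(r.data, purposes=sorted(r.purposes))
                for r in self._records if r.subject == subject]

    def erase(self, identifier):
        """Right to erasure: returns how many records were removed."""
        subject = pseudonymise(identifier)
        before = len(self._records)
        self._records = [r for r in self._records if r.subject != subject]
        return before - len(self._records)


def demo():
    """Constructed walk-through with two subjects; returns the observations it makes."""
    t0 = datetime(2026, 1, 1, tzinfo=timezone.utc)
    store = PrivacyStore()
    store.collect("Alice@Example.com", {"order_fulfilment"}, {"order": "A-1"}, t0)
    store.collect("bob@example.com", {"order_fulfilment", "marketing"}, {"order": "B-7"}, t0)
    out = {
        "alice_for_orders": store.read("alice@example.com", "order_fulfilment", t0),
        "alice_for_marketing": store.read("alice@example.com", "marketing", t0),  # never consented
        "bob_marketing_day0": store.read("bob@example.com", "marketing", t0),
        "bob_marketing_day200": store.read("bob@example.com", "marketing", t0 + timedelta(days=200)),
        "purged_day200": store.purge_expired(t0 + timedelta(days=200)),  # orders still live
    }
    store.withdraw("bob@example.com", "marketing")
    out["bob_after_withdrawal"] = store.access_request("bob@example.com")
    out["erased_alice"] = store.erase("alice@example.com")
    out["purged_day1100"] = store.purge_expired(t0 + timedelta(days=1100))
    return out
```

Two design points are worth noting. The marketing read on Bob's record returns nothing after 180 days even though the record still exists, because the record is kept for the longer order-fulfilment purpose; retention is evaluated per purpose, not per row. And the caller never handles the raw email after `collect`: lookups, withdrawal and erasure all go through the pseudonym, so an application log or a replica of this table does not leak the identifier on its own.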

Data Privacy and Vendor Relationships

One of the most practically significant dimensions of data privacy regulation is its impact on vendor and supplier relationships. Under GDPR Article 28, when an organization (the data controller) shares personal data with a third-party service provider (the data processor), the controller may only use processors that provide sufficient guarantees about their data protection practices, and the processing must be governed by a binding contract, typically a Data Processing Agreement (DPA), that also requires the processor to obtain authorization before engaging sub-processors.

This requirement is a primary driver of the vendor risk assessments and security questionnaires that software vendors increasingly receive from enterprise customers. When a CISO or procurement manager sends a vendor a questionnaire asking about data retention policies, encryption standards, data residency, and sub-processor management, they are partly discharging their legal obligation under GDPR. A vendor’s ability to answer these questions clearly — ideally backed by a current SOC 2 report or ISO 27001 certification — is directly relevant to their ability to win and retain enterprise customers.

Common Data Privacy Violations and Their Consequences

Data privacy violations range from technical failures to deliberate misuse. The most common categories include unlawful data collection (collecting data without a valid legal basis or adequate notice), purpose creep (using data for purposes other than those disclosed at collection), failure to honor data subject rights (ignoring or unduly delaying responses to access or erasure requests), inadequate data processor management (failing to have appropriate DPAs in place), and unlawful international data transfers (transferring personal data across borders without adequate safeguards such as EU Standard Contractual Clauses).

Regulatory enforcement has become significantly more active in recent years. GDPR fines issued since 2018 total several billion euros, with major penalties against technology companies, financial institutions, and public authorities. Beyond fines, enforcement can include orders to stop processing, mandatory audits, and reputational damage from public decisions that attract widespread press coverage.

Building a Data Privacy Program

Organizations building or maturing their data privacy programs share several common foundational elements. A data inventory or Record of Processing Activities (ROPA) — required by GDPR Article 30 — maps what personal data the organization holds, where it came from, what it is used for, where it is stored, and with whom it is shared. This inventory is the foundation for everything else: you cannot manage data you cannot see.

Privacy impact assessments (PIAs) or Data Protection Impact Assessments (DPIAs) evaluate the privacy risks of new projects and processing activities before they are implemented. A DPIA is mandatory under GDPR Article 35 for processing likely to result in a high risk to individuals, such as large-scale processing of special-category data or systematic monitoring. Privacy notices must be accurate, comprehensive, and written in plain language. A consent management platform gives individuals the ability to manage their privacy choices and gives the organization the records it needs to demonstrate consent. And incident response procedures specific to personal data breaches ensure that notification obligations can be met within the tight timeframes that GDPR and other regulations impose.

A Note on Data Privacy in Software Vendor Relationships

For software vendors who receive security questionnaires and vendor risk assessments from enterprise customers, data privacy questions — about GDPR compliance, data retention, sub-processors, international transfers, and DPA availability — are among the most frequently asked. Steerlab.ai helps vendors respond to these assessments efficiently, drawing from a centralized knowledge base of approved answers so privacy and legal teams can focus on substance rather than repetitive drafting.

Frequently Asked Questions

What is data privacy?

Data privacy is the right of individuals to control how their personal information is collected, stored, used, shared, and deleted by organizations. It encompasses both individual rights and organizational obligations, and is governed by laws including GDPR, CCPA, and HIPAA.

What is the difference between data privacy and data security?

Data security protects data from unauthorized access, breaches, and theft. Data privacy ensures that data is used appropriately by those who are authorized to access it. Both are necessary: security without privacy means authorized parties can still misuse data; privacy without security means unauthorized parties can access it.

What is GDPR?

GDPR (General Data Protection Regulation) is a European Union regulation, applicable since 25 May 2018, governing the collection, use, and protection of the personal data of individuals in the EEA. It applies to organizations established in the EEA and to organizations anywhere in the world that offer goods or services to, or monitor the behaviour of, individuals in the EEA, regardless of those individuals' citizenship or residence. Fines for serious violations can reach €20 million or 4% of global annual turnover, whichever is higher.

What rights do individuals have under data privacy laws?

The most significant rights recognized across multiple jurisdictions include the right of access (to see what data is held), the right to erasure (to request deletion), the right to portability (to receive data in a transferable format), the right to rectification (to correct inaccurate data), and the right to object to certain types of processing including direct marketing.

What is privacy by design?

Privacy by design is the principle that data privacy should be embedded into systems, products, and processes from the outset, rather than added as an afterthought. It is a legal requirement under GDPR and involves making decisions about data minimization, retention, and anonymization at the design stage rather than retrofitting them into existing systems.

Why do enterprise software vendors receive data privacy questions in security questionnaires?

Under GDPR and similar frameworks, organizations sharing personal data with third-party vendors must verify that those vendors provide adequate data protection. This obligation is discharged through vendor security assessments that include questions about data retention, sub-processors, international transfers, DPA availability, and GDPR compliance status.

What is a Data Processing Agreement (DPA)?

A Data Processing Agreement is a contract required under GDPR between a data controller and a data processor. It specifies the subject matter, duration, nature, and purpose of processing, the type of personal data involved, the categories of individuals affected, and the obligations and rights of both parties.

What are the most common data privacy violations?

The most common violations include collecting data without a valid legal basis, using data for purposes other than those disclosed at collection, failing to honor data subject rights within required timeframes, failing to have appropriate DPAs with vendors, and transferring personal data internationally without adequate safeguards such as EU Standard Contractual Clauses.
