Blog/Infosec 101/

What is data privacy and why is it important?

Elisa Armstrong

Elisa Armstrong


Jan 02, 2023


12 min read

Jump to section

Privacy is freedom from unwanted or unpermitted observation. When we talk about data privacy, we usually mean personal data privacy: the expectation that our personal information is not shared without our consent.

Personal data

Data is another word for information. When we call it “data,” we usually mean digital traces of that information. When the data is categorized as personal, it’s about us. In this section, we’ll cover four types of personal data:

  • Personal identifiable information (PII)

  • General or biographical personal data

  • Behavioral data

  • Biological data

Personal identifiable information

Personal identifiable information (PII) is any piece of information that can be tied to you directly. Your full name, passport number, home address, and email address are all examples of personal identifiable data.

Your LinkedIn profile, your Amazon account, and most apps on your phone are all rich resources for personal data. Chances are you have trusted the internet with your personal data on hundreds if not thousands of occasions — each time you have ticked “agree” on a terms and conditions checkbox. But you are not the only source of your personal identifiable information.

PII can also be financial or medical in nature. For example, your credit card number and health insurance beneficiary numbers also qualify.

In general, formal distinctions of types of data are useful insofar as they relate to data privacy legislation, which depend on where organizations and their clientele are located.

In the United States, personal medical data is a distinct category, called protected health information (PHI). Dates of medical procedures, your birthday, and medical record numbers are formally called PHI so that they can be protected by HIPAA.

Biographical data

Biographical data, sometimes called “personal data,” is more general. This category pertains to data collected about you that’s not specific to you and only you.

Your ethnic background, religion, country of residence, and workplace are some examples. Though not identifying in itself, you might consider some of the information in this category to also be private, especially when it’s stored alongside PII.

Behavioral data

What you do online can also be part of your personal data when it’s quantified and collected. In general, websites require fewer or no permissions from you when the data collected is anonymized. Most often, they collect this data for marketing purposes.

Biological data

What you are is also considered data. Beyond what you look like in pictures or on video, the unique physical characteristics that can be used to identify you — such as your bone structure, fingerprints, or the patterns in your iris — are called biometrics. Because they are by nature unique, biometrics are always PII, which is why they can be used for authentication.

As you can tell, when personal data points are combined, they can paint a detailed picture of who you are and what you do — both online and in life.

Beyond the personal: other types of private data

When we move away from what’s strictly personal, a broader conversation about data privacy will inevitably touch on “sensitive data,” which can apply to information that individuals or organizations want to keep from becoming public.

Usually, when data is called sensitive, that indicates its high value — to both its owners and to others, including cybercriminals.

  • Individuals may have vastly different definitions of private or sensitive data. Examples could include family photos, journal entries, text messages, or an unfinished manuscript.

  • For government organizations, sensitive information might pertain to national security, for example, the location of a military base.

  • Private businesses might consider their secret sauce recipe, product strategy plans, or contracts to be sensitive data.

However, just like protected health information, what’s considered sensitive data can also be a formal category that is defined by the law.

Data privacy and data security: What’s the difference?

The terms data privacy and data security are sometimes used interchangeably and occasionally, incorrectly. That can make it difficult to know what situations they apply to. So before we dive deeper, let’s set the record straight.

  • Privacy, as we talked about in the first section, is about concealing information about you or what you do. Curtains on your window provide privacy even when people know where you live. Online, a VPN works the same way. By encrypting your connection to the internet, it prevents snooping by advertisers and cybercriminals. With a VPN, no one can see your location, device information, or browsing activity.

  • Security is protection from or resilience against threats. Steel roller shutters on storage lockers and store windows (or “hurricane shutters” as they’re sometimes called) provide both privacy and security.

  • Cybersecurity is protection against digital threats and mitigation of their damage. This term can also be applied to systems, networks, and programs. A password manager protects your online accounts, for example, by making it much more difficult for cybercriminals to gain entry by exploiting weak and reused passwords.

  • Information security (also called data security) refers specifically to the protection of data or information. Because data is largely kept in digital spaces, you can interpret information security as a subcategory of cybersecurity. NordLocker’s encrypted cloud bolsters both cybersecurity and information security.

  • Online privacy and digital privacy are broad terms that usually refer to individuals’ data privacy while online.

  • Digital rights refer to the application of human rights in the digital realm, which is very likely to involve privacy.

Why should you care about data privacy?

Practical concerns

To understand the importance of data privacy, it’s helpful to understand the risk of not having it. A violation of privacy involves your data being in the “wrong hands.” Who or what entity has taken your data and for what purpose determines the consequences of the breach.

Consequences for individuals

When your data is stolen or used without your consent by a malicious actor, it can be used to spy on you, manipulate you, discriminate against you, and/or steal from you. Not strictly limited to cybercriminals, a malicious actor can be any person or entity who is using your data in a way that you have not agreed to.

The United States’ National Security Agency’s unlawful telephone records surveillance and the Facebook-Cambridge Analytica political advertising scandal are two memorable examples of large-scale data privacy violations that threatened civil liberties.

On a smaller scale, you may be personally targeted, either by someone you know or a financially motivated cybercriminal. For example:

  • our online diary could be hacked by your frenemy, causing you embarrassment or reputational harm.

  • A cluster of your PII might be collected by a criminal to spoof your identity, subjecting you to a lengthy legal battle or piles of paperwork to restore it.

  • Your credit card number could be stolen, putting you on the hook for purchases you never made.

Consequences for businesses

Businesses share many of the same concerns as individuals, including reputational and financial losses, but on an even greater scale. A data breach that makes headlines can stay in the public consciousness long after it's addressed. And that’s aside from the financial burden associated with recovery which has reached an all-time high this year at $4.35M.

When businesses keep stores of personal data from clients or consumers, they carry an additional burden: respecting the law.

Failing to meet legislative compliance, otherwise known as breaking the law, can result in fines and, in some cases, jail time for executives. We’ll address this topic in detail in the next section.

Today, financially motivated cybercriminals are the biggest threat to businesses and institutions’ data privacy.

In recent years, the rise of ransomware — the criminal practice of holding access to files for ransom — has been of particular concern. Breaches caused by ransomware have grown an impressive 13% year over year, which is an increase greater than the last five years combined.

And to be clear, cyber threats are not only a risk to “big fish.” According to NordLocker’s own research, small and medium-sized businesses are the top targets of ransomware attacks

In addition to “external threat actors,” businesses also have to be vigilant about the risk of “insider threats.” In other words, mistakes or mishaps involving their own employees.

Have you ever realized, only after pressing “send,” that you texted or emailed sensitive information to the wrong person? In a corporate context, this is called misdelivery, and it is among the top actions associated with data breaches caused by human error in 2022.

Privacy as a human right

On many occasions a lack of privacy does not result in immediate danger or consequences. However, you might still want to protect it. If you value privacy for reasons beyond how useful it is — at preventing cybercrime, for example — that probably means you believe privacy has value in its own right.

The reasonable expectation of privacy has a long history, but the topic has renewed relevance today for a number of reasons.

For one, a dramatic evolution in information technology has all but necessitated that internet users pay more attention to this topic. Never has data been more available: Our use of a growing number of web-connected devices means practically everything we do and say can be recorded. In parallel, it has never been easier to store, manage, and interpret that data.

What’s more, a series of now-infamous data privacy violations have brought the need to protect it into sharp focus. This year, global Google searches for “data privacy” hit their highest volume ever.

Before the concept of data privacy gained mainstream recognition, a European human rights organization founded Data Privacy Day to raise awareness. Data Privacy Day is celebrated on January 28th and is observed by more than 50 countries, including the United States.

Objections to the need for data privacy

A common and very old objection to the right to privacy is the “nothing to hide” argument. It can be summarized this way: If you haven’t done anything wrong, you have nothing to hide. And with nothing to hide, you have no need for privacy.

Critics object to this argument. One counter-argument is that regardless of your personal feelings on privacy, it still makes sense to respect and protect others’ desire for privacy. Edward Snowden articulates this position with an apt analogy:

A more pragmatic argument supporting the right to privacy is that what and from whom you want to “hide” certain information can change over time.

At the top of this section, we discussed what can happen when data gets into the “wrong hands.” Depending on your country of residence, you might consider the government a trustworthy entity that always has its citizens’ best interests at heart. However, a new statesperson or law could change that.

In a tyrannical government, for example, legislation might be out of step with ethics. So, for example, you may not be doing anything “wrong,” but that same action might be punishable by law.

What laws govern data privacy around the world?

We can look at data privacy legislation in two ways. On one hand, you are the owner of data, in which case you are protected by the law whether or not you read the terms and conditions for every app you download.

On the other hand, you might be a keeper of data as well. Many professions involve working with or having access to personal or private data. In this case, you are bound by data privacy laws.

Since the 1990s, technology has evolved faster than legislation surrounding it. Even still, most countries have implemented, or are in the process of implementing, laws that protect personal data. That is, at least in part, because consumers demand it.

What these laws have in common is their goal: to compel businesses to provide more transparency and agency to individuals over the data that is collected about them.

Usually the legislation defines:

  • Which kinds of data are protected by law

  • How it can be collected

  • What counts as consent

  • For what purpose the data can be kept and used

Almost always, the laws are “extraterritorial” — they protect the data of residents of their country even when the businesses collecting data operate outside of that country. That means Europe’s data privacy law, the GDPR, applies to American companies when they are handling personal data from people living in the EU.

Where the laws tend to diverge is their degree of specificity, application, defined roles, and penalties. The following is merely a glimpse at some of the data privacy laws that exist around the world.

The United States

While lawmakers have made many endeavors, the US does not currently have a federal law concerning data privacy.

The most current iteration is a bill called the American Data Privacy Protection Act (ADPPA), which takes legislation of data privacy further than its predecessors.

Despite the US not having a general data privacy law, personal health and financial data is protected by HIPAA (The Health Insurance Portability and Accountability Act of 1996) and the GLBA (The Gramm–Leach–Bliley Act) respectively.

Without a federal law, personal data privacy legislation is up to each state. On this front, California’s data privacy law has led the charge. The CCPA (California Consumer Privacy Act) is similar to Europe’s robust GDPR.

Under the CCPA, consumers residing in California can bring civil action against businesses in the event of a data breach. The breaches must involve specific pieces of PII combined with the consumer’s name.

Since its enactment in 2020, three more states have followed suit with similar legislation. Virginia's Consumer Data Protection Act (CDPA), Colorado’s Privacy Act (CPA), and Connecticut's Data Privacy Act (CTDPA) will take effect in 2023.


The GDPR (General Data Protection Regulation) is arguably the most influential data privacy legislation in the world. It is robust in its protections and, especially at the time of its enactment, considered to be the toughest legislation protecting personal data privacy in the world. Since coming into force in 2018, it continues to inspire similar laws around the globe.

One of the hallmarks of the GDPR is the requirement for businesses to get express consent, “by a clear affirmative action” from their patrons for data collection. This requirement was a crackdown on marketing and sales initiatives that took for granted users’ consent to a business sending them emails or tracking their behavior with cookies.

In its 99 articles, the GDPR legislation defines the roles of “controller” and “processor” as well as their responsibilities.

The GDPR applies to all residents of countries in the European Union, including Austria, Belgium, Bulgaria, Croatia, Cyprus, the Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, the Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, and Sweden. Notably, unlike the state laws that specify data quantities or profit thresholds, small businesses are not excluded from the GDPR.

The penalty for a severe violation can reach 20 million euros or up to 4% of the business’ global turnover during the previous year, whichever is higher. In recent years, fines issued have increased, with tech giants among the hardest hit.

Because it is far reaching and among the oldest laws of its kind, it is often used as a benchmark against which new data privacy laws are compared and contrasted.


Australia’s Privacy Act applies to government organizations and businesses with a turnover exceeding three million annually. In addition to personal information, the act regulates credit reporting, tax numbers, and medical data.


Belarus’ Law on Personal Data Protection will enjoy its one year anniversary of enforcement on November 15, 2022. It is the country’s first law that pertains specifically to personal data protection. The law includes criminal penalties such as jail time for serious or intentional violations.


Brazil’s General Data Protection Law, called the Lei Geral de Proteção de Dados (LGPD), is perhaps the most well known data privacy legislation in South America.

The law is very similar to Europe’s GDPR, but not identical. One key difference is data security regulation. The measures to protect data are less specific under the LGPD than the GDPR.


Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) has been in effect since 2001. The act uses a broad definition of personal data that include opinions, comments, and intentions.

While it has been updated through the years, many argue that it is due for a significant review. One complaint of the regulation is that its financial penalties are too low to compel businesses to comply.

The proposed Consumer Privacy Protection Act (CPPA), if passed, would represent a complete overhaul of the legislation including much harsher fines.


China’s Personal Information Protection Law (PIPL) came into effect in November of 2021. The PIPL has strict consent requirements, a generous definition of “sensitive data,” and harsh penalties. Fines can reach up to 5% of a business’ annual turnover, and any infringements may be recorded in the country’s social credit score.


Like much of the legislation discussed already, Egypt’s Personal Data Protection Law (PDPL) is similar to Europe’s GDPR — with a few key differences.

In effect from October 2020, the PDPL sets shorter timelines for data breach notification and responding to subjects’ requests for access to their data. The former should be done in no more than three days, and the latter within six.

Additionally, for violations deemed both intentional and severe, jail time may accompany sanctions


Enacted back in 2003, The Act on the Protection of Personal Information (APPI) was one of the first data protection laws in Asia. It has been dramatically amended since that time.

In 2019, Japan earned an “adequacy decision” from the European Commission — they determined that the law provides an equal amount of protection as the GDPR.

Similar to the GDPR, there is no small business exclusion. Financial penalties for violation max out at the equivalent of less than one million dollars, but may also include imprisonment.


Turkey’s Law on the Protection of Personal Data (LPPD) defines four additional legal bases for collecting personal data than the GDPR, for a total of ten. And while both the GDPR and LPPD require reporting data breaches to relevant authorities, the LPPD demands only a “reasonable” timeline, versus the GDPR’s stricter 72 hours.

Korea, Switzerland, the United Kingdom, and New Zealand have also received an adequacy decision from the European Commission, indicating that their data privacy laws are at least as strong as Europe’s.

Ukraine and Indonesia have both drafted data privacy legislation, but neither country has enacted it yet.

If a country has no dedicated or recent data privacy law, that doesn’t mean that it has no laws protecting personal data privacy. Rather, it means that online activities are subject to “offline” legislation.

However, because of the vast differences in scale and approach to data collection in person and online, laws that don’t specifically address the digital landscape tend to be less powerful than those that only protect offline privacy. As a result, it is unlikely that they can offer as much protection to citizens.

What can you do to protect data privacy?

Protect yourself

One of the best ways to keep your data private is to limit the private information you share. In other words, before disclosing your private information to a website or app, stop to question whether you have a reason to do so. Be suspicious of requested permissions that seem irrelevant to the product or service you are using.

Assuming you don’t have a spare 250 hours a year to comb terms and conditions for every web service you use, you should only provide private information to apps and websites that you trust.

Finally, enhancing your cybersecurity can protect privacy — like putting a lock on a closed door. Excellent cyber hygiene can reduce the risk and mitigate the damage of having your data privacy violated through malware, spyware, phishing, and other types of cyberattacks.

Here are some simple steps you can take to keep your data private.

Protect your business

For organizations, the same data privacy principles discussed above apply but on an even larger scale. Why? Organizations handle more data and have a larger attack surface because of complex IT infrastructures. And since data is currency for cybercriminals, businesses are top targets — increasing the risk that any vulnerability will be promptly exploited.

For that reason, it might be helpful for businesses and organizations to consider addressing data privacy with a more holistic approach to information security.

A good place to start is by addressing the three core tenets of data security: The CIA Triad stands for confidentiality, integrity, and availability.

  • Confidentiality is similar to privacy. It ensures that intruders or unauthorized members are kept out of your data.

  • Integrity protects the data itself from being altered or damaged.

  • Finally, availability ensures the data is not destroyed and that those who need access can get it.

How NordLocker can help

If the idea of a stranger rifling through your most private notes, documents, and photos gives you the heebie-jeebies, NordLocker can help you protect your personal data privacy. At work, NordLocker for business can help protect both the confidentiality and availability of your data.

NordLocker is a private vault with secure cloud storage for your data. It encrypts your data in an instant before syncing and backing it up — making your files readily available to you but out of reach to intruders.

With NordLocker, you are the owner of your data and no one, including us, can get access. That means your files are protected from cybercriminals, surveillance, malware (including ransomware), and anyone you don’t give access.

The software is backed by the highest global security standards and uses:

With NordLocker, you can store and encrypt files of any type without being slowed down: simply drag and drop. Once your files are added, you remain in control, with the option to:

  • Save them locally or in your secure cloud storage

  • Organize files into lockers and folders

  • Share them privately whenever you like

  • Get access from anywhere

In addition, NordLocker for business provides access to your entire organization via a handy Admin Panel and the ability to manage it with customizable Groups, permissions, and sharing settings.

Elisa Armstrong

Elisa Armstrong

Verified author

Elisa’s all about languages. She speaks five, loves stand-up comedy, and is writing her first novel. Besides her extensive knowledge of cybersecurity, she’s an expert in persuasion techniques hackers use and strives to teach people how to avoid online scams.