Businesses and organisations often view data protection as a regulatory burden, which requires more effort than there are benefits. Yes, it ensures the safety of personal data, but some may wonder: is it worth the mammoth undertaking that is involved in achieving compliance with data protection legislation? And how many times does one have to ask “do I need consent to process this personal data”?
Instead of going haywire over these questions or even worse, avoiding them in the hopes that your organisation may just be lucky enough to escape the unrelenting grasp that is data protection law, let us get into the heart of data protection and look into its importance beyond regulatory compliance, because in doing so, we may just find the answers to our questions.
Why data protection?
Now, you might think this is an easy one and that data protection is about protecting an individual’s data by ensuring there are mechanisms in place to prevent it from unauthorized and unlawful access – something along those lines anyway. Though this is largely true, it’s important we understand why we look to ensure the privacy, integrity and confidentiality of personal information.
Well, in short, it’s because in doing so, we are trying to protect the fundamental rights and freedoms of persons that are related to that data.
Data is immensely valuable, at times referred to as the new-age gold or, the new oil. And if the clichés don’t speak to you about how valuable data is, just remember that it can be used to help us understand and defeat disease and injury, anticipate and prevent crime, and develop empirically proven techniques and technologies for fostering human development and poverty reduction and much more.
But on the flip side, all this data can also lead to harmful intrusions and interferences with people’s private lives. It can give those who are in control of data a power over people in a potentially dangerous way for society and democracy.
Moreover, in recent decades, the ability to control the use of personal data has been recognised as an essential element to safeguarding other closely related rights, including freedom of expression, non-discrimination and the right to privacy. In some states and institutions, there have even been advancements towards the recognition of data protection as a distinct and separate human right. But whether as a component of the right to privacy or as a separate human right, strong and effective data protection also helps protect other human rights.
Recognising the undeniable risk personal data poses to individuals, a set of guiding principles were developed to ensure that personal data could be processed without violating human rights. This is what we now call data protection. By the early 1980s, these principles had been codified in two international texts: the OECD guidelines on privacy and transborder data flows and Convention 108. These guidelines have inspired many international, regional and nation regulations on privacy and data protection. Today, nearly all OECD countries have enacted privacy laws.
Privacy and data protections rights: two sides of the same coin?
The terms data protection and privacy are at times used interchangeably. But the right to privacy stretches beyond the use of personal information, it covers things like your right to determine your sexual orientation, your lifestyle, and your beliefs. This means that governments cannot do things like interfere in aspects of your life deemed separate from so-called public life, unless it is in accordance with the law and necessary in a democratic society.
The two concepts are, however, interrelated. This is because the way personal data is used can ultimately lead to a restriction on aspects of an individual’s personal life that are safeguarded under the right to privacy.
Without a legal framework underpinning the use of personal information, governments can conduct mass surveillance, paving the road for them to identify and target political opponents, for example, or people living with HIV/AIDs. In countries with political and ethnic tensions, the collection of information such as, sexual orientation, political opinion and beliefs can result in physical risks for the people involved.
Recognizing how personal data is vital to the safeguarding the right to privacy and all its nuances, in 1988, the UN Human Rights Committee for the first time recognised personal information as a part of the right to privacy, stating, “the gathering and holding of personal information on computers, data banks and other devices, whether by public authorities or private individuals or bodies, must be regulated by law”.
Over the past few decades, more states and international organisations began to recognise this interdependence, reaffirming that security of personal data is a key aspect of the right to privacy.
How data protection stops discrimination
Non-discrimination is a fundamental element of international human rights law. A useful definition of non-discrimination is contained in Article 1(1) of the International Labour Organization Convention n°111, which provides that discrimination includes: “Any distinction, exclusion or preference made on the basis of race, colour, sex, religion, political opinion, national extraction or social origin, which has the effect of nullifying or impairing equality of opportunity or treatment in the employment or occupation.”
Strong data protection ensures that the individual remains in control of information which could result in discrimination. It prevents individuals from being subjected to unequal treatment, disadvantage or harassment based on their personal characteristics.
It should be noted, however, that it is not just the existence of personal data that may result in discrimination, but also its use, particularly where individuals are profiled based on their personal information. Both state actors and private firms utilise profiling for various purposes, including for making decisions on how an individual should be treated, what services they are offered and under what conditions. But what happens when someone due to the possession of a specific trait, receives less favourable treatment when profiled. Bias is an element of the human thought process, so naturally data collected from humans and then fed into profiling software’s will also result in a skewed judgment.
Understanding that pre-existing biases in data collected from humans will be trained into the software, possibly leading to catastrophic results, both the EU’s GDPR and the UK GDPR, for example, gives all data subjects the right not to be subject to a decision based solely on automated processing, including profiling, which significantly affects them or produces legal effects concerning them.
Therefore, while efforts continue to try to de-bias data fed into profiling software, data protection legislation offers individuals a manner in which they can under their own steam reinforce their right to non-discrimination.
A critical element to freedom of expression in a digital environment?
Article 19 of the Universal Declaration of Human Rights, Article 19 of the International Covenant on Civil and Political Rights, as well as other regional human rights agreements, ensure the right to freedom of expression. The freedom to gather, exchange, and obtain information, ideas, and opinions in any media are all aspects of this right.
The rights to freedom of expression and access to information are critical to meaningful democratic participation and civic engagement. The inability to freely express oneself has a direct impact on democratic participation since it limits an individual’s engagement in political discussions and the capacity to influence others, especially during periods of political upheaval, as well as limiting engagement in civic spaces.
In some situations, the ability to remain anonymous when expressing particular types of speech, thoughts, or other expression can be crucial. This is because sometimes people may only express themselves freely online where they can remain nameless, especially in situations where making certain opinions can result in retaliation or persecution.
Therefore, like encryption, anonymity creates a safe space for people to express themselves and freely. Yet, in some parts of the word it has becoming increasingly difficult to remain anonymous and express thoughts freely due to invasive data collection policies and technologies.
For instance, under the guise of anti-cybercrime, anti-fraud and anti-terrorism efforts, at least 50 African countries have enacted laws that require individuals to register their personal information with network providers before they activate a SIM card, leading to the creation of extensive databases of user information, and eradicating the potential for any anonymity of online communications. 
International organisations and human rights activists have long voiced their concerns about whether these policies deter individuals from exercising their right to freedom of expression for fear of legal consequences. Often, lack of data protection legislation is cited as the reason why governments can cross-reference SIM users’ information with other private and public databases and create detailed profiles of people. This is because with stronger data protection the civil society can push back against these invasive laws and hold governments accountable where they deem their activities disproportional or unnecessary.
Fundamentally, data protection law is about striking a careful balance between the rights of the individual and the rights of organisations, the government, and society. It establishes a human-rights-based-approach to the collection, storage, use, and dissemination of personal data. Therefore, next time you find yourself asking ‘why am I completing a data protection impact assessment?’, remember that these positive obligations placed on organisations and state actors are there to protect only the most fundamental rights, that do not start nor begin with data protection, but are inherent to every human life.