Business data vs personal data: what’s the difference?
Does business data count as personal data under the GDPR?
Data ownership can be a hazy concept for some online businesses. For example, users will always own their names and addresses, but who owns the data about their activity on the websites they use — is it the owner of the website, or the users who comprise the data?
If your app or website also collects personal data from users, it might not always be clear who owns this data, and thus who is responsible for protecting it. But before we can begin to answer this question, let’s get clear on what “ownership” really means.
According to Techopedia, data ownership is defined as:
“the act of having legal rights and complete control over a single piece or set of data elements.”
These legal rights include creating, editing, modifying, sharing and controlling access to the data, as well as the ability to delegate, share or transfer these rights to a third party.
At the time of this article, there is no catch-all legislation around data ownership. However, laws like the GDPR are starting to more clearly define ownership and protect the rights that individuals have over their personal data.
The GDPR begins by defining personal data as:
any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
In practice, this means information like names, email addresses, phone numbers, location data, and photos — as long as they can identify an individual in some way — all count as personal information.
The laws state that “data subjects” — i.e. your customers — will always maintain ownership over any personal data they share with you. To give data subjects more control over their privacy, the GDPR prescribes the following rights (which your business may need to comply with):
In the past, many organisations have taken advantage of the gray areas surrounding data ownership. As a result, consumers may have put their privacy at risk by blindly consenting to terms of service agreements that increasingly encroach on their rights.
An infamous example is FaceApp — an app where users upload selfies and edit them to change gender or to look older or younger. Following its initial viral success, users discovered that the terms of service they had agreed to granted the company “irrevocable” access to use their personal data in a multitude of ways.
This was particularly concerning to privacy advocates, as the app developers now had access to the biometric data of thousands of people. As a user of the app, you’d still own your photo and personal details, but by agreeing to their terms of service, you agreed to give the app’s parent company a license to use your data for any purpose they wish.
We now live in a post-GDPR world, a world of growing privacy awareness in an age of increasingly sophisticated technology. While the legal intricacies around data ownership can be tricky to navigate, businesses are now more than ever held up to scrutiny on the information they collect and how responsibly they protect it.
Communicating openly with your customers and putting their privacy at the forefront of your app or website isn’t just respectful practice, it’s a proactive start in protecting their data (and your business).