Data and information might seem synonymous, but from a business perspective, they need to be treated in different ways. The relative sensitivity of the data and information you collect can have a huge impact on how you store it, what you can do with it, and how long you can keep it for.

Understanding the difference between the two is important to handle them properly, and provide the security and transparency that customers and clients increasingly expect. Here’s a rundown of the differences between information and data, and what your business needs to know to comply with data protection laws.

What’s the difference between information and data?

The key difference between data and information is that data is a part, and information is the whole. An example of data might be a large spreadsheet filled with your customers’ dates of birth. This is useful data to find out what your demographics are, but it doesn’t tell you anything without processing it in some way, or comparing it to other data.

The use of data is widespread, and vital to how many businesses improve their services, and hone in on their target markets. When data is processed or presented together for these purposes, it becomes information. If you were to add all of those customer ages together and use them to calculate the average age of your customer base, it would lose its anonymity and become information – allowing you to use it to make informed decisions.

When is data personally identifiable?

Data can become personally identifiable when multiple different datasets are correlated together, becoming a form of information. If you store someone’s name and date of birth together, for instance, this might be enough to identify that person, and tie them back to your business. A malicious actor who accesses this information could use it to track down and contact that person, or even assume their identity.

Data such as names, personal identification numbers, street addresses, biometric data, and telephone numbers can all be personally identifiable even in the absence of correlatory data. This information should be treated with the utmost care under the UK Data Protection Act and parallel GDPR regulations. In simple terms, this means storing and accessing it securely, and only keeping it for as long as is necessary.

Some data, such as someone’s date of birth, religion, or race, is not enough by itself to identify a person. However, the sensitivity of this data means it should still be treated as private information. Where it is legally collected, such data should be anonymised to remove any additional data points that could make it personally identifiable.

What are the dangers of a data breach?

Data breaches can happen anytime there is a lapse in your cybersecurity protocols. This doesn’t just include things like where the data is stored or how it is encrypted, but the way you and your employees behave on a day-to-day basis. Something as innocuous as an insufficiently complex password, losing a USB drive or using a public WiFi connection could all potentially compromise customer information.

A breach of a person’s individually identifiable information could be very harmful. It could result in the person having their identity stolen, having their bank accounts compromised, being blackmailed, or having sensitive information about them released. Such a breach would also be damaging to your company’s reputation, and could even result in a fine from a data protection regulator.

Losing employee information is not only a breach in their privacy, but also a sure-fire way to destroy their trust. It will likely cause a loss in productivity, and for individuals to question their loyalty to the business, particularly given the highly competitive jobs market of today. Confidentiality builds loyalty between employer and employee, and company owners have an obligation to keep staff information secure.

How to protect information and data

When dealing with sensitive and personal information, you should:

• Only collect and share when necessary. The Data Protection Act and GDPR (which it inherited) both stipulate that data must only be collected for a justifiable reason, and that the data collected should be limited to what’s necessary for that reason. This will limit the impact of any breach, and make it easier to catalogue and protect.
• Use strong passwords and two-factor authentication. Password security is the biggest culprit in data breaches, thanks to many people’s habit of using the same password or very simple passwords for critical user accounts. Using long passphrases or an enterprise password manager solution are both good solutions to this problem.
• Don’t use accounts on personal devices. Accessing accounts containing user data from devices that haven’t been secured by your IT staff runs the risk of malware being present, or other issues which may compromise the security of those accounts. Customer and employee data should only exist in a closed system managed by qualified IT experts.
• Keeping data safe is everyone’s responsibility. Data security isn’t just down to the IT department or your IT services provider, but to each individual who works with IT (which in a modern workplace is almost everyone!). Regular training can help to instil good IT security practices, while software can make it easier to apply security protocols.

—

Sota are specialists in data protection. If you are dealing with more complex issues, or would simply like more information, please don’t hesitate to get in touch.