Skip to main content
data privacyGDPRCCPAPIIdata protectionprivacy compliancedata governance

What Is Data Privacy?

Data privacy refers to the rights of individuals to control how their personal information — name, location, health data, financial records, behavioral data, and any other information that can identify them — is collected, stored, used, shared, and deleted. At the organizational level, data privacy is the set of policies, technical controls, and governance practices that protect individual privacy rights and comply with the legal frameworks that enforce them.

Data privacy has moved from a compliance footnote to a boardroom priority, driven by the proliferation of personal data in digital systems, high-profile breaches and misuse cases, and an increasingly strict global regulatory environment. GDPR fines have exceeded €4 billion since 2018. The California Consumer Privacy Act has spawned similar laws in more than 20 US states. Privacy is no longer an issue for the legal team alone — it is an engineering, data architecture, and governance discipline.

TL;DR

Data privacy is the right of individuals to control their personal data, enforced through laws like GDPR and CCPA. For organizations, it requires knowing what personal data exists (via a data catalog with classification), where it flows (lineage), who can access it (access control), and how to respond to rights requests. Privacy compliance is impossible without the data governance infrastructure to answer these questions.

Data Privacy Defined

Data privacy is distinct but related to two neighboring concepts:

  • Data privacy vs data security — Security protects data from unauthorized access (breaches, attacks). Privacy governs authorized use — ensuring that even people who legitimately access data use it only for purposes the individual consented to. A company can have excellent security but poor privacy practices.
  • Data privacy vs data protection — In legal usage, "data protection" is often the European term for what the US calls "data privacy." GDPR is formally a "data protection" regulation. The terms are functionally synonymous in most business contexts.

Personal data (also called personally identifiable information, or PII) is the central concept. Regulations define it broadly: any information that can identify a living individual, directly (name, email, national ID) or indirectly (IP address combined with timestamp, device fingerprint, location data precise enough to identify a home). Pseudonymized data — where direct identifiers are replaced with random codes — may still be personal data if re-identification is possible.

Key Privacy Regulations

GDPR (EU General Data Protection Regulation)

In force since May 2018. Applies to any organization that processes personal data of EU residents, regardless of where the organization is based. Key requirements: lawful basis for processing, purpose limitation, data minimization, accuracy, storage limitation, individual rights (access, erasure, portability, objection), privacy by design, and accountability documentation. Maximum fine: €20 million or 4% of global annual turnover, whichever is higher.

CCPA / CPRA (California Consumer Privacy Act / Privacy Rights Act)

California's privacy law (effective 2020, strengthened by CPRA in 2023) gives California residents rights to know what data is collected, opt out of sale, delete data, and correct inaccurate data. Less prescriptive than GDPR on legal bases for processing, but significant in scope — California's GDP makes it effectively a US national standard for any company doing business there.

Sector-Specific Regulations

HIPAA (US health data), COPPA (US children's data), PCI-DSS (payment card data), SOX (financial records), and many others impose privacy and data handling requirements on specific categories of sensitive data. Multinational organizations must map their data against all applicable frameworks — a task that requires knowing what data they have and where it lives.

Core Privacy Principles

Despite their differences, most privacy regulations share a common set of principles:

  1. Lawful basis — Processing must have a legal basis: consent, contract performance, legal obligation, vital interests, public task, or legitimate interests. "We collected the data, so we can use it" is not a legal basis.
  2. Purpose limitation — Data collected for one purpose cannot be freely repurposed. Marketing data cannot be used for employment screening without additional legal basis.
  3. Data minimization — Collect only what you need. Storing excess personal data increases breach risk and compliance burden with no corresponding value.
  4. Storage limitation — Personal data should not be retained longer than necessary. Organizations need documented retention policies and technical controls to enforce them.
  5. Individual rights — Individuals have rights to access their data, correct it, delete it (where applicable), and understand automated decisions made about them. Organizations need processes and systems to respond to these requests within regulatory time limits (GDPR: one month).
Data Privacy — Compliance Capabilities DATA PRIVACY — COMPLIANCE CAPABILITIES Regulator Asks: What personal data do you have, where, and who can access it? PII Discovery Scan all systems for personal data Catalog & classify Classification PII · Sensitive Health · Financial Tag in catalog Access Control Role-based Need-to-know Audit logged Rights Requests Access · Erase Correct · Port 30-day SLA Retention & Deletion Retention policy Auto-purge Audit trail Data Governance Enables Privacy Compliance Data catalog (where is the data) · Classification (what type of data) · Lineage (where does it flow) Ownership (who is accountable) · Access control (who can see it) · Quality (is it accurate) GDPR Key Obligations Lawful basis · Consent · DPO · DPIA · Breach notification 72h CCPA / CPRA Key Obligations Know · Delete · Opt-out · Correct · Sensitive data restrictions
Click to enlarge

Technical Privacy Controls

Privacy compliance requires technical controls that enforce privacy policies at the data layer:

  • Data classification and tagging — Automatically identifying and labeling personal data fields (name, email, SSN, health data) across all datasets. Without classification, organizations don't know where their personal data is, making rights requests impossible to fulfill efficiently.
  • Pseudonymization and anonymization — Replacing direct identifiers with pseudonyms (reversible) or statistically transforming data to prevent re-identification (irreversible anonymization). Properly anonymized data falls outside GDPR scope.
  • Column-level access control — Controlling access at the column level so that users who need aggregate analytics can see totals without seeing individual personal records. Often implemented via dynamic data masking.
  • Consent management — Systems that track what consent was given, when, for what purpose, and ensure that data processing stays within consent scope. Consent records must be auditable.
  • Automated data retention — Policies that automatically archive or delete personal data when its retention period expires, enforced by the data platform rather than relying on manual deletion processes.

Privacy by Design

Privacy by design — a principle in GDPR Article 25 — requires organizations to build privacy into systems and processes from the start, rather than bolting it on as an afterthought. Practically, this means:

  • Conducting Privacy Impact Assessments (PIAs) or Data Protection Impact Assessments (DPIAs) before deploying new systems that process personal data at scale
  • Defaulting to the minimum necessary data collection rather than collecting everything that might be useful
  • Designing data architecture so that personal data is isolated, classified, and controlled from day one of a system's life

Privacy retrofitted is privacy unreliable. Systems designed without privacy controls require significant rework to comply — and often have structural limitations that make full compliance impractical. Privacy engineered in from the start is more reliable, cheaper, and more auditable than privacy patched on after the fact.

Data Governance for Privacy

Privacy compliance at scale is a data governance problem. The fundamental privacy compliance questions — What personal data do we have? Where is it? Who can access it? How long are we keeping it? Can we respond to an erasure request? — are all questions that a mature data governance infrastructure can answer, and that an organization without it cannot.

The governance capabilities that privacy depends on:

  • Data catalog with personal data classification — Knowing where personal data lives across all systems is the prerequisite for every other privacy control. A data catalog with automated classification provides this inventory at scale.
  • Data lineage — Understanding how personal data flows from source through transformation to reporting systems is essential for responding to erasure requests (you can't delete data you don't know about) and for DPIA scoping.
  • Ownership and stewardship — Every personal data asset needs a defined owner accountable for its appropriate handling. Without clear data ownership, privacy accountability is diffuse and therefore absent.
  • Data quality — GDPR's accuracy principle requires that personal data be correct and kept up to date. Data quality monitoring for personal data fields is a privacy compliance requirement, not just a data engineering best practice.

Conclusion

Data privacy is one of the most consequential data governance challenges organizations face — both in terms of regulatory exposure and in terms of the fundamental trust that individuals place in organizations with their personal information. Getting privacy right requires treating it as an engineering and governance discipline: building the infrastructure to know what personal data exists, where it flows, who can access it, and how long it's retained. The organizations that invest in this infrastructure — data catalogs, classification, lineage, access control — are systematically better positioned for privacy compliance than those that approach it as a legal checkbox.

Table of contents

Data Privacy DefinedKey Privacy RegulationsCore Privacy PrinciplesTechnical Privacy ControlsPrivacy by DesignData Governance for Privacy
← Back to glossary

Related Terms

What Is Data Classification?

Data classification is the process of organizing data into categories based on sensitivity, type, or business value. Learn how automated classification powers data governance, GDPR compliance, and security.

Read more →

What Is Data Masking?

Data masking protects sensitive information by replacing it with realistic but fictional values. Learn static vs dynamic masking, common techniques, and how masking supports GDPR compliance and secure analytics.

Read more →

Data Governance

Learn what data governance is, how to build a framework, and why it's essential for AI-ready organizations.

Read more →

What Is a Data Catalog?

Learn what a data catalog is, how it works, and why it's the foundation of modern data governance.

Read more →

What Are Data Contracts?

Data contracts define agreements between data producers and consumers on schema, quality, and SLAs. Learn about ODCS and how they enable governed data products.

Read more →
Dawiso
Built with love for our users
Make Data Simple for Everyone.
Try Dawiso for free today and discover its ease of use firsthand.
Business Values
Shared understanding Data Sharing Consistent Financial Reporting AI Governance
Technical Features
Data & Analytics Catalog Business Glossary Interactive Data Lineage Data Products Unstructured Data Governance MCP (Model Context Protocol)
Platform
Connectors AI-Powered Features Enterprise Deployment
Resources
Blog Events Glossary Newsroom Case Studies Data Governance Guide Data Catalog Comparison
Company
About us Career We are hiring! Contact us Support Partners
Legal
Terms of use Privacy policy SaaS Agreement EU Project
SOC 2 Type II certified URS - Information Security Management system ISO/IEC 27018 certified G2 Reviews Gartner Peer Insights capterra badge
© Dawiso s.r.o. All rights reserved