Data privacy and data security are often used interchangeably, but they are different. Data privacy is about the governance of personal information. It is typically defined by privacy legislation, which gives consumers and individuals rights over how companies collect, use and disclose their personal information.
Data security specifies the rules and best practices a company should follow to ensure the personal information it stores and uses within its systems is kept safe. Most of this requires technical safeguards (access control, encryption, monitoring and the like) that minimize the chance of information being leaked or data being breached from the system.
When a company collects personal information, the individual must give consent or permission for that company to collect, use and disclose the information. Generally speaking, there are two types of consent an organization may obtain:
1) Explicit Consent (also known as express consent). In this case there must be clear, documented consent, given verbally, in writing, or through another recorded form of attestation (for example, video or audio). The purpose for which the data will be used must be disclosed at that time. A common example: an individual subscribes to an email newsletter. After submitting their details, they receive an email containing a link they must click to provide explicit consent.
2) Implicit Consent (also known as indirect, implied or inferred consent). Here consent is inferred from the individual's actions: they voluntarily provide information to a company, which may then collect and use it for the specific purpose(s) stated at the time. For example, a retailer that collects a customer's email address may rely on implicit consent to send that customer relevant offers.
Under the EU's General Data Protection Regulation (GDPR), widely regarded as the most stringent privacy legislation, consent must be freely given, must relate to a specific purpose, and the individual must fully understand why the data is being collected. The GDPR also requires consent to be unambiguous and indicated by a clear affirmative action, so the inferred form of consent described above generally does not meet its bar; a pre-ticked box or mere inactivity does not count.
A company must make withdrawing consent or opting out as easy for the individual as granting consent was in the first place.