Data privacy: discussing compliance and obligations
C1
90 min
Premium
1
Think about these questions before reading. Share your ideas with a partner.
To what extent do you think the convenience offered by personalized services justifies the amount of personal data we surrender to tech companies?
Reflecting on your online experiences, can you recall a time when a company's request for your data felt excessive or made you uneasy? What was the situation?
Whose responsibility is it to protect user data – the individual, the company, or the government? How should this responsibility be divided?
2
A Compliance Concern
Listen to the dialogue. Notice how the vocabulary and grammar from the lesson are used.
3
Answer these questions in your own words. Support your answers with evidence from the article.
01What is Emma's primary concern regarding the new feature's data handling?
Sample answerHer primary concern is that the type of user data being collected and its storage might constitute a 'legal grey area', potentially causing the company to violate privacy laws.
02What principle does Marco say they followed, and why does Emma believe it's not enough?
Sample answerMarco says they followed standard data minimisation principles. However, Emma believes this is insufficient because she has reservations about the justification for retaining the data from a compliance standpoint.
03What is Emma's concrete recommendation for how the team should proceed?
Sample answerShe recommends that they 'run this by the legal team' for a professional opinion before moving forward with the feature.
04Beyond legal trouble, what other significant negative consequence of a data privacy failure does Marco mention?
Sample answerMarco mentions that the 'reputational damage' to the company would be significant if they were to handle the user data incorrectly.
4
Vocabulary
Vocabulary
These expressions will help you communicate more naturally about this topic.
Examples
To fall foul of (a rule/law) — to get into trouble for breaking a rule or law.
Usage note: This idiom is common when discussing regulations. It's a slightly less formal way to say 'to breach' or 'to violate'. For example, 'The new marketing campaign fell foul of data protection laws.'
A legal grey area — a situation where the rules or laws are not clearly defined.
Usage note: This phrase is useful for talking about ambiguity in regulations, especially concerning new technology. For example, 'The use of AI in data processing is still a legal grey area in some jurisdictions.'
To err on the side of caution — to be more careful than is strictly necessary in order to avoid a potential problem.
Usage note: This is a common phrase in business and professional contexts to justify a conservative approach. For example, 'When it comes to user consent, it's always best to err on the side of caution.'
Data breach — an incident where sensitive or confidential information is accessed without permission.
Usage note: This is a standard technical and legal term. Common collocations include 'suffer a data breach', 'prevent a data breach', and 'report a data breach'.
To be held accountable for (something) — to be responsible for your actions and expect to be criticized or punished for them.
Usage note: This formal phrase emphasizes responsibility and consequences, and is often used in the passive voice, which connects to the lesson's grammar focus. For example, 'Under GDPR, data controllers are held accountable for any misuse of personal information.'
5
Legal and compliance collocations
Data privacy discussions often use specific word combinations. Test your knowledge of these common collocations.
Match the beginning of each phrase on the left with its correct ending on the right.
Drag or click to match
Definitions
6
Grammar: Nominalization in formal contexts
Grammar
Nominalization is the process of turning verbs or adjectives into nouns. This grammatical structure is extremely common in formal, legal, and business contexts, such as discussions about data privacy, as it creates a more abstract, objective, and authoritative tone.
Examples
The implementation of these new data protection protocols requires the verification of all user credentials.
Here, the verbs 'implement' and 'verify' are transformed into nouns, shifting the focus from the action itself to the concept as a whole.
Instead of saying 'The company failed to comply with the law,' a legal document might state: 'The company's failure to ensure legal compliance resulted in penalties.'
This technique allows complex actions to be presented as single noun phrases, which can then become the subject or object of a sentence.
A thorough investigation into the data breach led to the discovery of significant security vulnerabilities.
Using nominalization helps to create dense, information-rich sentences typical of formal reports and legal analysis.
Key points
Turn verbs (e.g., 'investigate') and adjectives (e.g., 'secure') into nouns ('investigation', 'security').
Use this structure to sound more formal, objective, and academic, especially in writing.
Avoid overuse in everyday speech, as it can sound unnatural or overly bureaucratic.
7
Find the mistake
Read the sentences below, which are all related to data privacy and compliance.
Each sentence contains one error related to grammar or vocabulary. Find and correct it.
01The company will be held accountability for any misuse of customer data.
Corrected version
The company will be held accountability accountable for any misuse of customer data.
02Our new data processing protocols are designed to ensure compliance to GDPR.
Corrected version
Our new data processing protocols are designed to ensure compliance to with GDPR.
03Under the new legislation, stricter data protection measures are being mandate by the government.
Corrected version
Under the new legislation, stricter data protection measures are being mandate mandated by the government.
04We cannot process this type of sensitive data without first obtaining expressive consent from the user.
Corrected version
We cannot process this type of sensitive data without first obtaining expressive explicit consent from the user.
05If we launch this feature without a proper privacy notice, we risk falling foul with the regulators.
Corrected version
If we launch this feature without a proper privacy notice, we risk falling foul with of the regulators.
06The use of AI for automated decision-making remain a significant legal grey area.
Corrected version
The use of AI for automated decision-making remain remains a significant legal grey area.
07The financial penaltys for non-compliance can be substantial, reaching up to 4% of global turnover.
Corrected version
The financial penaltys penalties for non-compliance can be substantial, reaching up to 4% of global turnover.
8
Words to take with you
Vocabulary
These expressions are not in the article but will help you discuss this topic more fluently.
Examples
To get one's house in order — to organize your personal or business affairs efficiently, often in preparation for a specific event or change.
Use this idiom to talk about the preparatory work a company needs to do before a new regulation comes into effect. Example: 'With the new privacy law looming, we really need to get our house in order regarding data storage.'
A watertight policy — a policy, plan, or argument that has been so carefully prepared that it has no weaknesses or flaws.
This is a strong collocation used to describe an ideal state of compliance. It's perfect for discussing legal documents or internal procedures. Common collocations: 'watertight argument', 'watertight alibi', 'watertight contract'.
To be subject to scrutiny — to be carefully and thoroughly examined or investigated by others.
This passive phrase is common in formal and business contexts. It emphasizes that the examination is being done by an external body, like a regulator or the public. Example: 'Any company handling user data is now subject to intense public scrutiny.'
Data anonymization — the process of removing personally identifiable information from data sets, so that the individuals described remain anonymous.
This is a key technical term in data privacy. Use it when discussing methods for protecting user privacy while still being able to analyse data. The verb form is 'to anonymize data'.
Due diligence — the action of taking reasonable care to avoid causing harm or breaking a law, especially by investigating a matter before making a decision.
While it has a specific legal meaning, it's widely used in business to mean 'doing your homework' or conducting a thorough investigation. Example: 'Before launching the new feature, the legal team performed due diligence to ensure it was compliant.'
9
Complete the sentences with words from the box. One word is extra.
Word bank
01The company faced significant fines after a massive data exposed the personal details of millions of customers.
02Under the new regulations, the data protection officer will be held personally for any compliance failures.
03Without explicit user consent for collecting location data, the app is likely to fall of GDPR.
04Given the ambiguity of the new law, our legal team advised us to err on the side of when handling user data.
05The use of AI for automated decision-making without human oversight is still a legal area in many jurisdictions.
10
Useful phrases: discussing data privacy in a product meeting
Vocabulary
This situation is common in tech and product development. In a meeting, you need to raise concerns about data privacy without stopping progress or sounding negative. These phrases will help you sound constructive and professional.
Examples
I'd like to flag a potential concern regarding how we're handling user data here. — Use this to politely introduce a problem or question.
Register: Neutral/Formal. This is a great way to open a discussion about a potential issue without being accusatory. It signals you want to discuss, not just criticize.
Could you walk me through the data minimisation principles we've applied? — This is a specific way to ask for clarification on compliance.
Register: Formal. Use this when you want to understand the technical or legal justification for a feature. It shows you're knowledgeable and focuses the conversation on established principles.
I have some reservations about that approach from a compliance standpoint. — A polite but firm way to express disagreement or doubt.
Register: Formal. This is softer than saying 'I disagree' or 'That's wrong'. It frames your objection in a professional, non-personal way, focusing on the rules.
My recommendation would be to run this by the legal team before we proceed. — Use this to suggest a clear, cautious next step.
Register: Formal. This phrase shows you are solution-oriented. 'Run this by someone' is a common, slightly less formal alternative to 'consult'.
I'm fully on board with that. The reputational damage alone would be significant. — A way to strongly agree with a cautious suggestion and add weight to it.
Register: Neutral. 'I'm on board' is a common business idiom for agreement. Adding the reason ('reputational damage') strengthens your position and shows you're thinking about the bigger picture.
So, the consensus is that we need to tread very carefully here. — Use this to summarize the group's feeling and confirm the need for caution.
Register: Neutral/Formal. This is a good way to wrap up a point in the discussion. 'Tread carefully' is an idiom that means to proceed with caution.
11
The anonymization paradox
Data privacy isn't just about preventing hacks. Sometimes, the risk comes from data that companies willingly share, believing it to be safe.
Read the passage below, then answer the comprehension questions.
The promise of 'anonymized' data is seductive for researchers and tech companies alike. By stripping datasets of personally identifiable information, organizations believe they can share valuable insights without compromising privacy. However, the process of de-identification is far from foolproof. Sophisticated re-identification techniques can often reverse the process, linking anonymized data points back to specific individuals. This creates a significant legal grey area. While a company may not have intended for a data breach to occur, the re-identification of individuals from a released dataset could see them fall foul of strict privacy laws. Consequently, many legal advisors now suggest that organizations err on the side of caution, treating even pseudonymized data with the same stringent controls as raw personal data. The failure to do so could result in severe penalties, with executives being held accountable for a lack of foresight.
01According to the text, what is the main problem with data that has been 'anonymized'?
Sample answerThe main problem is that sophisticated techniques can often reverse the anonymization process, linking the data back to specific people.
02Why does the passage suggest that this issue creates a 'legal grey area'?
Sample answerIt's a legal grey area because a company might not intend for a data breach, but could still violate privacy laws if the data they release is later re-identified by third parties.
03What does the author imply about the sufficiency of traditional de-identification methods?
Sample answerThe author implies that traditional methods, like simply removing personal identifiers, are no longer sufficient to guarantee privacy due to advanced re-identification techniques.
04What course of action is recommended for companies handling pseudonymized data?
Sample answerIt is recommended that they err on the side of caution and apply the same strict controls to it as they would to raw, identifiable personal data.
12
Discuss these questions with a partner. Try to use vocabulary from the lesson.
When a massive data breach occurs, who should ultimately be held accountable – the company's leadership, the IT security team, or the users themselves? Justify your position.
Thinking about the legal framework in your own country, do you feel that companies generally err on the side of caution regarding data protection, or do they tend to operate in a legal grey area? Provide specific examples if you can.
As technology like AI and smart home devices becomes more integrated into our lives, what new ethical standards should be mandated to prevent companies from falling foul of public trust, even if they aren't breaking existing laws?