Other Articles

Personal Data

Definition

Personal data refers to any information that can identify an individual, either directly or indirectly.

This includes both:

• Direct identifiers (e.g., name, email)
• Indirect identifiers (e.g., IP address, device ID)

Even when a single data point does not identify an individual, it becomes personal data when combined with other attributes.

Why It Matters

Personal data forms the foundation of all privacy obligations. Without identifying it correctly:

• Data may remain unprotected
• Compliance gaps may arise
• Risk exposure increases

Organizations must ensure complete visibility of where personal data exists across systems.

Implementation in Kawach

In Kawach, personal data is identified and managed through:

• Data Asset Registration
  Each data field (e.g., email, IP address) is registered as a data asset
• System and Column-Level Mapping
  Personal data is linked to:
  • Source systems
  • Database tables
  • Specific columns
• Data Catalog
  Provides a centralized inventory of all personal data across systems

This ensures that personal data is not abstract but fully traceable and governed at a granular level.

Personally Identifiable Information (PII)

Definition

PII is a subset of personal data that can directly identify an individual.
It is further classified based on sensitivity to ensure appropriate controls.

PII Classification Structure

Why It Matters

Proper PII classification enables:

• Risk-based control implementation
• Stronger protection for sensitive data
• Accurate privacy impact assessments
• Efficient handling of user rights

Misclassification can lead to under-protection or unnecessary controls.

Implementation in Kawach

• System PII Tag
  • Automatically detects whether data is PII or Non-PII
  • Provides confidence levels
• Manual PII Tag
  • Allows contextual classification based on business understanding
  • Ensures regulatory accuracy
• Sensitivity Mapping
  • Data is categorized as Low, Medium, or High risk

This dual-layer approach ensures accuracy, flexibility, and compliance alignment.

Data Subject

Definition

A data subject is the individual whose personal data is being collected, processed, or stored.

This includes:

• Customers
• Employees
• Users
• Visitors

Why It Matters

All privacy regulations are designed to protect the rights of the data subject. Organizations must be able to:

• Identify whose data is being processed
• Respond to access or deletion requests
• Ensure transparency in data usage

Without proper mapping, fulfilling these obligations becomes difficult.

Implementation in Kawach

Kawach links data subjects to processing activities through:

• Business Process Mapping
  Connects data to specific use cases (e.g., employee management, visitor tracking)
• Data Asset Relationships
  Maps which data fields belong to which category of individuals
• DSAR Integration
  Enables identification and retrieval of data related to a specific individual

This ensures that data subject rights can be efficiently managed and fulfilled.

Controller vs Processor

Definition

These roles define who controls the data and who processes it.

Data Controller

The controller is the entity that:

• Decides why data is collected
• Defines how it will be used
• Determines retention and sharing
• Holds primary accountability for compliance

The controller holds primary accountability for compliance.

Data Processor

The processor:

• Processes data on behalf of the controller
• Follows defined instructions
• Does not decide the purpose of processing

Why It Matters

Clear role definition is critical to:

• Establish accountability
• Manage third-party risks
• Ensure contractual and regulatory compliance

Confusion between these roles leads to governance gaps and compliance failures.

Implementation in Kawach

Kawach enables structured role mapping through:

• Data Owner Assignment: Assigns responsibility for each data asset.
• System and Vendor Mapping: Identifies where data is processed internally and externally.
• Access Control and Responsibility Tracking: Ensures only authorized roles interact with data.
• Audit-Ready Documentation: Maintains clear records of ownership and processing responsibility.

This ensures that responsibility is not assumed but clearly defined and traceable.

Governance Value of These Concepts

When implemented correctly, these concepts provide:

• Clear identification of personal and sensitive data
• Structured classification and risk visibility
• Defined ownership and accountability
• Efficient handling of user rights
• Strong alignment with regulatory requirements
• Improved audit readiness

They transform data from scattered information into controlled, governed, and compliant assets.

Conclusion

Understanding key privacy concepts is not just foundational knowledge—it is essential for building a structured and enforceable data governance framework.

When these concepts are implemented through a system like Kawach:

• Data becomes fully visible and traceable
• Risks are identified and managed proactively
• Ownership is clearly defined
• Compliance becomes measurable and demonstrable

This approach ensures that personal data is not only stored, but accurately classified, responsibly managed, and continuously governed throughout its lifecycle.