The Official Blog of Acuity Knowledge Partners

Data – the oil of the 21st century and the need to protect it

Published on March 13, 2024 by Devika Jain and Akash


Our connection with the internet, whether intentional or not, means that most of our personal information such as name, age, location, finances and health is available out there. Such data is, as Clive Humby referred to it in 2006, the new oil. He meant that data, like oil, is not useful in its raw form; it needs to be refined, processed and turned into something useful[1]. Data in the 21st century is what oil was in the Industrial Age, i.e., economies will now be run by data and those who manage this data efficiently will be the ones who succeed.

Why do we need data?

Organisations use data to identify potential customers and understand their requirements and preferences. Data helps in research for business development and making critical business decisions.

Data on organisations’ servers or received through third-party servers is also the primary source for training artificial intelligence (AI), which we rely on for daily activities such as social media, banking, shopping and entertainment. Service providers process significant amounts of personal data to customise results for users.

Why do we need to protect it?

Access to data by someone other than the intended recipient could cause irreparable financial or reputational damage to an individual or organisation.

Data protection and compliance should be a priority, to prevent data breaches such as the following[2]:

  • Yahoo’s data leak in August 2013 impacted around 3bn accounts globally.

  • India's tie with Alibaba, Aadhaar's, data breach (of identification and biometric information such as photos, names, addresses, email IDs, phone numbers, retina scans and fingerprints) in January 2018 impacted 1.1bn Indians. Aadhaar is a 12-digit individual identification number issued by the Unique Identification Authority of India on behalf of the government of India. The breach had a devastating impact as bank details were vulnerable.

How can we protect it?

Every country has experienced the devastating effects of unauthorised access to data and has subsequently implemented laws, such as the Personal Data Protection Act 2012, to protect it.

The EU and the US were the pioneers in drafting and implementing data protection laws:

  • The Health Insurance Portability and Accountability Act (HIPAA): The HIPAA is a United States Act of Congress that came into effect on 21 August 1996. The HIPAA covers protected health information (PHI) such as medical treatment and medicines, fingerprints, retina scans and medical record numbers. It ensures that only the patient or a person with legal authority to make decisions on behalf of the patient and an authorised representative can access the patient’s medical information. An “authorised representative” refers to the patient’s guardian or any person acting in the place of a parent and who is legally authorised to take healthcare decisions on behalf of a minor or such person to act on behalf of the decedent or the estate[3]. Medical information or healthcare data is protected by healthcare and insurance agencies. The Act prohibits these organisations from disclosing this protected data to anyone except the patient or their authorised representative.

  • The General Data Protection Regulation (GDPR): The EU’s GDPR came into effect on 25 May 2018 and applies to companies in the EU that collect data. The GDPR protects natural persons in terms of the movement of personal data and provides a framework for the movement of this data within and outside the EU.

    The GDPR also provides guidelines on how to transfer such data to a developing country and ensures GDPR-like protection to personal data outside the EU. It is defined as a regulation and not a directive, which means that it is directly binding and applicable. A violation could result in a fine of 4% of a company’s global turnover for the previous year or EUR20m, whichever is greater.

  • The Gramm-Leach-Bliley Act (GLBA): Also known as the Financial Services Modernization Act of 1999, this Act aims to limit the extent to which financial institutions can control personal data in the US. The Act requires these institutions to explain to their customers how they share information and customers’ right to opt out[4].


Data is the driving force of this century, playing a critical role in understanding trends and keeping up with rapidly changing markets and preferences. Although data can simplify our lives in many ways, storing it securely is a challenge, as a breach could cause irreparable damage. Adherence to data privacy measures is one step towards ensuring data protection. Western countries were the first to identify this and draft laws and policies for this; a number of Asian and African countries seem to be lagging behind[5].

How Acuity Knowledge Partners can help

We are experienced in data privacy and cybersecurity laws and help clients with the following:

  • Being prepared for data breaches and incident response

  • Data mapping, gap assessment and system inventory

  • Creating data privacy contract clauses

  • Data privacy impact assessments (DPIAs)

  • Data privacy management

  • Data privacy policies and procedures

  • Regulatory response to data privacy (GDPR, CCPA, HIPAA)

  • Data-sharing agreements with third parties

  • Privacy by design and privacy by default

We conduct DPIAs, which are required each time an organisation starts a new project likely to involve high risk or personal information. Complying with these laws is vital in Europe, as the GDPR imposes hefty fines on organisations that fail to do so – up to EUR20m (c.USD20.4m) or 4% of total turnover for the preceding financial year, whichever is greater.


About the Authors

Devika has been involved in executing various legal support services tasks independently including drafting, reviewing and legal document formatting in Acuity and has 13 years of experience in providing end to end paralegal services to clients worldwide.

She has been part of various projects related to contract lifecycle management, abstraction and summarization and e-discovery services covering US banking & financial companies.

Akash (Associate) has over 4 years of experience in providing legal outsourcing services to clients based in the US and UK and managed multi-million projects related to He has experience in contract abstraction projects and specialises in using various Conga platforms for that. Over his span, he has also led teams for contract review and abstraction for US and UK companies in investment and banking, software and computer data storage.
