Fighting Data Privacy Complexity with Simplicity

As technology advances at a lightning pace, the personal data life cycle is also expanding, creating greater concerns and risks for organizations as they deal with the data of individuals.

Meanwhile, a wide range of stringent global privacy laws is adding complexity and confusion, without being wholly effective.

Europe’s General Data Protection Regulation recently enhanced data privacy rights granted to individuals, but its ambiguity has left many questions unanswered.

As the GDPR and a jumble of global data privacy laws spinning off from it continue to roil the business, legal and tech worlds, enterprises are attempting to get up to code by protecting the data life cycle — the path data takes from its collection to its destruction or return.

A survey conducted by SAS Institute Inc. showed that as the GDPR deadline loomed in May 2018, less than half of all organizations expected to be in compliance.¹

Further, many entities—especially smaller ones—still struggle to meet the interpretations of the regulation as they evolve.

These smaller organizations can start by countering complexity with simplicity, using data inventory and data mapping to streamline and centralize the personal data under their control.

Enhanced data subject rights can be easily addressed if one creates data flow diagrams and ensures that personally identifiable information, personal health information and nonpublic information are classified or codified. This way, as the effects of regulations become clearer, data controllers will have a better handle on the information under their umbrella if compliance issues are raised.

Any new organization, and any new application, must also adopt a proactive “privacy by design” and “privacy by default” framework as part of the development cycle. Existing organizations should revisit an application’s scripts to enjoy the benefits of PbD.

GDPR: THE WAVE ROLLING ACROSS THE GLOBE

Securing data has long been a central requirement of the internet age, but the risk of attacks multiplies as hackers become more sophisticated, posing dire potential consequences for security lapses.

High-profile hacking cases have already cost prominent corporations millions of dollars in settlements.

But the GDPR goes beyond legislating security. It codifies the concept that the people who generate data continue to own it, even if businesses are already in possession of it. To address the risks of redundancy, hacking and data leakage or theft, businesses can collect only the minimum data they need by doing a “requirement assessment” while defining the purpose of collection.

Because companies can be penalized up to 4 percent of their global revenue or 20 million euros (whichever is greater), the risk of noncompliance for any company interacting with consumers or employees in Europe is steep. Previous regulations made securing data and assessing risk a broader, more manageable task in terms of processes.

But the GDPR’s expansion of data subject rights, as mentioned in Chapter 3 of the regulation, complicates the actions covered enterprises must take. Data access, retention and destruction requirements become complex and uncertain.

To address this complexity, businesses can make a uniform decision on record retention policy and procedure and create a conditional Data Subject Access Request procedure. A data subject is any person whose personal data is being collected, held or processed by a Data Controller or processor. DSAR is any request made by an individual or an individual’s legal representative for information held by the company about that individual.

Outside Europe, most jurisdictions are enacting their own laws. For instance, California passed what many consider the most stringent data privacy law in the country in June 2018: the California Consumer Privacy Act, Cal. Civ. Code § 1798.185(a). That law is set to take effect Jan. 1, 2020. The law offers consumers five basic rights in terms of data:

  • The right to know what personal information a business has and how it is being used.
  • The right to know whether their data is being sold or passed on to third parties.
  • The right to deny having their information collected or sold.
  • The right to demand that businesses delete their information.
  • Equal service even if they exercise their rights.

California’s law comes on the heels of similar state laws nationwide, and many expect the California law to cue more stringent laws around the country.

While the California legislation is similar to the GDPR, it is not identical. It thus exemplifies the minefield of varied regulations global businesses must be prepared to navigate.

While larger, more heavily resourced organizations have a hard time with compliance solutions for these multiple laws, it’s the smaller organizations that are struggling to find a starting point for properly securing their data flow and legally complying with data subject rights.

Many business leaders believe having a clearly stated website privacy policy will shield them from penalties — but this alone may not be enough. The best defense small organizations can mount is to centralize, organize and streamline the data life cycle.

DATA SUBJECT RIGHTS CHANGE THE GAME

The minute an individual is born, data about that individual is created. Under the GDPR, the organization collecting the data becomes the data controller and the individual becomes the data subject.

Data subject rights are complicated. They have the potential to create multiple issues because they are unclear about what rights can be invoked and who can invoke them. Also, questions exist as to whether these rights come without conditions or limitations.

For example, any individual can go to an organization and invoke DSAR even if this person was never actually a data subject of that organization. As a result, organizations must respond with additional policy, procedures, dedicated resources and mechanisms to identify specific data about that individual — even if only to ascertain whether the individual is a data subject to begin with. Moreover, the individual cannot be held legally liable for being wrong or acting frivolously.

The best way to determine whether your organization is compliant with global privacy laws, including the GDPR, is to focus on data centralization, data mapping and data inventory. Doing so will help formulate a strong policy that addresses the issues of data access, data retention and data destruction requirements.

In the GDPR Article 5(e) guideline for governing data retention, identifying data should be held “for no longer than is necessary for the purposes for which the personal data are processed.”² The regulation also guarantees in Chapter 3, Article 17, a subject’s right to erasure, or “right to be forgotten.”

As such, a data controller must erase a subject’s personal data under a variety of circumstances, including when the subject withdraws consent or alleges that the data was unlawfully obtained.

The GDPR increases businesses’ obligations for protecting a subject’s data, and those dealing with European customers or employees must be prepared to prove that they are meeting these obligations. Data mapping and inventory provide a simple starting point to prepare for what may be inevitable: a GDPR claim.

KNOWING WHAT’S IN YOUR HAND

To discover where data flows throughout an organization, you must map out its journey from the moment it is collected, to where it is stored, and then on to the third parties with whom it is shared. Through this process, you can form an inventory of what data you hold and where, ideally down to the individual data subject.

This map, or data flow diagram, enables you to protect the rights of data subjects by allowing access to their data. It also provides transparency with respect to the data’s use. Mapping the data will also weed out instances of redundant data stored in multiple locations and help identify data potentially exposed by a breach.

Small to medium-sized organizations running into the crosswinds of the GDPR, and its related but differently nuanced local regulations, must manage the data life cycle risk starting at the point of collection.

These organizations need to ensure that information is centralized and not entering via multiple modes and entry points. Thereafter, the information should be carried through its designated life cycle.

Without a simplified data life cycle, an organization must first dig through its systems, processes and global servers if Data Subject Access Rights are raised to find the appropriate data and respond. Without an inventory, an entity also risks unlawfully controlling or improperly storing data that might need to be destroyed — without even knowing about this lapse.

For example, like the GDPR, California’s Consumer Privacy Act gives consumers the right to have their data expunged. Thus, if a consumer asks a company to destroy his data, a system administrator may think compliance with the law is achieved by finding relevant data stored on server A and destroying it. But redundant information might also be stored on a different server that is administered by a different team — creating liability for the company.

In this example, a request from a single consumer could put the company at risk. But what happens when thousands ask for their data at once?
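The server A / server B scenario above, worked through as an added example that is not part of the original article: a small data inventory (constructed sample systems, teams and subject ids, all hypothetical) indexed by data subject, so that an erasure request resolves to every copy, grouped by the team that administers each store, and a post-erasure check shows what a deletion limited to server A would leave behind.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed sample inventory (hypothetical systems and teams, not from the article).
# Each row records where one copy of a subject's data lives, who administers that
# store, and how the data is classified (PII / PHI / NPI, as the article recommends).
@dataclass(frozen=True)
class InventoryEntry:
    subject_id: str
    system: str
    owner_team: str
    classification: str  # "PII", "PHI" or "NPI"
    purpose: str

SAMPLE_INVENTORY = [
    InventoryEntry("cust-1001", "server-A/crm", "sales-it", "PII", "order fulfilment"),
    InventoryEntry("cust-1001", "server-B/analytics", "data-eng", "PII", "marketing analytics"),
    InventoryEntry("cust-1001", "server-B/backup", "data-eng", "PII", "disaster recovery"),
    InventoryEntry("cust-2002", "server-A/crm", "sales-it", "PII", "order fulfilment"),
    InventoryEntry("emp-3003", "hr-system", "hr-ops", "PHI", "occupational health"),
]

def build_data_map(entries):
    """Index the inventory by data subject so every copy is found in one lookup."""
    data_map = defaultdict(list)
    for entry in entries:
        data_map[entry.subject_id].append(entry)
    return data_map

def locate_subject_data(data_map, subject_id):
    """Return every location holding the subject's data, or [] when the requester
    is not a data subject of this organisation at all (the article's case of a
    DSAR from someone whose data was never collected)."""
    return list(data_map.get(subject_id, []))

def erasure_plan(data_map, subject_id):
    """Group the copies that must be destroyed by the team administering each store,
    so a deletion on server A does not leave the redundant copy on server B behind."""
    plan = defaultdict(list)
    for entry in locate_subject_data(data_map, subject_id):
        plan[entry.owner_team].append(entry.system)
    return {team: sorted(systems) for team, systems in plan.items()}

def verify_erasure(data_map, subject_id, erased_systems):
    """Name the systems still holding the subject's data after the given systems
    were erased; an empty result means the request is fully satisfied."""
    erased = set(erased_systems)
    remaining = [entry.system for entry in locate_subject_data(data_map, subject_id)
                 if entry.system not in erased]
    return sorted(remaining)
```

Running `verify_erasure` with only `server-A/crm` erased reproduces the article's liability case: the two copies administered by the other team are still reported.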

Employees are also legally afforded rights to their data, but it’s quite unlikely that all the employees of an organization would simultaneously demand access to their information — unless the organization uses fast-advancing technology. An instance that could cause a mass data subject request might involve sensors, the Internet of things, and other real-time data collection tools tracking employees.

In the U.S., 64 percent of Americans support the right of employers to monitor their employees’ digital activities for security purposes, but only if employers are upfront about it.³ In the U.K., the supermarket Tesco has been accused of monitoring unknowing employees by using armbands to track worker efficiency.⁴

It’s not hard to imagine that if irate employees learn about being unknowingly tracked, they could potentially demand the generated data en masse! At that volume, trying to cut through the thicket of decentralized data could grind a business to a halt.

Centralizing data also provides a starting point for minimizing privacy risk. Currently, many businesses assess the risk to privacy only at the point of data collection, and do not further assess personal data classification or the personal data life cycle.

As a result, organizations are concentrating on privacy risk assessment and data privacy impact assessments of processes, technology and storage devices. While these assessments uncover potential risks, the risks of dark data are going unaddressed. Centralizing data collection is one way to bring such data into view. Dark data is data that an organization collects but doesn’t use, and organizations generally have more dark data than regular data.

The GDPR requires more stringent safeguards on certain activities, often those that use newer technologies or those that involve sensitive information and pose a higher risk to the personal rights of data subjects.

With their data inventoried and mapped, organizations will not only be able to take a better look at securing personal data but will also be in a stronger position to respond to security and legal threats.

NOTES

1 https://bit.ly/2Eehlkq

2 https://gdpr-info.eu/art-5-gdpr/

3 https://bit.ly/2K3jbpi

4 https://ind.pn/2rwHljw

This point of view article was originally published on Westlaw Journals.
