Ethics & Compliance Learning
Cybersecurity Awareness: Data Privacy and Protection
As we recognize Information Security month this October, we should also acknowledge that the grandfather of all Data Privacy and Protection laws, the General Data Protection Regulation (GDPR), is now over six years old itself. If you’re like me, just a mention of the GDPR still puts your head on a swivel, wondering where your servers’ backup servers are, who will be your organization’s data controller and data processor, and whether a license plate on a car is now personally identifiable information (it can be).
Still, with all that angst, the GDPR has proven itself to be a friend to business. Protecting our customers’, employees’, and vendors’ data isn’t just the right thing to do; it’s the good-business approach too. The GDPR provides us with an easy-to-understand set of best practices on how to achieve this.
While the law is complex and you must review all aspects of it before processing data, here are some important highlights about what can be done with personal data and how your company must handle it.
- INDIVIDUALS MUST DETERMINE HOW THEIR DATA IS TO BE USED – Personal data may only be collected for a specific and stated purpose. If there is to be any additional use (such as a marketing giveaway or sending marketing correspondence), individuals must have the option to opt in. They may not be expected to opt out.
- COLLECT ONLY THE DATA YOU NEED – Unnecessary information may not be collected. If you don’t need to know if someone has children for your project, you may not collect that just because it may be nice to have later.
- PROPER PERSONAL DATA STORAGE AND SECURITY IS COMPLEX – You’re not expected to know the nuances of data storage and security yourself. Rely on your organization’s Data Privacy Officer for any questions or concerns.
- PERSONAL DATA MAY NOT BE RETAINED AFTER ITS PURPOSE EXPIRES – Personal data should not be kept any longer than necessary for the purpose for which it has been collected.
- INDIVIDUALS DETERMINE HOW THEIR DATA IS HANDLED – Individuals may review, challenge, and request that their information be corrected or removed at any time.
- ANONYMIZE DATA TO PROTECT IDENTITIES – Certain jurisdictions require that stored personal data undergo either anonymization or a pseudonymization process.
- DATA INTEGRITY IS PARAMOUNT – Data ages and potentially gets manipulated over time. Data should be destroyed upon completion of its intended use or every couple of years, whichever comes first.
- PROTECT ALL DATA IN YOUR CONTROL – Do not transfer it to jurisdictions with weaker controls. Keep it securely behind firewalls and accessible only to those in your organization with a need to know. And if there is a breach, alert your data subjects immediately so that they may take additional steps to protect their identities.
It’s not all easy, of course. Having users opt in to having their data used for marketing purposes, when neither they nor your business is in a location that requires it, may not make sense in certain situations. And the United States’ weaker federal data privacy laws, which restrict you from transferring EU data to the United States, have created some access issues. But still, with so many of the new data privacy laws that have come out recently hewing close to the GDPR, it has become a perfect model for how to process and protect data at your company.
A new phenomenon is the sudden widespread bloom of data privacy laws around the world. Here in the United States, where I am located, we await word on possible passage of the American Data Protection and Privacy Act, our own GDPR with similar regulations. In the meantime, the states themselves are ensuring their residents’ protection with local laws such as those in Colorado, Utah, and Virginia. California’s CCPA and soon-to-be-introduced CPRA are the strictest yet. These laws bring California very close to the GDPR.
Other countries that have enacted their own laws include, but are not limited to, Argentina, Australia, Brazil, Canada, China, India, Israel, Japan, Kazakhstan, South Korea, Mexico, New Zealand, Peru, Russia, Singapore, Switzerland, the United Kingdom, and Ukraine.
Meanwhile, Europe is considering multiple pieces of legislation on the issue of artificial intelligence (AI) and data privacy. What this will mean for processing, and for how companies protect their data as they move to AI models, remains anyone’s guess. Once again, regulations are catching up to technology.
All we know for certain is that it will be more important than ever to protect data through education, vigilance, and increased regulations.