What’s difficult to understand about the term “personal data”? It’s anything private about me—my phone number, address, and bank account number—right? No, not in the context of data privacy regulations because, of course, life’s never that simple. It’s crucial that you understand the subtleties of personal data privacy. Why? Because your organization could become liable for violating privacy laws in jurisdictions where you have customers.
Under privacy regulations, “personal data” is defined as any information that can identify or potentially identify an individual. It’s not necessarily secret; it may even be publicly available. This information could be a sole piece of data, like a name, or a combination of data, such as a name, phone number, LinkedIn profile, and IP address. Take the name “John Smith,” for example. There are about 25,000 John Smiths in the US alone. If I’ve got a John Smith in my database with absolutely no other information associated with this name, I can’t identify which John Smith this data point represents. Therefore, it’s not considered personal data protected under the law. However, what if I associate a phone number and an IP address in my database with a specific John Smith? This combination of data identifies a unique John Smith. Now, my organization may be liable if I don’t have a privacy management program that ensures privacy protection for John Smith and other individuals in my database.
Here’s another scenario. You’re creating and emailing a newsletter out to subscribers of Diabetes Monthly. Great content, looks good; hit send! Then you realize that you accidentally dropped all the email addresses into the “CC” input instead of the “BCC” input. Now everyone can see who else is on the email list...but phew, no names are associated with these emails. Sorry, no dice. You’ve publicly associated these emails with health data—diabetes patients—the combination of which could potentially be used to identify them. Unless you’ve obtained their prior consent, you’ve disclosed sensitive personal data that makes your organization liable for violating their privacy rights.
As you can see, understanding personal data privacy is not that simple.
How do I identify personal data?
The context in which you collect, use, share, and store any piece of data relating to an individual will impact the nature of personal data that is subject to privacy regulations. When reviewing the data that you’re handling, there are a few questions you need to ask to assess what risks you may face.
- Does this data contain a unique identifier that ties to a specific individual?
Consider discount coupon codes. They seem benign, but some stores may attach unique identifiers in a code to link it to a specific customer. This allows them to track customer journeys and better understand what factors might lead to a purchase. This coupon code may be considered personal data in this context.
- Does this combination of information allow me to identify a specific individual?
As with the John Smith scenario, a name alone may not be considered personal data subject to privacy protection. However, combining various individual data points may make an individual suddenly identifiable. This transforms the data into information that is subject to privacy protection.
- Does the data I’m collecting fall under a special category?
Several special categories of personal information are considered highly sensitive data and thus pose higher privacy risks subject to stricter regulations. These categories include:
- Health information
- Paternity tests
- Racial and ethnic origin
- Religious affiliation
- Political affiliation
- Trade union membership
- Sexual relations or sexual orientation
How do I protect personal data?
Once you’ve assessed what personal data your organization may be collecting and using, you need to establish safeguards to mitigate and manage privacy risks. Following these nine principles throughout the data lifecycle of your organization’s information systems will help you do so.
You need to inform individuals about your organization’s policies and practices regarding collecting, using, sharing, and storing their personal data. You can achieve transparency by explaining your policies through your website’s privacy notice.
Following data privacy laws, it’s not sufficient to tell a website visitor that you’re collecting their data merely through a privacy notice. Website visitors need to explicitly provide their consent to you processing their information for the specified purpose. You can obtain their consent with a written statement and an “Accept” button typical in cookie consent banners. Individuals who previously provided their consent must also have the option to withdraw it.The Guardian’s cookie consent form
- Data Minimization
You should only collect minimal relevant personal data to achieve a specific legitimate purpose. For instance, if you’re an e-commerce site asking a customer to provide information so you can successfully fulfill their order, you only need their full name, email, shipping address, and phone number. You certainly don’t need to ask for irrelevant information like their marital status or religious affiliation. We are seeing the slow demise of massive data collection practices to gain highly personalized customer insights. With privacy laws emerging rapidly and globally, this business practice will no longer be acceptable. It’s increasingly becoming a significant privacy liability.
- Purpose Limitation
Privacy regulations mandate that personal information gathered for one purpose should not be used for another. Building on the e-commerce order fulfillment scenario, even though you now have a new customer’s email address, you can’t send them marketing emails without their consent. The data was collected to fulfill their order, and you didn’t receive their express permission to email them for marketing purposes.
- Data Accuracy and Quality
You must ensure that the personal data you handle is accurate, complete, and up to date. You can control data integrity by protecting personal data against improper maintenance, modification, or alteration. For example, put measures in place to avoid data corruption or partial destruction. If you realize that information has been compromised, you must notify the regulatory authorities and the affected parties as soon as possible.
- Data Access
Privacy regulations require organizations to provide individuals with the right to access their information. This may include viewing, editing, challenging, deleting, or receiving copies of their data.Consequently, it’s vital your organization has procedures in place to respond to these data subject access requests (DSARs).
- Data Security
You must assume responsibility for the security of personal data throughout its lifecycle consistent with international standards. Personal data needs to be protected by reasonable safeguards appropriate to the sensitivity of the information (including physical, technical, and administrative means).
It’s essential to maintain the confidentiality and availability of the personal data you’ve acquired. You can preserve confidentiality by limiting access within your organization only to those who need specific data to fulfill their job requirements. For example, your customer service team should have permission to access a customer’s order history, but your HR department should not.
Finally, managing data availability is about the timeliness and reliability of the access to and use of data. To achieve data availability, you must quickly repair all hardware failures and maintain backups to avoid business operation disruptions.
Again, if you realize that information has been compromised, it’s crucial to notify the regulatory authorities and affected parties as soon as possible.
- Retention and Storage Limitations
You should only retain personal data if it’s necessary to fulfill the purposes you declared in your consent form. When it’s no longer needed, you need to ensure that you destroy it securely and permanently. This means digital and physical shredding if you’re also keeping hard copies.
- Privacy Accountability
When you collect personal data, you must always handle it with care. You can demonstrate accountability by having privacy-related policies and procedures documented and communicated as appropriate and assigned to a specified individual within your organization. It’s essential to show that you are committed to protecting the data privacy of all the individuals you’re dealing with.
How can I safely publish personal data?
You may want to publish personal data for some marketing purposes, such as product reviews. Let’s say an individual named Alice Lane from Virginia has emailed you a rave review about your new skincare product. Publishing it on your website may help sales tremendously, and putting a name to it makes the review seem more credible. However, she hasn’t permitted you to post it with her name. So, what do you do? There are three techniques you may wish to use.
- Remove personal data.
“This product really moisturized and brightened my skin, and it was super light! I can’t wait to share it with my friends!” - Alice L.
- Mask information.
“This product really moisturized and brightened my skin, and it was super light! I can’t wait to share it with my friends!” - A customer from Virginia
- Aggregate information.
“9 out of 10 customers recommend our skincare products.”
It’s all about context
Remember, when dealing with personal data privacy, context is critical. An email address may be benign, but it becomes a liability if paired with sensitive information like health data. Ensure you collect and process personal data with privacy regulations and individuals’ expectations. If they’ve given you their email address because they’re applying for a membership card for your loyalty program, they shouldn’t then receive marketing emails about all the other products you have for sale. If you need help implementing or auditing policies for dealing with personal data, check out our privacy management solutions. We’re here to guide you towards achieving and maintaining privacy compliance seamlessly and cost-effectively.