By Dr. Heather Mark, CCEP
Privacy data leaks can cause long term damage to an organization. This is why it is vitally important for organizations of all sizes to understand their relationship to toxic data, their need for it, and to develop protocols for dealing with it appropriately. Here are 5 questions to get you started.
The subject of data privacy and consumer rights has been a hot topic over the last several years. Beginning with the implementation of the General Data Protection Regulation (GDPR) in the EU, continuing with the passage of privacy laws in California, Massachusetts, Nevada, and continuing with the proposal of almost a dozen more state level consumer privacy laws, businesses are have to sit up and take notice. While these laws certainly aim to protect consumers from businesses that might intentionally misuse data, it also means that organizations must be cognizant of the ways that such sensitive data might “leak” into, or out of, their business ecosystems and the potential damage that can be done by such “contamination.”
I use the term toxic data here to describe data that is protected by regulation (Personally Identifiable Information or PII, Financial Information, Protected Health Information, etc). This data carries with it responsibilities and has to be handled appropriately to avoid serious negative consequences. Not to overdo the analogy, but for small businesses particularly, leaks of such data can prove fatal. This is why it is vitally important for organizations of all sizes to understand their relationship to toxic data, their need for it, and to develop protocols for dealing with it appropriately.
Here are five straightforward questions that organizations can ask to start getting a feel for their own practices.
- What data do we collect?
Surprisingly, the answer to this question for many companies is, ”I’m not sure.” If a organization has been in operation for some time (5 years or more), it may be the case that data collection began simply, with a contact or payment form or cookies and web beacons. Some organizations may have relied on third parties to help with forms and websites and may not have a complete list of data that is collected. In other cases, data collection protocols that were purposely set up may not have evolved with the organization’s needs over time. Doing a data inventory (finding out what data you collect and where that data is stored) is a critical component in protecting that toxic data. You can’t protect it if you don’t know that you have it.
- Why do we collect that data?
Once you’ve determined what data is being collected by the organization, the next step is to answer the “why?” This is where the rubber meets the road. If there is no specific business purpose to collecting the data (i.e., it is considered a “nice to have” or no one can really identify its purpose) then the organization should really examine whether it should change their practice. The more toxic data a company stores, the higher the liability exposure if the data is compromised or, in the case of GDPR, CCPA and similar laws, if the data is used inappropriately. The general guideline for data – if the data is not needed, it should not be collected.
- How does data flow through and out of our organization?
This one might seem obvious, but data has a habit of migrating through organizations if it is not carefully constrained. Understanding how different departments interact with the data, helps to develop appropriate controls in departments handle the toxic data. For example, if the “contact” form for your support group also provides information to your product group or your account management group, understanding where that data goes allows the organization to focus its resources on protecting those data flows and data stores. Additionally, it might bring to light data uses that were not widely known in the organization, allowing for a discussion of risk and appropriate data uses. Understanding the data flow allows the organization to use maximize the positive aspects of data use without “infecting” departments that have no need to access or use it.
As important as how the data flows through the organization is how the data flows out of it. What third parties are being used to support the business operation, and how do those organizations access and use data? Do they need the data to fulfill their obligations? Sitting down and going through these relationships can be extremely helpful in identifying critical vendors and helping to manage third party risk.
- How do we dispose of data when it is no longer needed, or a deletion request is received?
The issue of data disposal, “deletion” or “erasure” is certainly complex and worth speaking with counsel about when drafting and implementing policies and practices. For the purposes of this discussion, the question is how an organization can ensure that such toxic data is appropriately removed from the network or systems. CCPA allows for anonymization or de-identification of data. This means that identifying information is removed so that the data element cannot be tied to an individual. Organizations must also balance their regulatory obligations to maintain records against the consumer request. While the regulatory obligation will supercede the deletion request, it is possible for organizations to meet the spirit of a deletion request while maintaining its legal obligation for record keeping. Doing so requires careful planning and execution and a clear understanding of privacy requirements.
- How do we disclose our data privacy practices?
The central tenet of all privacy laws, and the fair information principles on which they are based, is providing the consumer with ability to make a clear, informed decision about how their personal information is collected and used. To further that objective, organizations must disclose clearly and explicitly the ways in which data is collected and used. Further, consumers must have easily identifiable mechanisms to make privacy-related requests of the organization. And the notice must be provided PRIOR to the collection of data. If data is shared with third parties, that, too, must be disclosed. This allows the consumer the ability to really understand why certain data elements are being collected and they are being used before they consent to share it.
Designing, implementing, and maintaining a privacy program is an “all hands on deck” operation. Every department must be bought it to get a comprehensive picture of the organization’s privacy prognosis and create a “treatment plan” for the toxic data. This also assists in obtaining organization-wide buy in on the program.
Personal information is the currency of this age. Consumers will trade privacy for convenience. The Center for Data Innovation found that 58% of Americans are willing to trade their personal data for a greater level personal convenience. That gives organizations a great deal of power, but also a great deal of responsibility. In order to ensure that companies are mindful of that obligation, states are taking the lead in establishing consumer rights with respect to how data is collected and used. Understanding your organizations relationship with potentially toxic data can help keep everyone, business and consumer, safer.