- A lawful and business purpose for collecting PI
- When data management = risk management
- Simplify compliance with data inventory
Read more below.
GDPR did, however, expand definitions of personal information, and in doing so, it became the “big bang” of an ever-complex universe of regulated data. As personal information and its business use expand, data inventory or mapping becomes key to achieving compliance, whether mandated or not. The question for privacy teams is no longer whether to track personal information within their organizations, but how.
The Expanding World of Personal Information
For decades, privacy laws used simple definitions of personal information: name, address, birthdate, etc. But as technology found more ways to identify people, from biometric data to behavior patterns, organizations found ways to profit from that information. GDPR was the first regulation to take a hard line on digital privacy with a wide definition of personal information, including a person’s “genetic, mental, economic, cultural, or social identity.”
Since its passage, numerous countries have followed suit with similar laws. In the U.S., the California Consumer Privacy Act (CCPA) set a precedent by expanding PI definitions to include online activity, geolocation data, and a variety of biometric information. The California Privacy Rights Act (CPRA) is even more GDPR-like, not only adding a category of “sensitive personal information,” but also requiring organizations to show a “lawful and business purpose” for collecting personal and sensitive information and to notify consumers of that information collection and its purpose.
The new regulation specifies fines of up to $2,500 per violation or up to $7,500 per intentional violation or per violation involving minors.
When Data Management = Risk Management
Given regulatory trends, privacy teams now need a clear and complete picture of what personal information their organizations hold and how they use it. The question is how to approach this time-consuming task and how to free up the resources to do it. (“Data mapping” in this case means mapping collections of regulated data across business networks, not to be confused with the IT practice of mapping elements between data models.)
The first consideration is what kind of data inventory to create. A traditional inventory would include:
- A list of regulated data
- The owners of those data collections
- Data elements included in those assets
- Where and how the data is transmitted, stored, and used
- Size of the data stores
- How the data is protected (e.g., encryption, de-identification, etc.)
Some organizations also assign sensitivity levels to different data sets based on factors such as mitigation measures, the collection size, the vulnerability of the individuals represented (e.g., children), and the jurisdiction(s) where the individuals reside.
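As an added illustration (not from the original article), the inventory fields and sensitivity factors described above modelled in Python, with an incident lookup that shows how the traditional inventory helps assess a given incident; the asset names, weights and thresholds are assumptions.

```python
from dataclasses import dataclass, field

# Hypothetical inventory record modelled on the fields listed above.
@dataclass
class DataAsset:
    name: str
    owner: str
    elements: list           # data elements held, e.g. "email", "geolocation"
    locations: list          # systems where the data is stored or transmitted
    record_count: int        # size of the data store
    protections: set         # e.g. {"encryption", "de-identification"}
    minors: bool = False     # vulnerable individuals represented
    jurisdictions: set = field(default_factory=set)

def sensitivity_level(asset: DataAsset) -> str:
    """Level from the factors named in the text; weights are assumed."""
    score = 0
    if asset.record_count >= 100_000:
        score += 2
    elif asset.record_count >= 10_000:
        score += 1
    if asset.minors:
        score += 3
    if len(asset.jurisdictions) > 1:   # overlapping regimes to satisfy
        score += 1
    if "de-identification" in asset.protections:  # mitigation lowers risk
        score -= 3
    elif "encryption" in asset.protections:
        score -= 1
    return "high" if score >= 3 else "medium" if score >= 1 else "low"

def assets_affected(inventory, compromised_system):
    """Incident lookup: assets touching the system, most sensitive first."""
    order = {"high": 0, "medium": 1, "low": 2}
    hits = [a for a in inventory if compromised_system in a.locations]
    return sorted(hits, key=lambda a: order[sensitivity_level(a)])

# Constructed sample inventory (not real data).
INVENTORY = [
    DataAsset("customer_accounts", "Sales Ops", ["name", "email", "address"],
              ["crm", "data_warehouse"], 250_000, {"encryption"}, False, {"CA", "EU"}),
    DataAsset("kids_app_profiles", "Product", ["name", "birthdate", "geolocation"],
              ["app_db"], 5_000, set(), True, {"CA"}),
    DataAsset("web_analytics", "Marketing", ["ip", "browsing_history"],
              ["data_warehouse"], 2_000_000, {"de-identification"}, False, {"CA", "EU"}),
]

if __name__ == "__main__":
    for a in assets_affected(INVENTORY, "data_warehouse"):
        print(a.name, sensitivity_level(a))
```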
Another approach to data management is to create a “data processing inventory” (described in more detail in this Nymity article) which focuses more on how regulated information is processed and by whom, where it is transferred, and how long it is retained.
In practice, most organizations will want to combine these approaches: the traditional inventory will be most helpful in assessing the risk from a given incident, while the data processing inventory is invaluable in proactive risk assessment and in managing disclosure and consent requirements.
Because data inventories are a heavy lift, most organizations will want to approach them incrementally. Determine what information should be included and what areas of the business to catalog first, then refine the inventory and add to it over time.
A data inventory will be a living document, changing as regulations change and as the organization’s data collection and usage change. To stay ahead of changes, privacy teams will want to build relationships with subject-matter experts in different business functions, who can alert them to potential changes in data collection or usage.
If the privacy team can be notified and included in planning for new business initiatives, they can gather the necessary information to update the data inventory and may even be able to advocate for data minimization. (Businesses sometimes gather data just because it’s there, but the lowest risk data is the data that’s never collected at all.)
Find Time to Save Time
In the long run, a data inventory will simplify compliance. But how can you find the time and resources to create and maintain data inventories while staying on top of changing regulations plus day-to-day tasks such as privacy training, policy and process management, and incident response?
Strategic investment can help jumpstart data mapping efforts, using data inventory software and/or consultants to help your team get started. Another winning strategy is to automate risk assessment and incident response processes, with an incident response engine that helps your team cut response times and provides an up-to-date view of national and international regulatory requirements.
In addition, an incident response engine such as Radar can be integrated with data mapping tools, giving the incident response team quick access to the information in your data inventory and organizational knowledge such as pre-assigned sensitivity levels. Remember the old “The More You Know” campaign to keep kids in school? Well, the better your tools, from data inventories to an incident response engine, the more time you’ll save and the more you’ll know how to stay in compliance as the regulatory universe expands.
Learn more about how Radar can help privacy teams stay up-to-date on regulatory changes.