In the past few months the amount of talk, advice, debate, and claims about the EU General Data Protection Regulation (GDPR), which goes into effect May 25, has escalated to a fever pitch. I’ve gotten many questions about what needs to be done, and most of the questioners demand a yes or no answer, which, with GDPR and most other data protection regulations and laws, is not possible given the differences from one organization to the next and the need to consider the context of the situations within which personal data is accessible.
And there is the rub. Most organizations do not really know or understand what “personal data,” the GDPR term (the labels/names vary by regulation, law, and country), is as it applies to their organization. Organizations that fall under the US Health Insurance Portability and Accountability Act (HIPAA) will use the term “protected health information,” or PHI. Organizations that fall under the US Gramm-Leach-Bliley Act and associated laws and regulations will use the term “nonpublic personal information,” or NPI. And the list could continue on for many pages/screens. I will use the term “personal information” as a generic term for all types of information that have some type of applicable legal requirement for protection under any law or regulation.
Views on personal data vary greatly
I’ve heard an interesting range of statements about what business executives, information security and privacy managers, and contracted vendors (“data processors” is the term used by GDPR) consider to be “personal data.” In fact, I’ve been compiling the viewpoints I’ve heard at conferences and meetings about what people believe constitutes personal data. Some of the most incorrect and alarming beliefs include:
- “We’re [cloud services providers, managed services providers, insert other contracted vendor type here] so we don’t need to comply with any data protection regulations. That is completely the responsibility of our clients. So, in our view, we don’t have any personal data that we need to worry about; that is someone else’s worry.”
- “All the information we have, such as names, addresses, and phone numbers, is publicly available. Our lawyer told us that if data is publicly available, then it is not personal data that needs to be protected under any data privacy laws.”
- “We only have IP addresses, and GPS location data. That is not personal data.”
- “Yes, we have birthdates, gender, and city information about people. But, those data items on their own can point to many different people. So, because that is not personal data, we aren’t going to worry about applying any regulatory controls to that data. To do so would be a waste of our time and security budget.”
Regulatory definitions of personal data
Has your organization defined what is considered to be personal data within the context of your business environment? Before you can ever verifiably state that you are doing all you can to be in compliance with GDPR, you must first understand and document what is considered to be personal data within your organization, within the context of your business operations. Then, following that definition, you must know where the personal data comes into your business, where it goes throughout your business, which outside entities you share it with, and how you retain and then dispose of it (all other important topics for another time).
The GDPR is quite broad when it comes to all the forms and types of things considered to be “personal data.” Here are the applicable definitions from the regulatory text:
Item 1: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Item 13: ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
Item 14: ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
Item 15: ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’).
The US Health Insurance Portability and Accountability Act (HIPAA) includes a very specific list of 18 information items that are explicitly listed as PHI. Of particular note is the additional catch-all information item: “Any other unique identifying number, characteristic, or code.” Think about that. If there is anything, such as a tattoo, a unique voice, an unusual mole, or anything else viewable or audible that can be tied to a specific individual, then it could be considered to be PHI.