In the past few months the amount of talk, advice, debate, and claims about the EU General Data Protection Regulation (GDPR), which goes into effect on May 25, has escalated to a fever pitch. I’ve gotten many questions about what needs to be done, and most of the questioners demand a yes or no answer, which, with GDPR and most other data protection regulations and laws, is not possible given the differences from one organization to the next and the need to consider the context of the situations within which personal data is accessible.
And there is the rub. Most organizations do not really know or understand what “personal data,” the GDPR term (the labels/names vary by regulation, law, and country), is as it applies to their organization. Organizations that fall under the US Health Insurance Portability and Accountability Act (HIPAA) will use the term “protected health information,” or PHI. Organizations that fall under the US Gramm-Leach-Bliley Act and associated laws and regulations will use the term “nonpublic personal information,” or NPI. And the list could continue on for many pages/screens. I will use the term “personal information” as a generic term for all types of information that have some type of applicable legal requirement for protection under any type of law or regulation.
Views on personal data vary greatly
I’ve heard an interesting range of statements about what business executives, information security and privacy managers, and contracted vendors (“data processors” is the term used by GDPR) consider to be “personal data.” In fact, I’ve been compiling statements of viewpoints I’ve heard at conferences and meetings about what people believe constitutes personal data. Some of the most incorrect and alarming beliefs include:
“We’re [cloud services providers, managed services providers, insert other contracted vendor type here] so we don’t need to comply with any data protection regulations. That is completely the responsibility of our clients. So, in our view, we don’t have any personal data that we need to worry about; that is someone else’s worry.”
“All the information we have, such as names, addresses, and phone numbers, is all publicly available. Our lawyer told us that if data is publicly available, then it is not personal data that needs to be protected under any data privacy laws.”
“We only have IP addresses and GPS location data. That is not personal data.”
“Yes, we have birthdates, gender, and city information about people. But, those data items on their own can point to many different people. So, because that is not personal data, we aren’t going to worry about applying any regulatory controls to that data. To do so would be a waste of our time and security budget.”
Regulatory definitions of personal data
Has your organization defined what is considered to be personal data within the context of your business environment? Before you can ever verifiably state that you are doing all you can to be in compliance with GDPR, you must first understand and document what is considered to be personal data within your organization, within the context of your business operations. Then, following that definition, you must know where the personal data comes into your business, where it goes throughout your business, the outside entities with whom you share it, and how you retain and then dispose of it (all important topics for another time).
The GDPR is quite broad when it comes to all the forms and types of things considered to be “personal data.” Here are the applicable definitions from the regulatory text:
Item 1: ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;
Item 13: ‘genetic data’ means personal data relating to the inherited or acquired genetic characteristics of a natural person which give unique information about the physiology or the health of that natural person and which result, in particular, from an analysis of a biological sample from the natural person in question;
Item 14: ‘biometric data’ means personal data resulting from specific technical processing relating to the physical, physiological or behavioural characteristics of a natural person, which allow or confirm the unique identification of that natural person, such as facial images or dactyloscopic data;
Item 15: ‘data concerning health’ means personal data related to the physical or mental health of a natural person, including the provision of health care services, which reveal information about his or her health status;
This Regulation also provides a margin of manoeuvre for Member States to specify its rules, including for the processing of special categories of personal data (‘sensitive data’).
The US Health Insurance Portability and Accountability Act (HIPAA) includes a very specific list of 18 information items that are explicitly listed as PHI. Of particular note is the catch-all information item: “Any other unique identifying number, characteristic, or code.” Think about that. If there is anything, such as a tattoo, a unique voice, an unusual mole, or anything else viewable or audible that can be tied to a specific individual, then it could be considered to be PHI.
Personal information refers to any information whether recorded in a material form or not, from which the identity of an individual is apparent or can be reasonably and directly ascertained by the entity holding the information, or when put together with other information would directly and certainly identify an individual.
Privileged information refers to any and all forms of data which under the Rules of Court and other pertinent laws constitute privileged communication.
Sensitive personal information refers to personal information:
(1) About an individual’s race, ethnic origin, marital status, age, color, and religious, philosophical or political affiliations;
(2) About an individual’s health, education, genetic or sexual life of a person, or to any proceeding for any offense committed or alleged to have been committed by such person, the disposal of such proceedings, or the sentence of any court in such proceedings;
(3) Issued by government agencies peculiar to an individual which includes, but not limited to, social security numbers, previous or current health records, licenses or its denials, suspension or revocation, and tax returns; and
(4) Specifically established by an executive order or an act of Congress to be kept classified.
“personal data” means data, whether true or not, about an individual who can be identified —
(a) from that data; or
(b) from that data and other information to which the organisation has or is likely to have access
And there are literally hundreds of other personal information definitions in other data protection regulations and laws throughout the world. Use the definitions above, and from the laws and regulations that apply to your organization, to lead you in defining what constitutes personal information within your organization.
Define and locate personal data
You cannot protect personal information if you don’t know where it is located. All organizations that possess personal information of any kind (and can you think of any that don’t?) need to decide upon a way to identify and inventory that data so that they can effectively secure it.
And business leaders, from the largest to the smallest organization and in all industries, must remember: just because a personal information item/identifier is found online does not mean that it no longer needs protecting in the many other contexts within which it is used. It is still personal information.
Context has significant impacts upon privacy whenever individual personal identifiers are involved. If your organization collects, processes, creates or otherwise uses personal information, you must apply effective safeguards to protect it, regardless of whether or not the individual information items may be found somewhere online.
When considering the information items your organization collects, derives, stores, processes, and otherwise accesses, it is important to make sure you have determined and documented the information items considered to be personal information. You can start by looking at those that are explicitly defined within all the laws, regulations, standards, policies, contracts and any other legal commitments with which your organization must comply. Then add to this list any other information items that on their own, or in combination, could point to a specific individual. Then document all the sources, methods and locations for where personal information is brought into your organization, where it is accessed from within your organization, with whom (when, how and why) it is shared outside your organization, how long you retain personal information, and how you irreversibly destroy personal information when it is no longer needed to support business functions or legal requirements.
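As an added example (not from the article), the following Python script applies the definitions above to a constructed customer table: it classifies inventoried field names as direct identifiers, special categories or quasi-identifiers, and then uses a k-anonymity count to check whether quasi-identifiers such as birthdate, gender and city single out a person in combination even though each alone does not. Field labels, category sets and the sample records are assumptions made for the demonstration.

```python
from collections import Counter
from itertools import combinations
# Field labels are assumed column names, grouped by the definitions quoted above.
# Identifiers named in GDPR Art. 4(1): name, ID number, location data, online identifier
DIRECT = {"name", "email", "ssn", "ip_address", "gps_location", "device_id"}
# Special categories: genetic, biometric, health, religion, ethnicity
SPECIAL = {"health_condition", "genetic_marker", "fingerprint", "religion", "ethnicity"}
# Fields that on their own fit many people but can single one out in combination
QUASI = {"birthdate", "gender", "city", "zip_code", "employer"}

def classify_fields(fields):
    """Map each inventoried field name to a classification for the data inventory."""
    out = {}
    for f in fields:
        if f in DIRECT:
            out[f] = "direct identifier"
        elif f in SPECIAL:
            out[f] = "special category"
        elif f in QUASI:
            out[f] = "quasi-identifier"
        else:  # Art. 4(1): any information relating to an identifiable person is personal data
            out[f] = "review: personal data if linked to an identifiable person"
    return out

def k_anonymity(records, keys):
    """Smallest number of records sharing one value combination for `keys` (1 = someone is singled out)."""
    groups = Counter(tuple(r[k] for k in keys) for r in records)
    return min(groups.values())

def identifying_combinations(records, quasi_fields):
    """Quasi-identifier combinations (smallest first) that single out at least one record."""
    fields = sorted(quasi_fields)
    return [combo for n in range(1, len(fields) + 1)
            for combo in combinations(fields, n) if k_anonymity(records, combo) == 1]

# Constructed sample table (no real people): two values per quasi-identifier and every
# combination present exactly once, so no single field, and no pair, identifies anyone.
RECORDS = [
    {"birthdate": b, "gender": g, "city": c, "plan": "gold"}
    for b in ("1980-03-04", "1975-11-20")
    for g in ("F", "M")
    for c in ("Des Moines", "Ames")
]

if __name__ == "__main__":
    print(classify_fields(RECORDS[0].keys()))
    quasi = [f for f in RECORDS[0] if f in QUASI]
    print({q: k_anonymity(RECORDS, (q,)) for q in quasi})   # each field alone: 4 people
    print(identifying_combinations(RECORDS, quasi))          # only all three together: 1 person
```

Run against a real inventory, any combination reported with k == 1 is a field set that must be treated as identifying, whatever each field looks like on its own.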
More on personal data
I’ve written about this topic often over the past two decades. For example, here are just a few of my articles: