Face it, privacy affects us all
At the end of September, I presented at the annual InfoGovCon17 conference, in sunny Providence, RI. I introduced information privacy, a key part of unified governance that’s accelerated by the pending EU GDPR that goes live in less than 240 days. I find there's still a lot of confusion (does it even apply to my business?), alternative facts (all my data is in the US) and risks (I'll just wait and see if it really gets implemented/enforced).
Understanding the scope of GDPR
Certainly, data privacy, even personal data privacy has many cultural differences between both sides of the pond. In the US, our personal data is part of a multi-billion dollar industry, where the collection, analysis, forecasting and marketing of the data are key drivers. Meanwhile in the EU, personal data is viewed simply as such — personal. Regulations within and across multiple EU countries for more than two decades have upheld the citizens’ fundamental right principal, providing higher expectations of personal data protection (security and controls). In multiple EU countries for some time I could file a data query and find out what was held on me. Or, you may have heard of the Spanish regulation, imposing the “right to be forgotten” on Google (rather, it’s the right to be filtered from search results, not quite “forgotten” or “erased”).
GDPR brings into force a raising of the bar across all 28 member states of the EU across the duties, privileges and obligations on and around personal data and its protection. The scope includes anyone in the EU, long term or temporary, on and around their personal data. It also includes anyone consuming goods or services from the EU, wherever they or their data is in the world. GDPR is not just for those living in the EU or for data in an EU data center. To see if GDPR will impact your organization, it may help to consult your regulatory compliance and legal counsel. Next, complete the Privacy Impact Assessment (PIA) provided by government entities to find out if and where your gaps against the regulation may be. Once you have an idea of where the gaps are, you can draw up a program plan to execute work streams so you are prepared for the upcoming regulation deadline.
Defining personal data
So, what is personal data? Personal data is not quite the same as Personally Identifiable Information (PII), as defined and used in the US (not EU). For example, your IP address in the US is not considered personal, but it most definitely is within GDPR. GDPR is all about personal data, any information that can directly or indirectly identify you as a living person. Major categories include financial, medical, education and political; special categories include your genetic information. This brings up the question: What personal data does your business depend on?
Today, ever-more personal data can be found around us. We may not realize it, but the data may be captured without our consent or knowledge. We rarely see how it’s used, nor the many apparent benefits or results. We’re used to seeing a telephone number, bank account number and SSN as personal data in the US, but the list continues. These categories are easy for technology to identify, find, classify and take action on, so it’s a good place to start for those beginning their GDPR readiness journey and trying to identify what data your organization stores.
Finding and redefining personal data
Finding personal data quickly is a challenge and risk, with very few types of personal data being searchable by simple patterns. This personal data discovery challenge is a current risk to many cloud providers. It can be difficult to find patterns within personal data, but now with machine learning and cognitive capabilities like training sets, the discoverability of the data has changed once again.
Yet, it's getting harder. The new iPhone X launched on September 12, moving away from fingerprints (personal biometric data) to something both very public and private — your face. Now your face is another form of (biometric) personal data, which can directly identify you and unlock your device and then financial and other transactions around it. Do you have a change-your-password every X days policy at work? How often will you change your face? But face it (yes, a pun), your face is different than other personal biometric information in that it’s public. As you walk around, you could be photographed or video recorded from a distance. In the US the FBI has a facial database of many of us. Used to spot any number of categories of people at events, stadiums and who knows where else. And, it gets even more personal and private with recent photo identification studies even being able to suggest sexual preference. In the upcoming years, my husband and I will have to be aware of public institutions with more restrictive regimes where alternate preference status can be a crime and lead to worse.
Spotting location data
Location data is another example. We let ourselves be tracked and track others, for convenience and safety, by carrying a digital device that’s often automatically recording where we are and have been, time stamped. We also proactively share our location data with online apps and services, like Waze, to aggregate our data with others, for helping navigate and avoiding traffic issues. Take any of this data and organizations can know your precise speed at each location on the journey, including start and end times, and calculate that you must have been exceeding at least one segment’s speed limit. In real time. Cha Ching. Turning off your phone? In the UK the Average Speed Cameras on motorways (highways) will automatically identify, track and fine each speeding vehicle.
These are some key themes around GDPR for personal data and its protection to think about. If you missed my session on the main stage at #InfoGov17, you can learn more about how to prepare for GDPR and how to integrate your readiness strategy into your overall unified governance roadmap today.