June 8, 2020
The Evolution of Data Classification
You may have noticed an increase in the number of websites that require your consent before you can browse them. This is related to stricter regulatory guidelines. You have to check the box so that the organization can stay in compliance.
In the past, tracking technologies were not regulated. Website owners could freely collect visitors’ data and use it for any purpose they desired. That has changed. Today, it’s not enough to merely tell a website visitor that cookies are being used, but also that visitors must actively give their consent. Organizations will likely need sophisticated data privacy software to manage that consent and to classify the sensitive data that they process.
Similarly, new and evolving data privacy regulations also require an individuals’ consent for how organizations use their private data, including today’s two new stricter data privacy rules — the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).
Both GDPR and CCPA introduced the concept of requiring organizations to have a lawful basis for processing an individual’s information. Organizations must answer questions such as: Why are you collecting particular information? What purpose do you have for processing that information?
So what does this mean when it comes to data classification? First, a look at each regulation’s consumer consent rules.
GDPR’s New Rules for Data Processing Consent
GDPR was the first compliance regulation to add major new rules around an individual’s consent for use of their data. Processing personal data is generally prohibited unless a law expressly allows it, or the data subject has consented to each way in which it is processed.
Notably, organizations must obtain each individual’s consent, not just for the one process, but also for every process for which the data is used. In other words, if Company X collects personal data to process an individual’s product order, it does not also have the right to use that same data to conduct marketing research or sell the data to a third party.
Here is an abbreviated overview of the GDPR’s data-use consent rules. Organizations that process the personal data of European Union citizens must:
- Receive prior consent from individuals before collecting any data.
- Obtain consent for each purpose for which the data is being used, for example, for order processing, analytics, and marketing. An active opt-in is required for each process. If an individual doesn’t approve, the organization is not allowed to process the data for a particular purpose.
- Provide an easy option for withdrawing consent.
- Document each processing consent received from users.
CCPA’s New Rules for Data Processing Consent
Like GDPR, CCPA gives consumers new rights to their data, including a “right to know” (aka transparency) about how their data is being used, a right to access, and a right to opt-out of having their data sold (opt-in for minors) to third parties. Any organization that processes data from California citizens must comply as they long as they meet the threshold for revenue or number of data records processed.
Organizations must inform consumers about the categories of information they are collecting and the purpose for which it’s being collected at or before the point the information is collected. Consumers can refuse consent at any point. If a consumer agrees to data collection, he or she has additional rights:
- They can make an access request for their personal information to receive more detail about the specific pieces of information held by the business or third parties.
- They have the right to delete their information (with some exceptions).
- If they exercise their data privacy rights, they can’t be discriminated against by being denied goods or services.
Comparing the two new regulations, GDPR is focused on creating a “privacy by default” legal framework for the entire EU, whereas CCPA is focused on creating transparency in California’s expansive data economy and consumer rights culture. Simply stated, the GDPR requires opt-in consent from EU consumers and the CCPA requires California consumers to opt-out.
“Where the GDPR creates a door for the EU user to lock prior to any data processing, the CCPA creates a window for the Californian consumer to open to find out what data has already been obtained by a business or sold to a third party,” said Cookiebot, in an apt metaphor.
Data Classification for Processing
To effectively and consistently manage the consent rules for both GDPR and CCPA — and any new and stricter regulations that come on board in the future — organizations would benefit greatly by classifying their data according to how they intend to process it.
Classifying data for processing begins with asking simple questions: What data are you collecting? How are you processing it? The answers are critical because organizations need a lawful reason for processing the data they collect.
To classify data according to processing and consent, various tags can be applied to the data, for example:
- Personally identifiable data (PII)
- PII for order processing
- PII for marketing analytics
- PII for selling to third parties
These additional labels help organizations manage both data privacy programs and compliance. When data is classified with tags like these, understanding how it’s processed is clear to the organization and it allows for easy access when individuals request information or for their data to be deleted.
Two classification sub-categories that fall under the process-based category are purpose-based classification and privacy-based classification.