June 10, 2020
Classifying data with purpose
All data has varying levels of allowed and restricted access. For example, when a customer orders products from Amazon, the online retailer collects specific data to process the order, such as names, addresses, and credit card information. All of this data is personally identifiable information (PII), and therefore protected under data privacy laws.
After collecting a customer’s data, organizations may want to use the data to conduct market research about customer buying patterns or sell the data to a third-party vendor. But is the company allowed to use the data for these purposes?
Up until recently, organizations had virtual carte blanche to use any data they collected for any purpose desired. But with the advent of more and stronger data privacy rules organizations can no longer do what they want with the data they collect. For example, according to specific compliance regulations, they can’t use data to process purchasing orders in their marketing analysis or to sell to other vendors if the consumers do not expressly permit these additional purposes.
In fact, the General Directive Privacy Regulation (GDPR) requires organizations that process European Union citizens’ personal data to clarify the purposes for which they are collecting data. As a result, companies now have to manage their data according to what purpose or purposes it serves within their organizations. When they do, they also improve their internal data access controls.
GDPR’s “Right to Access” rule
An example of consumers’ privacy rights are the GDPR’s “Right to Access” rule in which EU consumers have the right to access their personal data and make special requests from organizations. In the fulfillment of this right, an organization’s obligations include two stages:
1 — The controller must check whether or not any personal data of the person seeking information is being processed and report back to them.
2 — If the organization is processing the subject’s person data, it must provide the consumer with the following information:
- The processing purposes of the data.
- The categories of personal data processed.
- The recipients or categories of recipients.
- The planned duration of storage or criteria for their definition.
- Information about the rights of the data subject, such as rectification, erasure, restriction of processing, and the right to object.
- Instructions on the right to lodge a complaint with the authorities.
- Information about the origin of the data, as long as it was not collected from the data subject himself or herself, the existence of any automated decision-taking process, including profiling, with meaningful information about the logic involved as well as the implications and intended effects of such procedures.
- If personal data is transmitted to a third country without an adequate level of protection, data subjects must be informed of all appropriate safeguards which have been taken.
Once the consumer receives this information from the organization, he or she is free to request removal of their personal data. At this point, according to the GDPR: “Personal data must be erased immediately where the data are no longer needed for their original processing purpose, or the data subject has withdrawn his consent and there is no other legal ground for processing, the data subject has objected and there are no overriding legitimate grounds for the processing, or erasure is required to fulfill a statutory obligation under the EU law or the right of the Member States.”
To fulfill the request, the organization will need to locate a requestor’s personal data wherever it lives by searching across its data ecosystem. The search needs to identify the specific systems and locations that contain the consumer’s personal data.
However, the vast majority of companies simply do not have the tools in place to access and monitor the volume, variety, and velocity of personal data flowing in, out, and across their organizations — let alone find one individual’s personal data that is being used for marketing purposes.
Not only is discovering individuals’ data across hundreds of sources a potential data-discovery nightmare, there is another catch. If the person is a regular Amazon customer, for example, he or she likely wants the company to retain their information for the purpose of fulfilling their future shopping orders, while deleting it only for marketing purposes.
Only if individuals’ personal data is appropriately classified and tagged for both purposes can the organization easily and quickly conduct a search for that data and delete it. In this way, with very little effort, the organization can meet its obligation to the individual and the compliance regulation. As a result, this advanced process will ensure the organization lowers the risks of non-compliance penalties and public ill will.
Internal data access rights
Another aspect of classifying data according to its purpose is controlling who exactly has access to the data internally. The only employees who should have access to personal data are those who need to access it for specific business purposes.
For example, by it’s very nature, human resource departments retain a lot of PII data on a company’s employees, including credit reports, medical information, and benefits information. However, there are restrictions on specific reasons for retaining data. Access should be granted to employees — such as sales, marketing, finance — based upon the data’s actual purpose.
A sophisticated data classification policy and software allows organizations to conquer their internal data access challenge by facilitating the enforcement of data access rights. As such, the internal access restrictions are informed by data’s purpose-based classifications.
Achieving these two critical business goals requires a data classification schema to be sophisticated enough to allow organizations to organize the data at a granular enough level to comply with the privacy laws, while still conducting business.