With the effective date of the European Union’s General Data Protection Regulation (GDPR) rapidly approaching, there is heightened awareness among many organizations about their need to institute the proper controls to prevent exposure of sensitive data. The GDPR is relatively explicit about classification of data as sensitive, and the types of controls and processes necessary for compliance. But in some ways it's just a starting point for ensuring that individual data privacy concerns are being addressed.
As a general rule, over the past two decades (basically, since the mainstreaming of the world wide web), many people were willing to passively barter access to a wide range of personal information in return for convenience – so passively, in fact, that most people weren't even aware they were doing it. Yet the increased sophistication of streaming data ingestion and analytics means that each time you visit a website, run a search query using a “free” search engine, or play a game that you “freely” downloaded from your smartphone’s app store, you are likely to be exchanging some amount of personal data that's being collected, processed and analyzed. Little by little, your personal profile is being constructed based on the search terms you use, the types of products you ponder on e-commerce websites, and the steps you take while playing that game. That personal profile is chock full of sensitive information. Imagine how many people would be horrified if their search engine search terms were made public!
How to best anticipate data privacy concerns: Two levels
When it comes to anticipating the various data privacy concerns that should be addressed, we can break it down by looking at two levels of concern. The first is protection against inadvertent exposure. An example of this is a security breach, in which external agents are able to break through the firewall and gain access to your systems. And while you might question my saying that this is an “inadvertent” breach (certainly the hackers intended to gain access, right?), it is possible to anticipate and protect against data exposure by encrypting personal and sensitive information.
The second level of data privacy concerns relates to whether your company is taking advantage of individuals' personal information. On the one hand, the consumer might see some benefit to this (such as when an online retailer limits the products presented on a page to those that a customer is actually interested in buying). On the other hand, the potential ways personal data can be monetized can have profound yet unexpected impacts.
As an example, consider what appears to be a simple trivia game app on your phone. It might be fun to try to get all the answers and perhaps maybe even win a prize. But what if you found out that the company is developing personal intelligence profiles about each player and is selling that data to recruiting companies? The fact that a person got a few answers wrong on some trivia quiz might factor into a profile assessment that is used to assert that the same person is not suited for a particular position.
Data privacy concerns with the GDPR
The GDPR is a sign of growing awareness of the degree to which an individual’s personal information has been (and continues to be) collected and exploited. In some cases, it indicates a turning of the tide in terms of the value proposition of data collection. Instead of presuming the right to accumulate personal data, your company may actually benefit from having a set of policies that are intended to alleviate data privacy concerns. Examples include limiting the amount of personal data that's collected, reducing the amount of time that it's stored, and allowing for personal data to be deleted based on the customer’s request.
It signals a level of respect for your customers to institute data protections that are explicit and tangible. That implies a combination of governance and technology. Governance, of course, provides the means by which policies are defined and enforced. Yet we still need technologies to help in profiling data assets (to figure out what types of data are stored) as well as classification of data to specify the levels of sensitivity. Putting this kind of program in place is a positive step in establishing trust with your customers.
Download a paper The GDPR: What It Means and How SAS Data Management Can Help