Privacy isn’t just a series of things you do; it’s a philosophy that drives the things you do to implement a privacy program. So, embracing that philosophy up front is your starting point through the maze of compliance issues you’ll face.
The core concept behind privacy as a legal and compliance matter is that virtually all information about a person is owned by that individual who, within some very broad limits, has a right to control how it’s used. Seems simple enough, but there are profound consequences that flow from this philosophy.
Let’s start with the act of collecting personal information. Because people own it, you can’t just collect it: you need to obtain permission first. Individuals have a right to know what you’re going to do with their information before they allow you to collect it—and, in any case, are under no obligation to grant that permission.
In the past, your website may have collected information without explicitly informing people you were doing so. Customer reps on the phone might have been collecting data without telling people they were keying it into a computer system. No longer—people must be given reasonable notice of what you’re doing, and must be given the opportunity to refuse to provide information. That may prevent you from completing a transaction with them, which you can legitimately decline to do in most cases, but you can’t hide the ball.
For instance, the EU recently clarified that an action like simply scrolling down a webpage cannot be considered consent to collect cookies, regardless of whatever disclaimers your cookie warning conveys. Affirmative, explicit consent to store or process personal information under GDPR requires a person to take a specific action intended only to provide consent.
And of course, since you have some liability in the case of noncompliance with privacy regulations, you have to keep track of all the permissions and the language of the disclosures so you can prove you did everything right.
For a lot of organizations, this is an entirely new set of rules that may require significantly reengineering processes, from redesigning websites to updating intake forms to drafting and vetting legal disclosures.
Now, having told people what you’re going to do with their information, you have to make sure you actually do it. That’s another heavy lift.
There are exceptions to the permission requirements—employment information for example. You can’t really employ someone without collecting a lot of personal information, and neither of you has any real choice in the matter. Much of the information is required by law and the rest is a practical necessity, since you can’t pay employees or provide them with health insurance without knowing some things about them. Even then, however, disclosing the uses you intend to put the information to is mandatory in many places, and certainly good practice everywhere.
You can’t just keep personal information forever, stored away in a database or filing cabinet, so you must have a retention schedule. You’ll have to figure out how to apply that schedule in an electronic system that might not be very good at retention, or a messy physical filing system.
And then there’s access: your disclosures should have contained some access restrictions specifying who’s allowed to look at the information and why. The very nature of the information—say personal medical information or bank account numbers—may clearly imply the need for access restrictions, data security and the like. Either way, you now need to build or alter some processes to assure reasonable protections for the data. For other kinds of personal information, self-service access to the information you collect and granular control over that information can be enabled by technology.
As you can see, there’s a lot of process engineering, and re-engineering, involved in assuring data privacy, and we’ve only just begun. Accommodating the basic concept of privacy compliance—asking for permission and disclosing the uses of the data—involves substantial effort, and may require substantial budget. If you’re implementing a privacy program, you need to bear this in mind. The philosophy may sound simple, but the implementation rarely is. So keep a firm foot on the accelerator.
Next time we’ll continue this discussion by looking at some other key aspects of privacy.
For more on how to ensure PII is collected responsibly, check out this webcast recording: Webcast: Privacy Impact Assessments – Why You Need Them, What You Need to Know