Gray Areas of Data Privacy You Need to Know About
Looking at the global economy, one might guess that the most valuable resource is oil or the ability to generate energy. Neither guess is right. The most valuable resource in the global economy today is data, and big data in particular. Data can improve business processes and fast-track market research. More importantly, it allows organizations to innovate and to develop custom marketing that fits potential customers like a glove. With the vast volumes of data being curated globally today, the gray areas of data privacy have become a crucial concern for organizations. Even though data privacy regulation aims to guide organizations in responsibly curating client data and personally identifiable information, there are scenarios where the handling of client data comes down to a reasonable person test.
That the question "Are abandoned cart emails GDPR compliant?" even needs to be asked shows clearly that gray areas exist in the realm of data privacy.
What Kind of Information is Under Data Privacy Regulation?
Although one might think that "personally identifiable information" is an umbrella term covering all personal data, this is not the case. The following categories of information are each regarded as private data in their own right and must be protected by whoever curates them.
Personally Identifiable Information
This is information that can be used to reveal someone's identity, including contact information. With it, the curator can distinguish one person from another within a dataset. It typically includes values such as names, surnames, social security numbers, and contact details such as residential addresses and telephone numbers.
Personal Medical Information
Medical information includes a person's medical history along with any auxiliary information used by medical professionals and institutions, such as medical insurance details and, to some extent, any records relating to medical financial obligations. In short, it is any medical information that relates to a specific person and can be used to identify that person.
Personally Identifiable Financial Information
Regulatory compliance includes provisions to protect the personal financial information of individuals and organizations: anything from account numbers and transaction histories to any other auxiliary information used to provide tailored financial services to clients. This includes any analytic data that could be used to identify a person or organization.
Personal Academic Records
Schools and other academic institutions are responsible for protecting their students' grades, billing information, and transcripts. Class schedules fall into this category to some extent, since they could be used to personally identify and single out a person.
What Kind of Information is not Under Data Privacy Regulation?
There are categories of information that fall outside data privacy regulation. The clearest is information about a person that is already publicly accessible, such as phonebook or internet directory listings. Device IDs are sometimes treated as outside the regulated set because a client cannot be identified directly through them. Treat that as a gray area rather than a rule: under GDPR, online identifiers such as device IDs and IP addresses count as personal data whenever they can be combined with other information to single out an individual.
What are the Gray Areas of Data Privacy and how does this Impact you?
The rules of data protection might seem to be a one-size-fits-all set of guidelines, but they are not. First, most countries around the world have, in the last decade, designed and published legislation governing how people's personal details must be curated and protected. Some countries, however, have not yet committed to their draft legislation, and others have no legislation to protect personally identifiable information at all.
A second source of discrepancy in the legal responsibility an organization bears for the personally identifiable information it curates is the specific industry in which the organization operates.
An example of this is the difference between GDPR and HIPAA. GDPR has an umbrella scope, while HIPAA focuses specifically on medical information. Between the two, in some very specific scenarios, some data protection gray areas are inevitable.
To ensure watertight regulatory compliance, every organization needs to consider both where its customers are based and its own operating jurisdiction. Each instance of personal information should be handled with the highest possible level of protection, and only the data that is actually required should be curated in the first place.
Obtain people's express permission before adding them to your prospect database and sending them material or promotional offers. This is especially important in jurisdictions where comprehensive data privacy legislation is lacking. The good news is that the vast majority of businesses that actively market to prospects with content and promotional offers are already doing this.
Do not assume that ethical boundaries no longer apply just because you have your customers' approval. When someone gives you permission to contact them, they are giving you permission to contact them with relevant and acceptable material. Setting the small print aside for a moment, this means you have their consent to contact them with relevant and appropriate content and offers. Nobody gives permission to be spammed, or to hear about services totally unrelated to what they are looking for.
To put it another way, having the consumer's permission to contact them via an opt-in mechanism does not absolve you of the responsibility of exercising sound ethical judgment about how often, and with what kind of offers, you contact them. Whether they have given consent or not, if it seems as if you are reaching out to them an excessive number of times or with an excessive number of different offers, you definitely are.
Adhar Dhaval is an experienced portfolio, program and project leader with demonstrated leadership in all phases of sales and service delivery of diverse technology solutions. He is a speaker sharing advice and industry perspective on emerging best practices in project leadership, program management, leadership and strategy. He works for the Chair Leadership Co.