Gray Areas of Data Privacy You Need to Know About
Looking at the global economy, one might guess that the most valuable resource must be oil or the ability to generate energy. If either of these was your guess, your mind is about to be blown. The most valuable resource in the global economy today is data, big data. Data can be used to improve business processes and fast-track market research and, more importantly, allows organizations to innovate and develop custom marketing that fits potential customers like a glove.
With the vast volumes of data being curated globally today, concerns about data privacy have become crucial to organizations. Even though regulatory frameworks aim to guide organizations to curate client data responsibly, there are scenarios where the curation of client data comes down to a reasonable man test. This gives rise to complicated questions, such as “Are abandoned cart emails GDPR compliant?”, which clearly indicates that gray areas do exist in the realm of data privacy.
What Kind of Information is Regulated
Although one might think that personally identifiable information is a common umbrella term covering all personal data, this is not the case. The following categories of information are regarded as private data and need to be protected by their curator.
Personally Identifiable Information
This is information that can be used to reveal someone’s identity, including contact information. With it, the curator can distinguish one person from another in a dataset. It typically includes values such as names, surnames, social security numbers, and contact details such as residential addresses and telephone numbers.
Personal Medical Information
Medical information includes a person’s medical history along with any auxiliary information used by medical professionals and institutions, such as medical insurance details and, to some extent, any records relating to medical financial obligations. In short, it is any medical information that can be directly linked to a specific person and could be used to identify that person.
Personally Identifiable Financial Information
Regulatory compliance includes provisions to protect the personal financial information of individuals and organizations: anything from account numbers and transaction histories to any other auxiliary information used to provide tailored financial services to clients. This includes any analytic data that could be used to identify a person or organization.
Personal Academic Records
Schools and other academic institutions are responsible for protecting the grades, billing information, and transcripts of their students. Class schedules are to some extent included in this category, since they could be used to personally identify and single out a person.
What Kind of Information is not Regulated
There are categories of information that are not regulated: any information about a person that is publicly accessible, such as phonebooks or internet directories. Device IDs are sometimes not counted as regulated client information, since a client cannot be identified directly through them.
What are the Gray Areas of Data Privacy and How Do They Impact You?
While the rules of data protection might seem to be a one-size-fits-all bucket of guidelines, they are not. First, most countries around the world have, in the last decade, designed and published legislation to govern how people’s personal details need to be curated and protected. There are, however, some countries that have not committed to their draft legislation, and others that do not have any legislation to protect personally identifiable information.
Another discrepancy in the legal responsibility organizations must take for the personally identifiable information they curate is the specific industry in which the organization operates.
An example of this is the difference between GDPR and HIPAA. GDPR has an umbrella scope, whereas HIPAA focuses specifically on medical information. Between the two, in some very specific scenarios, some data protection gray areas are inevitable.
To ensure watertight regulatory compliance, every organization needs to consider where its customers are based and the organization’s operating jurisdiction. Each instance of personal information should be handled with the highest possible level of protection, and only the data that is required should be curated.
Adhar Dhaval is an experienced portfolio, program and project leader with demonstrated leadership in all phases of sales and service delivery of diverse technology solutions. He is a speaker sharing advice and industry perspective on emerging best practices in project leadership, program management, leadership and strategy. He works for the Chair Leadership Co.