
Integris Data Privacy Dictionary – 1st Edition

© Integris Software 2020. All rights reserved. 1

Table of Contents

Introduction - A New Language Has Emerged ... 3

The World of Data Privacy in 2020 ... 4

Key Privacy Terms ... 5

AUTHENTICATION ... 5
BIG DATA ... 6
CCPA ... 7
CHIEF DATA OFFICER ... 8
CHIEF PRIVACY OFFICER ... 9
COMPLIANCE ... 10
CONSENT ... 11
CONSENT MANAGEMENT ... 12
COOKIE ... 13
COPPA ... 14
CROSS BORDER TRANSFERS ... 15
DATA ANONYMIZATION ... 16
DATA CATALOG ... 17
DATA CLASSIFICATION ... 19
DATA CONTROLLER ... 20
DATA DE-IDENTIFICATION ... 21
DATA DISCOVERY AND CLASSIFICATION ... 22
DATA ENCRYPTION ... 23
DATA FLOW DIAGRAM ... 24
DATA GOVERNANCE ... 25
DATA INVENTORY ... 26
DATA LINEAGE ... 27
DATA MAPPING ... 28
DATA MASKING ... 29
DATA MINIMIZATION ... 30
DATA NEGLIGENCE ... 31
DATA OBFUSCATION ... 32
DATA PORTABILITY ... 33
DATA PRIVACY ... 34
DATA PRIVACY AUTOMATION ... 35
DATA PRIVACY BEST PRACTICES ... 36
DATA PRIVACY RISK ... 37
DATA PRIVACY SOLUTIONS ... 38
DATA PROCESSOR ... 39
DATA PROTECTION AUTHORITY ... 40
DATA PROTECTION OFFICER ... 41
DATA REDACTION ... 42
DATA RETENTION ... 43
DATA STEWARD ... 45
DATA SUBJECT ... 46
DATA SUBJECT AND CONSUMER RIGHTS ... 47
DATA SUBJECT ACCESS REQUEST (DSAR) ... 48
FTC ... 49
GDPR ... 50
HIPAA ... 51
LOGS ... 52
NIST PRIVACY FRAMEWORK ... 53
PERSONAL DATA ... 54
PHISHING ... 55
PRIVACY BY DESIGN ... 56
PRIVACY IMPACT ASSESSMENT ... 57
PRIVACY SHIELD ... 58
PSEUDONYMIZATION ... 59
PUBLIC RECORDS ... 60
RIGHT TO BE FORGOTTEN ... 61
SPAM ... 62
TOXIC DATA COMBINATIONS OF DATA ... 63
TRANSPARENCY ... 64
UNAUTHORIZED DATA ACCESS, USE, OR TRANSFER ... 64
WHALING ... 65

About Integris Software ... 67


Introduction - A New Language Has Emerged

A new language has emerged over the last decade: the language of data privacy. As the tenets of privacy have solidified, so has a common lexicon to help privacy, security, and governance teams communicate more effectively as they collaborate on privacy issues, projects, and compliance efforts.

This Integris Data Privacy Dictionary contains the most prevalent privacy terms that represent common searches, headlines, and global regulations. In this first edition you will find easy-to-understand definitions of the most common privacy words. Provided alongside those words are concept examples, and links to expert resources for further learning.

We hope you find it helpful in understanding the dozens of terms that are used in today’s privacy discussions across the globe. This effort is a living document, and we encourage you to propose edits to existing terms or add new ones via our Suggestion Box.


The World of Data Privacy in 2020

Privacy is top of mind for most medium and large businesses across the globe. Companies want their current operations to proceed unfettered in the face of new regulations. The scope of GDPR, CCPA and other privacy laws affects all companies that collect personal information on their customers.

GDPR was enacted in May of 2018 and enforcement is growing steadily. In 2019, approximately 40 enforcement actions occurred from European Supervisory Authorities with fines totaling over 400M euros. Across Asia, regulatory authorities have increased enforcement of privacy violations. And in the US, the FTC has fined several large companies for failing to protect their customers’ personal information.

And the appetite for stealing personal data through data breaches continues to grow. Early estimates for 2019 indicate a record 5,000-plus breaches, with over 7.9B consumer records illegally accessed.

With CCPA live since January 1, 2020, new global regulations, and expected data breaches, 2020 is gearing up to be a monumental year for data privacy challenges, enforcement, and legislation.


Key Privacy Terms

Authentication

Authentication is the process of verifying the identity of a user or validating a connecting device. Passwords, tokens and shared secrets are used to ensure that a user and/or device has the right to access data and resources on a computer system or network.

What are some examples of authentication tools?

• Simple username and password.

• Challenge response device, such as an RSA token.

• Two-factor authentication, such as a USB key holding a PKI certificate or a mobile device, combined with a password.

• Biometric, such as a fingerprint scanner.

Who are the key vendors for authentication?

Authentication vendors within the broader category of “Identity and Access Management” offer focused solutions:

• Authentication Solutions: Validate identities for users and consumers. Examples are Callsign, Centrify, Google, and Duo.

• IDaaS (Identity as a Service): Cloud service for validating the identities of users and consumers. Examples are OneLogin, RSA, Okta, and Microsoft.

• Privileged Management: Help control and monitor privileged users’ (those with administrative access to systems) access to data and resources. Examples are CyberArk, One Identity and Beyond Trust.

• Identity Governance: These solutions help organizations holistically manage the access rights of users across an enterprise. Examples are Sailpoint, SIMEIO and Help Systems.

• Consumer Identity: As the category name indicates, these solutions are focused on providing access rights to consumers who access a company’s services and products. Examples include LoginRadius, Verato, Akamai, and ID.me.

Here are additional resources to learn more about authentication:

• NIST Privacy Risk Framework

• European Commission, About Authorization and Authentication


• PC Mag, Two-Factor Authentication: Who Has It and How to Set It Up

Big Data

Big Data’s Purpose and How it Impacts Privacy Management

Big data is a term used to describe large amounts of data (structured, semi-structured, or unstructured) that can be mined for data analytics and used in machine learning.

Big data is frequently characterized by the 3Vs: the extraordinary volume of data, the wide variety of data types and the velocity at which the data must be handled. Those attributes were first identified by Gartner analyst Doug Laney in a report published in 2001.

More recently, a few other Vs have been added to descriptions of big data, including veracity, value and variability. While big data does not correspond to any particular volume of data, the term is regularly used to describe terabytes, petabytes and even exabytes of data captured over time.

Organizations use the big data collected in their systems to improve operations, provide better customer service, personalize advertising based on explicit customer preferences, and improve profitability.

Big data is also used by medical researchers to identify disease risk factors. Data coming from electronic health records, social networking, and other data sources can help identify infectious disease threats or outbreaks.

Why is Big Data important to privacy?

• Many organizations have Big Data repositories that include personal data; these are subject to privacy regulations.

• Organizations may have many users across many geographies accessing Big Data repositories. Privacy practices, policies, and controls must account for this situation.

• To fulfill data subject rights, such as data access and the right to be forgotten, Big Data repositories must be included in the rights processing.

Here are additional resources to learn more about Big Data:

• NIST, “NIST Big Data Interoperability Framework: Volume 4, Security and Privacy”

• UK ICO, “Big data, artificial intelligence, machine learning and data protection”


CCPA

CCPA is the California Legislation that is Defining US Privacy

The California Consumer Privacy Act (CCPA) was the first comprehensive US state privacy legislation; it passed in June 2018 and became effective January 1, 2020. The Act gives California citizens more control of their personal information and requires organizations to better safeguard information from unauthorized use and access.

The legislation provides citizens the right to know what data companies collect on them, the right to tell companies not to share or sell their personal data and provides sanctions and remedies against organizations that fail to safeguard and use California citizens’ personal information properly.

What are the specific rights granted under CCPA?

1. The right to request, twice a year, what information is being collected on them.

2. The right to say no to the sale of personal information.

3. The right to sue companies that fail to protect information reasonably (for example, a company that did not encrypt a citizen’s personal data).

4. The right to have information deleted.

5. The right to non-discrimination for citizens who request that their information not be sold.

6. The right to be informed of what information will be collected before the collection occurs.

7. The right to a mandatory opt-in before children’s information is sold.

8. The right to know what data is shared with third parties.

9. The right to know where additional data was acquired.

10. The right to know the purpose for collecting personal data.

How will the CCPA be enforced?

The CCPA has two enforcement provisions. First, the California AG can bring action against companies for violations. Second, consumers can initiate private action in the case of a data breach. CCPA provides guidelines for statutory damages, or the consumer may instead try to prove actual damages.


Here are additional resources to learn more about CCPA:

• Californians for Consumer Privacy, About the Law

• State of California Attorney General, California Consumer Privacy Act (CCPA)

Chief Data Officer

Chief Data Officers Own Data Governance, Management and Analytics

The Chief Data Officer (CDO) role emerged in the early 2000s. Chief Data Officers drive data strategy and initiatives for companies, including data governance, data management, data quality, and data-driven innovation. They ensure the organization collects and processes the information required for optimal performance, implement and support data governance and compliance programs, and leverage analytics to deliver new or improved products and services to customers. Chief Data Officers may report to the CEO, CIO or CTO, and their staff may include data architects, data scientists, and data governance and data management professionals. CDOs work closely with Chief Privacy Officers to ensure that data-driven initiatives do not increase the privacy risk of the organization and that privacy policies and practices are followed.

What are some of the key responsibilities of the CDO?

• Lead the data governance council to drive the organization’s goals, strategies and objectives for data utilization and innovation.

• Create a data-driven innovation roadmap.

• Oversee the data governance program which encompasses the obligations of data privacy and compliance.

• Drive the continuous improvement of data quality to provide better customer interactions and provide a solid foundation for master data management.

• Provide the necessary data for the company to offer new services and products, improve operations and make optimal business decisions.

• Establish best practices for data management programs.

• Leverage data analytics to improve customer retention and satisfaction.

Here are additional resources to learn more about CDOs:

• Gartner, article on CDO prioritization survey

• CIO Magazine, “What is a chief data officer?”


• MIT, CDOIQ Symposium

Chief Privacy Officer

The Chief Privacy Officer drives the policies, processes, and controls that enable organizations to collect and use personal information in an ethical and compliant manner. They are responsible for managing privacy risks in accordance with privacy laws and regulations. The role emerged in the late 1990s with growing consumer and corporate concern about how personal data was being collected, used, and protected.

Typically, Chief Privacy Officers have a legal background and an excellent conceptual understanding of information technology. They represent their company in privacy advocacy both internally and externally. Chief Privacy Officers may report to the CEO, CIO or CLO.

The Data Protection Officer (DPO) is a role closely related to the CPO. The DPO is a role mandated by GDPR that works with the local Data Protection Authority (DPA) to ensure compliance with the regulation. Very few companies have combined the two roles, because the CPO is seen as an advocate for the company while the DPO is an advocate for the DPA.

What are the key responsibilities of a Chief Privacy Officer?

• Team with EU DPOs for GDPR compliance.

• Develop policies, practices, and procedures for privacy compliance.

• Conduct privacy impact assessments.

• Monitor and remediate privacy risks.

• Ensure proper consent management and data subject access request processes.

• Team with CISOs on breach response notifications.

• Represent their company to regulatory agencies.

Here are additional resources to learn more about Chief Privacy Officers:

• SpencerStuart, “Beyond Data Protection: The Rising Role of the Chief Privacy Officer”

• CIO, “5 reasons you need to hire a chief privacy officer (CPO)”

• IAPP, multiple resources


Compliance

Privacy compliance means being able to provide attestation and demonstrate policies and controls on-demand to auditors

The term compliance appears 36 times in the GDPR text, but the regulation never defines it. For privacy, compliance means meeting the rules, regulations, requirements, requests, guidelines and laws that govern how companies collect, process, manage, and share personal information. Organizations have various policies that dictate these requirements, reflecting their regulatory landscape and ethical guidelines. Compliance readiness is the current state of a company in meeting its own policies and guidelines.

What are some typical privacy compliance concerns?

• Do we know where all our personal and sensitive data resides?

• Do we have clear consent guidelines and obvious and simple customer controls?

• Do we have the processes in place to process and respond to DSARs?

• Are our customers’ data adequately protected?

• Do we have strict policies on how customer data can be used and shared?

• Can we provide attestation and demonstrate our policies and controls on-demand to auditors?

• Are our employees continuously trained on their responsibilities in the handling of customer data?

• Are our employees continuously trained on how to avoid the unintentional use, transfer or exposure of customer data?

How do companies track or measure their compliance readiness?

• Maintain a continuous inventory of personal data and monitor the associated risk.

• Establish and monitor processes for obtaining consent.

• Monitor DSARs for completeness and timeliness of response.

• Conduct internal audits of practices, policies and controls.

• Implement a recurring employee training program on privacy responsibilities.

• Ensure that security practices, controls and preventions are regularly tested for effectiveness.

Here are additional resources to learn more about compliance:

• European Commission, various articles

• IAPP, various articles

Consent

Individuals may provide consent to a company on how it can use or process their personal information

In the context of data privacy, consent is the clear and explicit permission obtained by a company to process or use an individual's personal information. When an individual provides consent, they should clearly understand why and how a company will use their personal information. Consent must be explicit, in that the company provides clear and unambiguous consent agreements and clear ways for individuals to withdraw consent.

The GDPR provides a clear definition of consent with: “‘consent’ of the data subject means any freely given, specific, informed and unambiguous indication of the data subject's wishes by which he or she, by a statement or by a clear affirmative action, signifies agreement to the processing of personal data relating to him or her”.

What are the Key Considerations for Consent?

• Organizations need to clearly ask for and define what an individual’s consent allows. Organizations should not use pre-checked boxes and should provide consent options for all uses of their information. In addition, they need to provide simple options for individuals to withdraw their consent.

• Organizations need to specifically record how and when consent was gained and what information was presented to the individual.

• Organizations need to actively manage consents and process consent updates as rapidly as possible. They should not reduce service for individuals who have reduced or withdrawn consent.

What are some examples of how consent is obtained/withdrawn?

• Very conspicuous opt-out links in emails.

• Obvious notices on web pages to accept cookies.

• Selection boxes that must be checked on registration forms to allow further communications.

Here are additional resources to learn more about Consent:

• European Commission, “How should my consent be requested?”

• UK Information Commissioner’s Office, Consent

Consent Management

Consent Management Gives Consumers Control of Their Data

The process of obtaining and responding to customer requests on the use of their personal and sensitive data is consent management. Most privacy regulations provide rights for consumers and customers to control the use of their data via the consent the customer grants a company or organization. Companies must gain consent from customers (either explicit or implicit) and respond to customer requests to remove or change their consents.

Organizations should provide clear and obvious tools or methods for customers to change consent. This could be a privacy or consent button on forms, settings in applications, or consent control options in customer communications and offers.

What are some examples of what a company needs to control for effective consent management?

• How personal data is being used.

• If personal data will be shared with partners.

• If personal data and preferences will be used to provide additional offers to customers.

• If personal data will be shared for research or analytical purposes.

How do organizations obtain consent choices?

• Written contract.

• Check boxes in web forms.

• Setting in an application.

• Response to an email.

• Verbal responses to oral questions.

What are the key requirements for consent management?

• Automated web notices to obtain consent.

• Database to store customer consent choices.

• Workflows for customer communication applications and ad partners to add/or withdraw consent.

• Reports and audit capabilities to review overall consent statistics and an individual’s consent preferences and history.
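The consent store, workflow and audit requirements above come together in a record of every grant and withdrawal. As an added example, not code from Integris or from this dictionary, the following Python sketches an append-only consent ledger: each event records what was consented to, whether it was a grant or a withdrawal, when and through which channel it was captured, and which notice text the person saw. The subject ids, purposes and timestamps are constructed; the "latest event wins, no event means no consent" rule is the assumption the status check rests on.

```python
"""Added example (not Integris code): an append-only consent ledger.

Every grant or withdrawal is stored as an event with how, when and under which
notice it was captured, so the current status and the full history can be
shown to the person or to an auditor.  All names and values are constructed.
"""
from dataclasses import dataclass
from datetime import datetime, timezone
from typing import Dict, List, Optional, Tuple


@dataclass(frozen=True)
class ConsentEvent:
    subject_id: str       # the person the consent belongs to
    purpose: str          # what the consent allows, e.g. "marketing_email"
    granted: bool         # True = consent given, False = consent withdrawn
    at: datetime          # when it was captured (timezone-aware)
    channel: str          # how it was captured: "web_form", "email_link", ...
    notice_version: str   # which consent text the person actually saw


class ConsentLedger:
    """Append-only store: events are never edited or deleted, only added."""

    def __init__(self) -> None:
        self._events: List[ConsentEvent] = []

    def record(self, event: ConsentEvent) -> None:
        if event.at.tzinfo is None:
            raise ValueError("consent timestamps must be timezone-aware")
        self._events.append(event)

    def status(self, subject_id: str, purpose: str,
               as_of: Optional[datetime] = None) -> bool:
        """Is processing for `purpose` allowed for this person at `as_of`?

        The latest event at or before `as_of` wins.  No event at all means no
        consent: a missing record is never treated as an opt-in.
        """
        as_of = as_of or datetime.now(timezone.utc)
        relevant = [e for e in self._events
                    if e.subject_id == subject_id and e.purpose == purpose
                    and e.at <= as_of]
        if not relevant:
            return False
        return max(relevant, key=lambda e: e.at).granted

    def history(self, subject_id: str) -> List[ConsentEvent]:
        """Chronological record of everything this person granted or withdrew."""
        return sorted((e for e in self._events if e.subject_id == subject_id),
                      key=lambda e: e.at)

    def stats(self) -> Dict[str, int]:
        """Per purpose: how many subjects currently have consent in force."""
        latest: Dict[Tuple[str, str], bool] = {}
        for e in sorted(self._events, key=lambda e: e.at):
            latest[(e.subject_id, e.purpose)] = e.granted
        counts: Dict[str, int] = {}
        for (_, purpose), granted in latest.items():
            counts[purpose] = counts.get(purpose, 0) + (1 if granted else 0)
        return counts


def build_sample_ledger() -> ConsentLedger:
    """Constructed history for one fictitious subject."""
    utc = timezone.utc
    ledger = ConsentLedger()
    ledger.record(ConsentEvent("subj-1001", "marketing_email", True,
                               datetime(2020, 1, 10, 9, 30, tzinfo=utc),
                               "web_form", "notice-v3"))
    ledger.record(ConsentEvent("subj-1001", "share_with_partners", True,
                               datetime(2020, 1, 10, 9, 30, tzinfo=utc),
                               "web_form", "notice-v3"))
    # Withdrawal captured from an opt-out link; the earlier grant stays on record
    ledger.record(ConsentEvent("subj-1001", "share_with_partners", False,
                               datetime(2020, 3, 1, 18, 5, tzinfo=utc),
                               "email_link", "notice-v3"))
    return ledger


if __name__ == "__main__":
    ledger = build_sample_ledger()
    print(ledger.status("subj-1001", "marketing_email"))      # True
    print(ledger.status("subj-1001", "share_with_partners"))  # False
    for event in ledger.history("subj-1001"):
        print(event.at.isoformat(), event.purpose,
              "granted" if event.granted else "withdrawn", event.channel)
```

Because withdrawals are appended rather than overwriting the grant, the ledger can answer both "is this allowed now?" (the workflow question) and "what did this person agree to, when, and under which notice?" (the audit question) from the same data.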

Here are additional resources to learn more about consent management:

• Wikipedia,

• IAPP Glossary of Privacy Terms, Consent

• UK Information Commissioner’s Office, How to obtain, record and manage consent?

• CMSWire, What is a consent management system

Cookie

Cookies are a Key Component of Privacy for Consent Management

According to the IAPP, a cookie is “a small text file stored on a client machine that may later be retrieved by a web server from the machine.” They are stored in your internet browser. Essentially, cookies are packets of information or data that are sent by websites to your computer and then sent back to the site without any alteration. Users may block or delete cookies, as well as operate in privacy mode (no cookies on browsing history).

What do Cookies do?

As Norton explains, cookies help websites keep track of your activity and visits. Some common uses for cookies include storing login information for websites (i.e. saving your password and/or username on various websites) and keeping track of items in a user’s shopping cart. Or, a news site may utilize a cookie to save a custom text size you’ve chosen for viewing news articles.

GDPR, CCPA and Cookies

Cookies that companies use to recognize devices and/or individuals are treated as personal information under GDPR. This means that if a cookie can identify an individual, it is considered personal data and comes under the purview of GDPR. In order to be compliant with the regulation, organizations cannot use cookies that identify people.

For CCPA, if cookies have any information that can identify a person or household, then that cookie is considered personal information and must be treated accordingly. In addition, best practices for CCPA dictate that organizations clearly state the purpose of their cookies in their website privacy notice.

What are some examples of information stored in cookies?

• Browsing history

• Login information

• Shopping cart data

• Information entered into forms

Here are additional resources to learn about cookies:

• Norton (Symantec)

• UK Information Commissioner's Office

COPPA

COPPA Protects the Online Privacy of Children Under the Age of 13

COPPA stands for the Children's Online Privacy Protection Rule of 1998 (15 USC 6501). This US regulation provides for the privacy protection of children under age 13. Specifically, website operators, online services and mobile applications must obtain parental permission before collecting any personal information from the child. The operator must also state their privacy policy for obtaining parental consent and how they protect children's information.

The FTC provides the following overview of COPPA: “The primary goal of COPPA is to place parents in control over what information is collected from their young children online. The Rule was designed to protect children under age 13 while accounting for the dynamic nature of the Internet. The Rule applies to operators of commercial websites and online services (including mobile apps) directed to children under 13 that collect, use, or disclose personal information from children, and operators of general audience websites or online services with actual knowledge that they are collecting, using, or disclosing personal information from children under 13. The Rule also applies to websites or online services that have actual knowledge that they are collecting personal information directly from users of another website or online service directed to children.”

What are the key requirements of COPPA?

• Have parental consent for obtaining personal information of children under age 13.

• Post the privacy policy that details how consent is obtained and how information is protected.

• Provide parents with information on how their children’s information will be used and how to access the collected information.

• Only retain the child’s information as reasonably needed.

How does COPPA define personal information of children under 13?

• Name

• Address

• Videos, pictures or audio

• SSN

• Data elements that can be recombined to identify a child (age, sex, zip code)

• User names, unique identifiers, and location data

Here are additional resources to learn more about COPPA:

• Federal Trade Commission, Children’s Online Privacy Protection Act (“COPPA”)

• Electronic Privacy Information Center, Children’s Online Privacy Protection Act (COPPA)

• vidIQ, “COPPA and YouTube: 11 Things Creators Need to Know Right Now”

Cross Border Transfers

Cross Border Transfers are Controlled by Regulatory Requirements

A cross border transfer describes the transmission of personal data from one country (jurisdiction) to another. Most privacy legislation provides regulations and guidelines for transferring information across borders. GDPR uses binding corporate rules to define how data can be transferred. These rules regulate how to transfer data within a company and/or with EU and EEA companies that have agreed to these rules. The EU member states are Austria, Belgium, Bulgaria, Croatia, Cyprus, Czech Republic, Denmark, Estonia, Finland, France, Germany, Greece, Hungary, Ireland, Italy, Latvia, Lithuania, Luxembourg, Malta, Netherlands, Poland, Portugal, Romania, Slovakia, Slovenia, Spain, Sweden and the United Kingdom. The EEA states are Iceland, Norway and Liechtenstein.

For transfers from EU businesses to companies in the United States, the rules of Privacy Shield regulate cross border transfers. In contrast, the CCPA does not specifically address cross border transfers. The Privacy Shield provides organizations the requirements and obligations for United States companies to transfer data to and from European Union states. US companies self-certify following the guidelines from the US Department of Commerce and commit to following privacy and protection principles.

What would be considered a cross border transfer?

• Data specifically moved from one country to another.

• Data that crosses boundaries during processing.

• If the processing of data could affect a data subject in another territory.

Here are additional resources to learn more about cross border transfers:

• IAPP, Glossary of Terms, cross border transfers

• European Commission, cross border transfers

• UK Information Commissioner’s Office, cross border transfers

• Wikipedia, cross border transfers

Data Anonymization

Data Anonymization’s Critical Role in Protecting Data Privacy

Data anonymization utilizes various techniques to remove identity and sensitive data from electronic records that can identify a specific individual. This identity data is referred to as personally identifiable information (PII) and includes name, email, phone, address or other information that relates to a specific person. Sensitive data typically relates to an individual's finances, health, or political or religious beliefs. PII and sensitive data can be anonymized by removal, redaction, substitution, or randomization:

1. Removal: PII or sensitive data fields are simply removed. This technique has limited use as many applications and reports will experience errors if data fields are missing.

2. Redaction: Data is blurred or covered so that the original values can’t be viewed. This technique is useful for reports or application screens where PII and sensitive data is obfuscated for unauthorized users.

3. Substitution: PII or sensitive data is substituted with similar but unrelated data. Data substitutions typically fall within specific ranges to provide realistic but anonymized data sets. This method is used frequently for anonymizing application test data.

4. Randomization: PII or sensitive data is simply randomized. This approach supports instances where the value of the randomized data does not affect the use of the remaining data in an electronic record. An example is a report that details purchases by zip code. Randomizing the customer identities would not impact the analysis, as the information needed is what products are being purchased in which local markets.

Data anonymization provides privacy control for business processes such as training, software development, or customer service by eliminating the unauthorized viewing of personal information. An example would be application testers who need production data to ensure the optimal testing of new applications or features. By utilizing production data that is anonymized, testers cannot see PII and sensitive information, but they can test their new software with the best data sets available (production data).
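The four techniques above, applied to a constructed set of purchase records, as an added example (this is not Integris code or a description of any product). The records, the placeholder names and the "purchases by zip code" report are all constructed; the point the code makes is the one in the text: after identities are removed, redacted, substituted or randomized, the zip-code report still comes out identical, and a final check confirms that none of the original PII values survive.

```python
"""Added example (not Integris code): the four anonymization techniques
applied to constructed purchase records, and a check that a zip-code report
still comes out the same afterwards."""
import hashlib
import random
from typing import Dict, Iterable, List

# Constructed sample records: no real people, addresses or accounts.
SAMPLE_RECORDS: List[Dict] = [
    {"customer_id": "C-1001", "name": "Alice Example", "email": "alice@example.com",
     "zip": "92694", "product": "router", "amount": 129.99},
    {"customer_id": "C-1002", "name": "Bob Sample", "email": "bob@example.org",
     "zip": "92694", "product": "switch", "amount": 249.00},
    {"customer_id": "C-1003", "name": "Carol Test", "email": "carol@example.net",
     "zip": "10001", "product": "router", "amount": 129.99},
]
PII_FIELDS = ("customer_id", "name", "email")
# Placeholder names used for substitution/randomization (constructed).
FAKE_NAMES = ["Pat Doe", "Sam Roe", "Kim Poe", "Lee Moe"]


def remove(record: Dict, fields: Iterable[str] = PII_FIELDS) -> Dict:
    """1. Removal: drop the PII columns entirely (downstream code must cope with missing keys)."""
    return {k: v for k, v in record.items() if k not in fields}


def redact(record: Dict, fields: Iterable[str] = PII_FIELDS) -> Dict:
    """2. Redaction: keep the column, blank out the value so layouts still render."""
    out = dict(record)
    for f in fields:
        if f in out:
            out[f] = "*" * len(str(out[f]))
    return out


def substitute(record: Dict, salt: str) -> Dict:
    """3. Substitution: replace PII with realistic look-alikes, deterministically.

    Same input + same salt always gives the same substitute, so test data keeps
    its joins (the same customer still shows up as the same fake customer).
    """
    def pick(value: str, modulus: int) -> int:
        h = hashlib.sha256((salt + ":" + value).encode()).hexdigest()
        return int(h, 16) % modulus

    out = dict(record)
    # six-digit ids cannot collide with the four-digit originals
    out["customer_id"] = f"C-{pick(record['customer_id'], 900_000) + 100_000}"
    out["name"] = FAKE_NAMES[pick(record["name"], len(FAKE_NAMES))]
    out["email"] = f"user{pick(record['email'], 10_000):04d}@example.invalid"
    return out


def randomize(record: Dict, rng: random.Random) -> Dict:
    """4. Randomization: identity fields get fresh random values; zip and purchase stay."""
    out = dict(record)
    out["customer_id"] = f"C-{rng.randint(100_000, 999_999)}"
    out["name"] = rng.choice(FAKE_NAMES)
    out["email"] = f"user{rng.randint(0, 9999):04d}@example.invalid"
    return out


def randomize_all(records: Iterable[Dict], seed: int) -> List[Dict]:
    """Randomize a whole data set; the seed only makes the demo repeatable."""
    rng = random.Random(seed)
    return [randomize(r, rng) for r in records]


def purchases_by_zip(records: Iterable[Dict]) -> Dict[str, Dict[str, int]]:
    """The report from the text: which products sell in which zip code."""
    report: Dict[str, Dict[str, int]] = {}
    for r in records:
        per_zip = report.setdefault(r["zip"], {})
        per_zip[r["product"]] = per_zip.get(r["product"], 0) + 1
    return report


def leaks_original_pii(anonymized: Iterable[Dict], originals: Iterable[Dict]) -> bool:
    """Sanity check: does any original PII value survive in the anonymized set?"""
    original_values = {str(r[f]) for r in originals for f in PII_FIELDS}
    return any(str(v) in original_values
               for r in anonymized for k, v in r.items() if k in PII_FIELDS)


if __name__ == "__main__":
    randomized = randomize_all(SAMPLE_RECORDS, 2020)
    print(purchases_by_zip(SAMPLE_RECORDS) == purchases_by_zip(randomized))  # True
    print(leaks_original_pii(randomized, SAMPLE_RECORDS))                   # False
```

Substitution is keyed with a salt and randomization with a seeded generator only so that the demonstration is repeatable; the `leaks_original_pii` check is the kind of control a practitioner runs on any masked copy before handing it to testers.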

What tools and techniques are used for data anonymization?

1. Data masking software: Data masking allows the organization to mask data in two ways. First, dynamic masking will mask data based on a user’s role. For example, a staff member in finance may be able to see sensitive data while a customer service representative may not. Second, persistent data masking will mask copies of production data. These copies are used for software testing, analytics, and training.

2. Format preserving encryption (FPE): FPE uses encryption to replace data with a value that fits the format of the original data. For example, FPE could turn the zip code 92694 into 33333; the person’s location is kept confidential, and reports or analytics operate normally because the field is not null. Only authorized users have the ability to decrypt the anonymized fields.

3. Data transformation solutions: Data transformation tools allow organizations to migrate and reformat data from one platform (such as Oracle) to a new target platform (such as Microsoft SQL Server). Data can be masked as part of the transformation process.
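To make the FPE point concrete, here is an added example (not Integris code, and not the NIST FF1/FF3 algorithms a product would use) of a small keyed format-preserving permutation over decimal digits: an alternating Feistel network whose round function is HMAC-SHA256. It shows the two properties the text relies on: the output is a string of the same length and character class as the input, so a masked zip code still looks like a zip code, and only the holder of the key can run the rounds backwards to recover the original. The key and the records are constructed.

```python
"""Added example (not Integris code, not NIST FF1/FF3): a small keyed
format-preserving permutation over decimal digits, built as an alternating
Feistel network with HMAC-SHA256 as the round function.  It illustrates
the property the text describes (same format out, reversible only with the
key); use a vetted FPE implementation in production."""
import hashlib
import hmac


def _round_fn(key: bytes, rnd: int, value: int, width: int) -> int:
    """Round function: HMAC(key, round || value) reduced to `width` decimal digits."""
    digest = hmac.new(key, f"{rnd}:{value}".encode(), hashlib.sha256).digest()
    return int.from_bytes(digest, "big") % (10 ** width)


def fpe_digits(key: bytes, digits: str, decrypt: bool = False,
               rounds: int = 10) -> str:
    """Map a string of decimal digits to another string of the same length.

    Even rounds modify the left half using the right half, odd rounds the
    reverse; running the rounds backwards with subtraction undoes them.
    """
    if not digits.isdigit() or len(digits) < 2:
        raise ValueError("need at least two decimal digits")
    n = len(digits)
    a, b = n // 2, n - n // 2                      # widths of the two halves
    left, right = int(digits[:a]), int(digits[a:])
    mod_l, mod_r = 10 ** a, 10 ** b
    order = reversed(range(rounds)) if decrypt else range(rounds)
    sign = -1 if decrypt else 1
    for rnd in order:
        if rnd % 2 == 0:
            left = (left + sign * _round_fn(key, rnd, right, a)) % mod_l
        else:
            right = (right + sign * _round_fn(key, rnd, left, b)) % mod_r
    return f"{left:0{a}d}{right:0{b}d}"


def mask_zip(key: bytes, record: dict) -> dict:
    """Persistently mask the zip field of a record copy; everything else untouched."""
    out = dict(record)
    out["zip"] = fpe_digits(key, record["zip"])
    return out


if __name__ == "__main__":
    key = b"constructed-demo-key-do-not-reuse"   # constructed key for the demo
    masked = fpe_digits(key, "92694")
    print(masked, fpe_digits(key, masked, decrypt=True))  # five digits, then 92694
```

Leading zeros survive because the halves are re-padded to their original widths, which is the kind of edge case that breaks naive "encrypt the integer" approaches on zip codes such as 00123.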

Here are additional resources to learn more about data anonymization:

• NIST, “De-Identification of Personal Information”

• European Commission, recommendations on data anonymization

Data Catalog

Data catalogs help organizations govern and manage their critical data assets. Data catalogs locate, analyze, and create navigable intelligence on data identities, such as customer or product records. Organizations can understand how, where, and why data is used across their organizations. Data catalogs create rich sets of metadata on data entities to describe the data’s characteristics and utilization.

How are data catalogs used?

• Identifying data sets for consolidation via master data management, such as customer, partner, employee, product, or service records stored on various systems.

• Creating a central record of all data assets for data governance programs.

• Exploring data for analytic projects by data scientists and analysts.

• Providing insight to data management teams for data integration, consolidation, and migration projects.

• Helping IT teams understand the issues, challenges and support needed to migrate LoB and mission-critical applications to SaaS/cloud.

• Supporting internal and external audits related to privacy, security, and financial reporting.

What are the key functions of a data catalog?

• Connect and discover data from various sources.

• A business glossary defining data types.

• Lineage information to understand the data’s provenance.

• Collaboration/team features.

• Exploration function of data from source to target.

• Analysis and monitoring of adherence to data governance.

• Google-like search capabilities across data assets.

• Data context reporting.

• Data protection/masking based on role-based access.

How is a data catalog important to privacy?

• Provides organizations with intelligence of what data should be monitored for privacy risk, usage, and protection.

• Deep analysis of personal and sensitive data.

Here are additional resources to learn more about Data Catalogs:

• Datanami, “Enterprise-Wide Data Governance through Governed Global Catalogs”

• Dataversity, “The Data Catalog Drives Digital Transformation – Artificial Intelligence Drives the Catalog”

Data Classification

Data Classification Identifies Personal and Sensitive Data for Privacy

Data classification is the process of sorting and labeling data for purposes of data privacy and data management. The data classification process provides intelligence on data location, sensitivity, geography, or other characteristics. With this intelligence, organizations can better manage and secure data to meet privacy, governance, business, and security objectives. Data can be classified across multiple variables. For example, a piece of data could be classified as company confidential, high business value, and medium-term retention, with each classification informing how the organization uses, manages, and governs that data.

How do companies implement data classification?

• Via policies -- the organization specifies the use and restrictions of data by policy.

• Through automation -- data privacy automation software will discover and analyze data sets to determine the appropriate classification based on multiple variables and rules. AI and ML capabilities can enhance discovery, enabling the detection of potentially unknown personal and sensitive data that organizations have not officially defined or cataloged.

• User driven -- where data owners help define data classification directly and/or verify the results from automated solutions.

How is data classification used within the context of data privacy?

1. Determine what regulations apply to which data.

2. Determine the sensitivity of the data for the purpose of being precise in the application of data and cybersecurity controls.

3. Identify elements of personal data needed to support data subject rights and consent requests.

4. Support internal and external audits of personal information.

5. Multi-label classification allows organizations to pinpoint data sets where several data elements could be combined to allow identification of anonymized data. This is referred to as toxic combinations of data.
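The automated and multi-label points above, as an added example (not Integris code and not a description of any product): a small content-based column classifier that labels columns from what their values look like rather than from their names, then checks the resulting labels for the toxic combination the COPPA section and item 5 describe (age or birth date, sex and zip code together). The sample table, the simplified value patterns, the 80% match threshold and the "two or more quasi-identifiers" rule are all constructed assumptions.

```python
"""Added example (not Integris code): content-based column classification
with a check for toxic combinations of quasi-identifiers.  The sample table
and the rule thresholds are constructed."""
import re
from typing import Dict, List, Set

# Constructed sample: column names deliberately do not all say what they hold.
SAMPLE_TABLE: List[Dict[str, str]] = [
    {"contact": "alice@example.com", "ref": "123-45-6789", "postal": "92694",
     "dob": "1985-04-12", "gender": "F", "diagnosis": "J45.9", "order_total": "129.99"},
    {"contact": "bob@example.org", "ref": "987-65-4321", "postal": "10001",
     "dob": "1990-11-30", "gender": "M", "diagnosis": "E11.9", "order_total": "249.00"},
    {"contact": "carol@example.net", "ref": "555-12-3456", "postal": "30301",
     "dob": "1978-02-03", "gender": "F", "diagnosis": "I10", "order_total": "15.50"},
]

# Simplified value patterns used to sniff what a column contains.
VALUE_RULES = {
    "email":      re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$"),
    "ssn":        re.compile(r"^\d{3}-\d{2}-\d{4}$"),
    "zip":        re.compile(r"^\d{5}(-\d{4})?$"),
    "birth_date": re.compile(r"^(19|20)\d{2}-\d{2}-\d{2}$"),
    "sex":        re.compile(r"^(M|F)$"),
}
# Column-name hints for categories that have no recognizable value format.
NAME_HINTS = {"diagnosis": "health", "condition": "health", "icd_code": "health"}

DIRECT_IDENTIFIERS = {"email", "ssn"}
QUASI_IDENTIFIERS = {"zip", "birth_date", "sex"}
SENSITIVE = {"health"}
MATCH_RATIO = 0.8   # label a column when at least 80% of its non-empty values match


def classify_column(name: str, values: List[str]) -> Set[str]:
    """Multi-label: a column can carry several labels at once."""
    labels: Set[str] = set()
    non_empty = [v for v in values if v]
    for label, pattern in VALUE_RULES.items():
        if non_empty:
            hits = sum(1 for v in non_empty if pattern.match(v))
            if hits / len(non_empty) >= MATCH_RATIO:
                labels.add(label)
    if name.lower() in NAME_HINTS:
        labels.add(NAME_HINTS[name.lower()])
    return labels


def classify_table(rows: List[Dict[str, str]]) -> Dict[str, Set[str]]:
    columns = list(rows[0].keys()) if rows else []
    return {col: classify_column(col, [r.get(col, "") for r in rows]) for col in columns}


def toxic_combinations(classification: Dict[str, Set[str]], threshold: int = 2) -> Set[str]:
    """Quasi-identifiers present in the data set; `threshold` or more together can re-identify."""
    present = {q for labels in classification.values() for q in labels & QUASI_IDENTIFIERS}
    return present if len(present) >= threshold else set()


def summarize(classification: Dict[str, Set[str]]) -> Dict[str, List[str]]:
    """The roll-up a privacy team wants: what identifiers, what sensitive data, what combinations."""
    all_labels = set().union(*classification.values()) if classification else set()
    return {
        "direct_identifiers": sorted(all_labels & DIRECT_IDENTIFIERS),
        "sensitive": sorted(all_labels & SENSITIVE),
        "toxic_combination": sorted(toxic_combinations(classification)),
    }


if __name__ == "__main__":
    result = classify_table(SAMPLE_TABLE)
    for column, labels in result.items():
        print(f"{column:12s} {sorted(labels)}")
    print(summarize(result))
```

The "postal" and "ref" columns are labelled zip and SSN from their contents alone, which is the point of automated discovery: personal data that nobody catalogued under an obvious name is still found, and the summary flags that zip, birth date and sex sit side by side in the same table.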

Here are additional resources to learn more about data classification:

• SecurityIntelligence, “You Don’t Know What You Don’t Know: 5 Best Practices for Data Discovery and Classification”

• Carnegie Mellon Institute, “Guidelines for Data Classification”

Data Controller

Data controllers process personal information and are responsible for data privacy.

Data controllers determine how and why information is processed. Simply put, if an organization determines and controls the processing of information, it is a data controller who is responsible for privacy.

The term has its foundation in the UK Data Protection Act of 1998. GDPR specifically defines the term in Article 4: Data Controller: “'controller' means the natural or legal person, public authority, agency or other body which alone or jointly with others, determines the purposes and means of the processing of personal data; where the purposes and means of such processing are determined by Union or Member State law, the controller or the specific criteria for its nomination may be provided for by Union or Member State law.”

What are the general responsibilities of the data controller?

Data controllers bear the primary responsibility for data subject rights and for data protection as specified by GDPR, regardless of whether the processing is done by the controller themselves or contracted out to a data processor.

• First, data controllers must determine that processing a data set serves a legitimate purpose to which the data subject has consented.

• Second, the data controller must ensure that the processing of data is accomplished with data protection and privacy principles.

• Third, the data controller must show that special care is given to the processing of specific types of sensitive data, including political, religious, sexual preference, race, or criminal history.

Here are additional resources to learn more about the definition, roles and responsibilities of data controllers:

• European Commission, “What is a data controller or a data processor?”

• Information Technology Law, Duties of Data Controllers

• GDPR EU.Org, Controller vs. Processor

Data De-Identification

Organizations Need to De-Identify Personal and Sensitive Data for Privacy Compliance

Data de-identification obscures, hides, or changes personal data to conceal the identity of a person. Various technologies can de-identify data, including masking, encryption, and obfuscation tools. For analytics and reporting, business leaders and analysts do not need identity data to understand purchasing trends, regional buying preferences, or service-related data. In these cases, de-identifying personal data or data that might infer someone’s identity protects privacy and does not impact business operations.

Data de-identification is closely related to data anonymization, but the focus is on anonymizing data that can specifically identify an individual. Data anonymization utilizes various techniques to remove identity from electronic records that can identify a specific individual. This identity data is referred to as personally identifiable information (PII) and includes name, email, phone, address or other information that relates to a specific person.

Anonymization and pseudonymization describe de-identifying data for specific outcomes; the goal of anonymization is that data is not re-identifiable. However, in pseudonymization, data can be re-identified for legal or medical purposes (only by those who hold the re-identification keys).

What regulations specify data de-identification?

• GDPR

• CCPA

• HIPAA

• Safe Harbor

How do organizations de-identify data?

Typically, organizations use some form of data masking to de-identify data. Data masking is accomplished by:

• Custom scripts: programmers write scripts to modify data fields related to personal or sensitive data.

• Packaged software: these data masking software packages provide templates around various data domains, and support cloud, Hadoop, relational, mainframe, and file systems.

• Data management software: some data integration and data management software have the ability to transform or anonymize personal or sensitive data fields.
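The distinction between pseudonymization (reversible, but only by whoever holds the re-identification keys) and anonymization (not reversible by anyone) is easiest to see in code. As an added example, not Integris code and not a description of any masking package, the following custom script of the kind the first bullet describes keeps a keyed HMAC token and a token-to-value vault with the controller, while the data set that leaves carries only tokens; anonymization, by contrast, produces a random token with no key and no vault. The key and record values are constructed.

```python
"""Added example (not Integris code): pseudonymization that can be reversed
only by the holder of the key and vault, next to anonymization that cannot be
reversed by anyone.  Keys and values are constructed."""
import hashlib
import hmac
import secrets
from typing import Dict, Iterable, Optional


class Pseudonymizer:
    """Keyed, consistent tokens with a vault that maps token -> original value.

    The data set that leaves (to analysts, testers, a processor) carries only
    tokens; the key and the vault stay with the controller, so only the
    controller can re-identify (the legal/medical case in the text).
    """

    def __init__(self, key: bytes) -> None:
        self._key = key
        self._vault: Dict[str, str] = {}

    def pseudonymize(self, value: str) -> str:
        # Keyed: without the key nobody can recompute the token from a guess.
        token = "P-" + hmac.new(self._key, value.encode(), hashlib.sha256).hexdigest()[:16]
        self._vault[token] = value          # recorded so it can be reversed later
        return token

    def reidentify(self, token: str) -> str:
        """Only possible with access to the vault; unknown tokens are an error."""
        return self._vault[token]

    def vault_size(self) -> int:
        return len(self._vault)


def anonymize(value: str) -> str:
    """Irreversible: a fresh random token, no key, no vault, no way back.

    Two calls for the same value give different tokens, so records cannot even
    be linked to each other, let alone to the person.
    """
    del value  # the original plays no part in the output
    return "A-" + secrets.token_hex(8)


def de_identify(record: Dict[str, str], fields: Iterable[str],
                pseudo: Optional[Pseudonymizer] = None) -> Dict[str, str]:
    """Apply pseudonymization (if a Pseudonymizer is given) or anonymization to `fields`."""
    out = dict(record)
    for f in fields:
        if f in out:
            out[f] = pseudo.pseudonymize(out[f]) if pseudo else anonymize(out[f])
    return out


if __name__ == "__main__":
    controller = Pseudonymizer(b"constructed-key-kept-by-the-controller")
    record = {"name": "Alice Example", "email": "alice@example.com", "zip": "92694"}
    shared = de_identify(record, ["name", "email"], controller)
    print(shared)                                        # tokens instead of name/email
    print(controller.reidentify(shared["email"]))        # alice@example.com
    print(de_identify(record, ["name", "email"]))         # random, unlinkable tokens
```

The practical caveat this makes visible: a pseudonymized data set is only as protected as the separation between it and the key/vault. If both travel together, the data is effectively still identified.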

Here are additional resources to learn more about data de-identification:

• Information Commissioner’s Office, Data de-identification

• NIST, “De-Identification of Personal Information”

Data Discovery and Classification

Data discovery and classification help locate and define personal data

Data discovery and classification are foundational to data privacy, governance, and protection. Enterprise data discovery scans data storage systems such as cloud, Big Data, relational, file, and mainframe to determine where personal and sensitive data is located. Classification evaluates the data and classifies it by type; for instance, health data, personal data, financial data, etc. DPIAs, DSARs and the implementation of safeguards and controls for personal information need this intelligence to accurately manage tasks and risk.

How is data discovery and classification accomplished?

Tools are available that provide discovery and classification to some degree, but they are built for specific domain applications and do not scale or provide capabilities for identity and risk. New purpose-built tools for enterprise privacy and security have emerged over the last few years; for example, ML-driven data discovery and classification tools that discover data across all platforms and data types. In summary, data discovery and classification are accomplished by:

• Manual efforts via surveys and interviews, which feed:

  • Data architecture diagrams and solutions.

  • Data catalogs.

• Domain specific discovery solutions, such as file analysis or privacy tools that provide simple search tools.

• Automated and ML-driven data discovery and classification solutions such as Integris Software that provide enterprise scale discovery and classification.

Here are additional resources to learn more about data discovery and classification:

• Security Intelligence, “Data Discovery and Classification Are Complicated, But Critical to Your Data Protection Program”

• Dataversity, “So, what is data mapping and why is it the key to GDPR compliance?”

• UK Information Commissioner’s Office, “How do we document our processing activities?”

Data Encryption

Data Encryption Secures Personal and Sensitive Data for Better Data Privacy and Security

Data encryption uses mathematical manipulation of information to prevent the original information from being viewed or altered. Data encryption uses an algorithm and a key to transform plaintext data into an unreadable and unrecognizable form; personal or sensitive information can’t be derived from encrypted data. Data decryption uses the same mathematical algorithm and key to reverse the encryption process and return the data to its original form.

Encryption provides a critical control for privacy by ensuring that data stored in the cloud, on a file server, or in a traditional database, or data in the process of being transmitted between them, can’t be viewed without authorization.

Where is encryption used?

GDPR and several other regulations mention encryption requirements as a way to mitigate risk. Data encryption has two primary applications. First, it provides privacy and security for stored data; virtually all devices and platforms support some level of encryption. From cloud, to database servers, to laptops and mobile phones, data encryption can be utilized to protect data from unauthorized access. Second, data encryption secures data transfers across the internet, on corporate networks, or even in private residential networks. Before sending data, devices will encrypt information so that data can’t be viewed by eavesdroppers or unintended recipients.

What are common data encryption terms?

1. Algorithm: Provides precise instructions for software programs to transform data for tasks such as encryption, decryption, compression, and hashing. AES, Triple DES, RSA, and Blowfish are well known algorithms.

2. Encryption Key: Typically, a secret value of numbers and letters, the encryption key and the algorithm produce a unique data set when used together. This pairing ensures that each user can produce encrypted data that they can then decrypt with their algorithm and key pair. Key length determines the key’s strength and one of the most common algorithms, AES, typically has a key length of 256 bits.
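The "algorithm plus key in, unreadable data out, same key reverses it" description above, as an added example that is not Integris code. To stay runnable with only the Python standard library it does not use AES: the algorithm is a counter-mode keystream generated with HMAC-SHA256 as the pseudorandom function, with an encrypt-then-MAC tag so that a wrong key or a modified ciphertext is detected rather than silently decrypted to garbage. The master key and the plaintext are constructed; a production system would use AES-GCM from a vetted library for the same job.

```python
"""Added example (not Integris code): symmetric encryption with a key, using
only the Python standard library.  The cipher is a counter-mode keystream
generated with HMAC-SHA256 (a PRF) plus an encrypt-then-MAC tag.  It is an
illustration of "algorithm + key in, ciphertext out; same key reverses it";
production systems should use AES-GCM from a vetted library instead."""
import hashlib
import hmac
import os
from typing import Tuple

NONCE_LEN = 16
TAG_LEN = 32


def _derive_keys(master: bytes) -> Tuple[bytes, bytes]:
    """Separate confidentiality and integrity keys from one master key."""
    enc = hmac.new(master, b"enc", hashlib.sha256).digest()
    mac = hmac.new(master, b"mac", hashlib.sha256).digest()
    return enc, mac


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter mode: block i = HMAC(key, nonce || i); never reuse a nonce with a key."""
    out = bytearray()
    counter = 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(8, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(out[:length])


def encrypt(master: bytes, plaintext: bytes) -> bytes:
    """Returns nonce || ciphertext || tag.  A fresh random nonce every call."""
    enc_key, mac_key = _derive_keys(master)
    nonce = os.urandom(NONCE_LEN)
    stream = _keystream(enc_key, nonce, len(plaintext))
    ciphertext = bytes(p ^ k for p, k in zip(plaintext, stream))
    tag = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    return nonce + ciphertext + tag


def decrypt(master: bytes, blob: bytes) -> bytes:
    """Same algorithm and key reverse the process; the tag is checked first."""
    if len(blob) < NONCE_LEN + TAG_LEN:
        raise ValueError("ciphertext too short")
    enc_key, mac_key = _derive_keys(master)
    nonce, ciphertext, tag = blob[:NONCE_LEN], blob[NONCE_LEN:-TAG_LEN], blob[-TAG_LEN:]
    expected = hmac.new(mac_key, nonce + ciphertext, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):     # constant-time comparison
        raise ValueError("authentication failed: wrong key or modified data")
    stream = _keystream(enc_key, nonce, len(ciphertext))
    return bytes(c ^ k for c, k in zip(ciphertext, stream))


def decrypts_cleanly(master: bytes, blob: bytes) -> bool:
    """True if `blob` authenticates and decrypts under `master`."""
    try:
        decrypt(master, blob)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    key = b"constructed-master-key-32-bytes!!"      # constructed key for the demo
    blob = encrypt(key, b"name=Alice Example;zip=92694")
    print(decrypt(key, blob))                        # original bytes
    print(decrypts_cleanly(b"wrong-key", blob))      # False
```

Two details worth noticing for the privacy use cases in the text: the stored form is longer than the plaintext (nonce and tag travel with it), and a decryption attempt with the wrong key fails loudly, which is what an audit trail of access to encrypted personal data needs.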

Here are additional resources to learn more about data encryption:

• HashedOut “10 Data Privacy and Encryption Laws Every Business Needs to Know”

• NIST, Cryptography

Data Flow Diagram

Data Flow Diagrams Visualize How Data Flows Across Systems and Business Processes

A data flow diagram (DFD) visualizes the flow of data through company systems or business processes. They provide simplified views of how companies produce and consume data in their organizations. The data flow diagram is a primary tool for understanding data lineage. This provides intelligence on how data touches various applications, users, and systems to help assess privacy risk and can provide insight into the company's data protection impact assessment (DPIA).

DFDs have two forms -- logical and physical. Logical diagrams show how information moves through a system, the source, the destination, how it is processed, and where the information goes.

Physical diagrams reveal the actual components that data touches for a process, including the software, hardware, and people that are part of the data flow.

What is the Structure of a DFD?

A DFD has a typical pattern, which includes:

• Activity - what is the company trying to achieve

• Inputs - what data will be used and where it comes from

• Outputs - what data will be produced, where will it be stored and how will it be accessed

How are DFDs Used?

While the definition clearly defines what information a DFD visualizes (the flow of data through systems and business processes), there are several contexts for their use:

• Documenting the overall enterprise architecture of a company.

• Business process analysis, for designing, or reengineering business processes.

• Privacy, DPIAs; for understanding the flows and uses of personal information in a company.

Here are additional resources to learn more about DFDs:

• Hubspot, “Beginners Guide to Data Flow Diagrams”

• DataVersity, “Demystifying Data Architecture”

• European Commission, Guidance Document for Emission Monitoring

Data Governance

Data Governance Defines How Organizations Leverage and Manage Data

Data Governance traditionally spans the practices of data quality, data management, data stewardship, and data ownership. With the growing focus on data use, governance may include compliance to data-centric regulations such as BCBS 239, and support for privacy compliance for GDPR and CCPA. In the context of data privacy, governance would include the management of cross border transfers.

With the recent ascent of the Chief Data Officer and the growing utilization of enterprise data, the focus on data governance has increased dramatically. Many organizations have embarked on creating catalogs of critical and personal data to help glean insights on opportunities for innovation and for assessing compliance readiness for privacy.

How are the goals and strategies of data governance determined?

Data governance councils set strategy, direction, and goals for the organization’s data utilization and management. This may be led by a CIO or CDO with participation by LoB leaders, data owners, data stewards, and IT executives responsible for data-centric technologies.

What are the functions of data governance?

• Data quality: ensuring data records are complete and accurate.

• Data management: managing the lifecycle of data and migrating and integrating data for new services and applications.

• Data cataloging: inventorying data assets across the enterprise to enable analytics, quality, and transformation.

• Data mastering: consolidating records of customers, products, or services that have multiple instances across enterprise applications (e.g. creating a master record for customers and/or products).

• Data security: data is protected from unauthorized access, use, and transfer.

Here are additional resources to learn more about data governance:

• National Center for Education Statistics, “Data Governance Checklist”

• Forbes, “What Mistakes Do Businesses Often Make When It Comes To Data Governance?”

• Gartner, “CISOs Must Master Data Governance for GDPR Compliance”

Data Inventory

Data inventory tells you what type of data you have and where it’s located

Data inventory provides detailed information on a company’s data assets. This information includes the metadata that defines the individual data records and what they contain, who accesses the data and how, who owns and manages the data, and where the data is stored. Data inventory should include all the metadata defining the data assets, and can also include a record of all data elements via deep data discovery and classification.

Most organizations do not embark on discovering all their assets simultaneously. Data inventories are typically segmented and driven by corporate initiatives such as privacy, governance, data management, or analytics. Most organizations prioritize creating a personal data inventory for their organization to help them understand, remediate, and manage privacy risks and readiness.

How do you create a data inventory?

• Data resources are identified, which can include databases, file servers, cloud instances, big data servers, SaaS applications, and more.

• A data inventory tool is deployed to do discovery and classification to identify critical data assets. Some organizations use surveys, custom scripts, and domain specific discovery tools. Enterprise grade discovery tools are emerging to automate the process (Integris Software is one example of such a tool).

• Metadata and data elements are analyzed to create intelligence for views and reports that define the organization's data location, use, owners, and risk.

Why do companies need to create a data inventory?

• To understand key data assets used for business processes and operations.

• To discover and map personal data to ensure the appropriate use, access, and transfer of regulated personal information.

• To expose data assets for data management activities such as master data management, data quality, and data migration.

Here are additional resources to learn more about data inventory:

• Johns Hopkins GovEx Labs, “Data Inventory Guide”

• ResearchGate.net, “How to create a data inventory”

Data Lineage

Data Lineage Provides Intelligence on Data Quality and Provenance

While data flow diagrams depict how information flows through a company, data lineage provides additional intelligence on data such as integrations, quality, and processing. This creates a complete lifecycle image of data, where it began and how it transformed into its final form. Data lineage can help organizations with compliance readiness by providing insight into the processes where personal data is used and transformed.

Data lineage is different from data inventory in that lineage focuses on the descriptive information called metadata. Lineage is more concerned with the data lifecycle in how the data is used and transforms through the organization. Data inventory focuses on the state of data at various locations and the statistical aspects of the data (such as risk and classification).

What is Data Lineage Used For?

• Baseline data lifecycles, how data originates, where it travels, and how it is combined and consumed.

• Analyze data quality to identify opportunities to improve processes and applications for data accuracy and completeness.

• For data governance and compliance; organizations can leverage lineage to understand the business processes that consume critical data assets and/or personal information.

• For business impact assessment; knowing what will be impacted if data content or structure is changed.

What Tools Can Create Data Lineage Reports and Visualizations?

• Metadata management tools.

• Data architecture solutions.

• Data catalogs.

• Manual processes via surveys and direct data source research and queries.

Data lineage is enriched by having complete and accurate data inventory. Data discovery and classification solutions can provide a foundation to create data lineage, helping populate data catalogs and other tools.

Here are additional resources to learn more about data lineage:

• DataVersity, “What is Data Lineage?”

• DataVersity, “Data Lineage Demystified”

Data Mapping

Data Mapping Locates and Analyzes Data for Governance and Compliance

Data mapping is closely related to data inventory in that both help organizations understand where data is located and its purpose (classification). For the purposes of this definition, data inventory is different from data mapping in that it provides further intelligence on risk, protection, and compliance.

Data mapping involves discovering, classifying, and understanding personal or sensitive data for privacy compliance. Companies need to identify all data sources for personal information, discover what personal information resides on these sources, and analyze how the data flows to and from the sources. Data mapping lays the foundation for recording processing activities and for data protection impact assessments. With the addition of information such as protection and user access, organizations can also determine the risk of personal data for privacy compliance. This enables them to take remediation actions such as masking, encryption, deletion, or strengthening of access controls.

What questions can data mapping answer?

• Where is personal data located? Understand the physical location and technology platform (e.g., Hadoop, SQL Server, file server).

• How should the data be classified? (Public, Private, Confidential)

• Where does the data flow to and from?

• What applications use the data?
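As an added example (not code from the Integris dictionary or any product it names), the discovery-and-classification step of a data inventory and the first two data mapping questions above, run over a constructed set of data sources: each column is labelled by a detector and assigned one of the page's Public / Private / Confidential tiers, and the result is the list of locations holding personal data. The sample sources, values, detector regexes and the tier assigned to each data type are assumptions.

```python
import re

# Constructed sample data sources (fictitious values): "platform:location" -> column -> sample values.
SOURCES = {
    "sqlserver:crm.customers": {
        "email": ["ada@example.com", "grace@example.com"],
        "ssn": ["123-45-6789", "987-65-4321"],
        "region": ["EU", "US"],
    },
    "fileserver:exports/q1.csv": {
        "card": ["4111111111111111", "5500000000000004"],
        "notes": ["renewal", "upsell"],
    },
    "hadoop:clickstream": {
        "page": ["/home", "/pricing"],
        "ip": ["203.0.113.7", "198.51.100.9"],
    },
}

SSN_RE = re.compile(r"^\d{3}-\d{2}-\d{4}$")
EMAIL_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[A-Za-z]{2,}$")
IPV4_RE = re.compile(r"^(?:\d{1,3}\.){3}\d{1,3}$")
CARD_RE = re.compile(r"^\d{13,19}$")


def luhn_ok(number: str) -> bool:
    """Luhn checksum, used to tell a payment card number from any other digit run."""
    total = 0
    for i, ch in enumerate(reversed(number)):
        d = int(ch)
        if i % 2 == 1:          # every second digit from the right is doubled
            d *= 2
            if d > 9:
                d -= 9
        total += d
    return total % 10 == 0


# Detector name, predicate, classification tier. The tiers follow the page's
# Public / Private / Confidential scheme; which tier each type gets is an assumption.
DETECTORS = [
    ("ssn", lambda v: bool(SSN_RE.match(v)), "Confidential"),
    ("payment_card", lambda v: bool(CARD_RE.match(v)) and luhn_ok(v), "Confidential"),
    ("email", lambda v: bool(EMAIL_RE.match(v)), "Private"),
    ("ip_address", lambda v: bool(IPV4_RE.match(v)), "Private"),
]


def classify_column(values, threshold: float = 0.8):
    """Label a column by the first detector that matches at least `threshold`
    of its non-empty sample values; a column matching nothing is Public."""
    samples = [v for v in values if v]
    if not samples:
        return "none", "Public"
    for name, pred, tier in DETECTORS:
        hits = sum(1 for v in samples if pred(v))
        if hits / len(samples) >= threshold:
            return name, tier
    return "none", "Public"


def build_inventory(sources: dict) -> list:
    """One inventory entry per column: where it lives, what it holds, how it is classified."""
    inventory = []
    for location, columns in sources.items():
        platform = location.split(":", 1)[0]
        for column, values in columns.items():
            data_type, tier = classify_column(values)
            inventory.append({
                "location": location,
                "platform": platform,
                "column": column,
                "data_type": data_type,
                "classification": tier,
            })
    return inventory


def personal_data_locations(inventory: list) -> list:
    """Locations holding any personal data: the starting set for a data map or DPIA."""
    return sorted({e["location"] for e in inventory if e["classification"] != "Public"})


if __name__ == "__main__":
    inv = build_inventory(SOURCES)
    for entry in inv:
        print(entry)
    print("personal data found in:", personal_data_locations(inv))
```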

What tools are used for data mapping?

Many tools are available that provide discovery and classification. But many of these tools were not designed for privacy; they lack capabilities for correlating identities across sensitive data and do not provide the intelligence needed for compliance readiness. However, new purpose-built tools for privacy have emerged over the last few years. For example, Integris Software provides data discovery and classification, subject registry, lineage, and risk reduction of personal data. These capabilities provide privacy professionals the intelligence they need to understand the personal data landscape, its risk and undertake the most effective remediation.

Here are additional resources to learn more about data mapping:

• Wikipedia

• Technopedia

• Dataversity, “So, what is data mapping and why is it the key to GDPR compliance?”

• UK Information Commissioner’s Office, “How do we document our processing activities?”

Data Masking

Data Masking is the Primary Tool for Data Anonymization in Privacy

Data masking changes personal or sensitive data into random values to anonymize, de-identify, and/or desensitize data. This protects personal, health, or financial data from unauthorized viewing and access. Masking supports privacy and security policies, and limits access to and viewing of private data to authorized users with a valid business purpose. Masked data retains only as much of the original data as the user needs to accomplish their business task. For example, a customer service representative doesn’t need to see the credit profile of a customer, but an accounts payable representative does need to see credit data to do their job.

How can organizations implement data masking?

• Custom scripts: programmers write custom scripts to modify data fields related to personal or sensitive data.

• Packaged software: these data masking software tools and solutions provide templates for typical masking tasks (such as credit cards, SSN, phone) and support data sources typically found across the enterprise, including cloud, Hadoop, relational, mainframe, and file systems.

• Data management software: some data integration and data management software have the ability to transform or anonymize personal or sensitive data fields.

Which departments or business functions are most likely to use data masking?

• Operations: for customer service representatives who only need partial sets of personal information to do their job.

• DevOps: data masking can anonymize data sets for application testers to ensure that no private data is shared with internal or external testing or quality assurance teams.

• Analytics: personal data with no relevant or authorized analytics purpose can be masked to limit privacy and security risks.

Here are additional resources to learn more about data masking:

• SearchSecurity, data masking

• Information Management, “Best practices for data masking to boost security, privacy and compliance”

Data Minimization

Data Minimization Means Collect and Retain the Minimum Data Possible

Data minimization posits that organizations should only collect the minimum amount of data necessary to accomplish their business purposes. Further, data should be retained only as long as necessary or as required by laws or regulations. From a privacy perspective, organizations must carefully analyze what personal data is collected on their customers, partners, and employees. If specific personal data has no demonstrable business use, then that data should not be collected, and any already collected should be deleted.

Data minimization is instantiated in GDPR Articles 5, 25, 47 and 89. The CCPA includes the concepts of collection limitation and data minimization, while data minimization is also inferred in other regulations such as the Australian Privacy Act. The GDPR states the following on data minimization: “Personal data shall be: … adequate, relevant and limited to what is necessary in relation to the purposes for which they are processed (‘data minimisation’).”

What are the key elements of data minimization?

• Have detailed data classifications that define the data you hold.

• Collect and use only the data needed for the business purpose or service.

• Have clear policies on data retention and delete and/or archive data on a periodic basis.

• Conduct analysis of data sets to determine if the organization is holding duplicate and/or unused data.

What are the tools used for data minimization?

• Administrative tools and features in database, cloud, and big data platforms.

• Custom scripts.

• Package software tools and solutions for data archiving and retirement.

Here are additional resources to learn more about Data Minimization:

• UK ICO, Data Minimisation

• JD Supra, “Data: Minimization: FTC Cites Company For Failing To Delete Information It No Longer Needed”

• GDPR text, see Articles 5, 25, 47 and 89

Data Negligence

Data negligence is the ineffective application of safeguards and controls to prevent the misuse of personal data.

Data negligence may be the result of not undertaking the correct measures to prevent a data breach and/or the misuse of personal data. Recent breaches and data misuse have been highlighted in cases against Equifax, Facebook, and Cambridge Analytica. A data breach is an occurrence where data is stolen or taken from an organization. Stolen information may include sensitive, proprietary, or classified data, for example, customer information and credit card details. Personal data misuse involves unauthorized staff viewing or transferring a customer’s personal data.

For the GDPR, negligence is cited twice in Article 83, ‘General conditions for imposing administrative fines.’ First, it states that violations can be negligent or intentional: “the intentional or negligent character of the infringement.” And second, it speaks to penalties regarding negligence or intentional acts: “If a controller or processor intentionally or negligently, for the same or linked processing operations, infringes several provisions of this Regulation, the total amount of the administrative fine shall not exceed the amount specified for the gravest infringement.” Under CCPA, negligence triggers the rights of consumers to file lawsuits for damages and compensation.

What are some examples of data negligence?

• Reliance on old or outdated security controls.

• Insufficient security controls (for instance, relying solely on encryption for data security).

• Software practices and policies that do not effectively keep applications and databases at the latest patch levels.

• Ineffective security and privacy training for staff who access software, data, and network resources.

Here are additional resources to learn more about data negligence:

• Thomson Reuters, “Who is liable when a data breach occurs?”

• NYU, “The Rise of Cyber Negligence Claims: Plaintiffs Find Receptive Judges by Going Back to Basics”

Data Obfuscation

Data obfuscation hides the original content of data to protect identities and personal information.

Data obfuscation is frequently used interchangeably with data masking. Data obfuscation scrambles data in order to anonymize it. Data obfuscation is fundamental in many regulated industries where personally identifiable data must be shielded from overexposure.

As with data masking, special care should be taken in the use of obfuscation for de-identifying data. Even with identity information obfuscated, key data elements such as age, zip code, and sex may allow for individuals to be re-identified.

What are some examples of data obfuscation?

• First and last names are randomized to protect identity.

• A credit card number is presented as all zeros.

• Diagnostic codes are presented as all X’s.

How can organizations implement obfuscation via data masking?

• Custom scripts: Programmers write custom scripts to modify data fields related to personal or sensitive data.

• Packaged software: These data masking software tools and solutions provide templates for typical masking tasks (such as credit cards, SSN, phone) and support data sources typically found across the enterprise including cloud, hadoop, relational, mainframe, and file systems.

• Data management software: Some data integration and data management software have the ability to transform or anonymize personal or sensitive data fields.

Which departments or business functions are most likely to use obfuscation via data masking?

• Operations: For customer service representatives who only need partial sets of personal information to do their job.

• DevOps: Data masking can anonymize datasets for application testers to ensure that no private data is shared with internal or external testing or quality assurance teams.

• Analytics: Personal data with no relevant or authorized analytics purpose can be masked to limit privacy and security risks.
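As an added example (not code from the Integris dictionary), the masking templates listed in the Data Masking entry and the three obfuscation examples above, together with the re-identification caveat: direct identifiers are masked per template (names randomized, card number all zeros, diagnostic code all X’s), and then the quasi-identifiers the text names (age, zip, sex) are checked for k-anonymity and generalized when a record would still be unique. The sample records, the name pools, and the partial SSN and phone templates are constructed assumptions.

```python
import random
import re
from collections import Counter

# Constructed sample records (fictitious values). The quasi-identifiers the text
# warns about (age, zip, sex) sit alongside the direct identifiers.
RECORDS = [
    {"first": "Ada", "last": "Byron", "ssn": "123-45-6789", "card": "4111111111111111",
     "phone": "206-555-0143", "dx": "E11.9", "age": 34, "zip": "98101", "sex": "F"},
    {"first": "Grace", "last": "Hopper", "ssn": "987-65-4321", "card": "5500000000000004",
     "phone": "206-555-0198", "dx": "I10", "age": 37, "zip": "98109", "sex": "F"},
    {"first": "Alan", "last": "Turing", "ssn": "111-22-3333", "card": "340000000000009",
     "phone": "212-555-0110", "dx": "J45.20", "age": 52, "zip": "10001", "sex": "M"},
    {"first": "Claude", "last": "Shannon", "ssn": "444-55-6666", "card": "6011000000000004",
     "phone": "212-555-0177", "dx": "M54.5", "age": 55, "zip": "10002", "sex": "M"},
]

# Constructed replacement pools for name randomization (hypothetical values).
FIRST_POOL = ["Pat", "Sam", "Lee", "Kim", "Jo"]
LAST_POOL = ["Smith", "Jones", "Brown", "Lopez", "Nguyen"]


def mask_card(value: str) -> str:
    """Credit card number presented as all zeros, length preserved (the page's example)."""
    return re.sub(r"\d", "0", value)


def mask_ssn(value: str) -> str:
    """Partial mask: only the last four digits survive (assumed template)."""
    return "XXX-XX-" + value[-4:]


def mask_phone(value: str) -> str:
    """Keep the area code for routing, hide the subscriber number (assumed template)."""
    return value[:3] + "-XXX-XXXX"


def mask_dx(value: str) -> str:
    """Diagnostic code presented as all X's (the page's example); punctuation kept."""
    return re.sub(r"[A-Za-z0-9]", "X", value)


def mask_record(rec: dict, rng: random.Random) -> dict:
    """Apply one template per direct identifier; other fields pass through unchanged."""
    out = dict(rec)
    out["first"] = rng.choice(FIRST_POOL)   # names randomized to protect identity
    out["last"] = rng.choice(LAST_POOL)
    out["ssn"] = mask_ssn(rec["ssn"])
    out["card"] = mask_card(rec["card"])
    out["phone"] = mask_phone(rec["phone"])
    out["dx"] = mask_dx(rec["dx"])
    return out


QUASI = ("age", "zip", "sex")


def k_anonymity(records: list, quasi=QUASI) -> int:
    """Smallest number of records sharing one (age, zip, sex) combination.
    k == 1 means someone is unique on the quasi-identifiers and can still be
    singled out even though name, SSN, card and phone are masked."""
    groups = Counter(tuple(r[q] for q in quasi) for r in records)
    return min(groups.values())


def generalize(rec: dict) -> dict:
    """Coarsen quasi-identifiers: 10-year age band and 3-digit ZIP prefix."""
    out = dict(rec)
    lo = (rec["age"] // 10) * 10
    out["age"] = f"{lo}-{lo + 9}"
    out["zip"] = rec["zip"][:3]
    return out


def mask_dataset(records: list, k: int = 2, seed: int = 7) -> tuple:
    """Mask direct identifiers, then generalize quasi-identifiers when the
    masked set does not yet reach the requested k. Returns (records, achieved k)."""
    rng = random.Random(seed)
    masked = [mask_record(r, rng) for r in records]
    if k_anonymity(masked) < k:
        masked = [generalize(r) for r in masked]
    return masked, k_anonymity(masked)


if __name__ == "__main__":
    out, k = mask_dataset(RECORDS)
    for r in out:
        print(r)
    print("k-anonymity:", k)
```

With the sample set, masking alone leaves every record unique on (age, zip, sex), so k is 1 until the quasi-identifiers are generalized.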

Here are additional resources to learn more about data obfuscation:

• UK ICO, “Anonymisation: managing data protection risk code of practice”, https://ico.org.uk/media/for-organisations/documents/1061/anonymisation-code.pdf

• NIST, “De-Identification of Personal Information” (NIST IR 8053): https://nvlpubs.nist.gov/nistpubs/ir/2015/NIST.IR.8053.pdf

• European Commission, recommendations on data anonymization: https://ec.europa.eu/justice/article-29/documentation/opinion-recommendation/files/2014/wp216_en.pdf

Data Portability

The Importance of Data Portability for Fulfilling Data Subject Rights

Data portability defines that individuals have the right to request a copy of their personal information and/or have their information shared or transmitted from one controller to another. The controller is the organization that has legally obtained the individual's information for a legitimate processing purpose (for instance a health provider or insurance firm). Both the GDPR and CCPA provide for data portability, and this is a common feature of most privacy legislation worldwide. Data portability requests are considered a part of the data subject access request (DSAR) process.

Data portability is concerned with personal information on individuals and does not apply to information that has been anonymized or pseudonymized (this is specifically related to GDPR). Article 20 of the GDPR provides a description of the rights for data portability and includes this statement to help define the data portability concept: “The data subject shall have the right to receive the personal data concerning him or her, which he or she has provided to a controller, in a structured, commonly used and machine-readable format and have the right to transmit those data to another controller without hindrance from the controller to which the personal data have been provided…”

What are examples of data portability?

• A customer wants to know what data an organization holds on them and how that data is being shared and processed.

• A patient wants information from a family doctor to be shared with a specialty provider.

• A customer wants insurance information from an old carrier to be shared with a new provider.

• A student wants information provided to a new school.

Here are additional resources to learn more about Data Portability:

• UK Information Commissioner’s Office, Data Portability

• New America, “The Data Portability Act: More User Control, More Competition”

Data Privacy

Individuals should have control over the collection and use of their personal data

Data privacy provides individuals the control of the collection and use of their personal data. It requires companies to provide effective data protection, clearly disclose how personal data is collected and used, and provide privacy rights to individuals. Data privacy rights include the right to be forgotten, the right to portability, and the right to access (what data does the company have and how is it used).

Data privacy is distinct from data protection, which involves securing data against unauthorized usage or access.

IAPP provides this definition of data privacy, contrasting data privacy and data security:

“Data privacy is focused on the use and governance of personal data—things like putting policies in place to ensure that consumers’ personal information is being collected, shared and used in appropriate ways. Security focuses more on protecting data from malicious attacks and the exploitation of stolen data for profit. While security is necessary for protecting data, it’s not sufficient for addressing privacy.”

What are the key data privacy laws?

• EU General Data Protection Regulation (GDPR): GDPR provides privacy rights for EU citizens so that they can control the use of their personal information by businesses, organizations, and governments.

• California Consumer Privacy Act (CCPA): The CCPA provides California residents with ownership and control of their personal data and requires companies to gain consent for the use of personal data and ensure adequate data protection.

• Singapore Personal Data Protection Act (PDPA): The PDPA provides stringent obligations for companies collecting, processing, or disclosing personal data. The PDPA provides data rights and requires companies to obtain consent and implement adequate data protection.

• Brazil’s Lei Geral de Proteção de Dados Pessoais (LGPD): The LGPD provides numerous rights to Brazilian citizens, including consent, data access, and the expectation of adequate protection of personal information.

Here are additional resources to learn more about data privacy:

• International Association of Privacy Professionals (IAPP): https://iapp.org/

• European Commission: https://ec.europa.eu/info/law/law-topic/data-protection_en

• Electronic Privacy Information Center: https://www.epic.org/

• Future of Privacy Forum: https://fpf.org/

Data Privacy Automation

Data privacy automation replaces the manual tasks of privacy management and data inventory with automated capabilities. Because many data privacy requirements and consumer rights span multiple technologies and company staff, automation provides the only clear method for organizations to scale to global privacy requirements.

Why is Data Privacy Automation Needed?

• To account for the volume and variety of personal information an organization holds.

• Automation to support reliable consent and subject rights processing.

• Support for repeatable and predictable privacy processes.

• On demand intelligence on privacy readiness and incidents.

How Does a Company Implement Data Privacy Automation?

• Create in-house custom code and scripts.

• Supplement manual processes with custom privacy tools.

• Outsource privacy to a service provider.

• Implement data privacy solutions.

The management, monitoring and execution of privacy compliance readiness requires a range of functionality. Typically, products excel at either front office or back office functionality. Front office solutions focus on user tasks with capabilities for policy support, DSAR, and consent administration. Back office vendors focus on technical capabilities such as data inventory, risk analysis, and remediation. As with cybersecurity, organizations should look at the tools reviewed by peers, analysts, and privacy organizations and choose best of breed tools. Many of these tools have pre-built integrations and/or APIs to support heterogeneous privacy tool environments.

Here are additional resources to learn more about Data Privacy Automation:

• Forrester, “The Forrester New Wave™: GDPR And Privacy Management Software, Q4 2018”

• Gartner Research, “Hype Cycle for Privacy, 2018”

• IAPP Resources, 2019 Tech Vendor Report

Data Privacy Best Practices

Data Privacy Best Practices Emerging from Leading Organizations

Data privacy best practices provide guidance to organizations on how to obtain and manage compliance readiness. Best practices cover areas such as breach notification, territorial scope, DPIAs, binding corporate rules, data portability, and data protection officers. Several regulatory and standards organizations have developed best practices to help companies understand their responsibilities and to provide prescriptive guidance on implementing policies and controls. These best practices can be considered policy and process oriented, but do not make specific technological recommendations.

What are Some Examples of Data Privacy Best Practices?

• The European Data Protection Board (EDPB) has developed many guidelines for compliance with GDPR. This responsibility was set forth in Article 70 of the GDPR.

• The Business Software Alliance (BSA) has created a regulation neutral set of guidelines for data privacy. These guidelines represent practices that benefit all companies’ privacy efforts regardless of the regulation.

• The National Institute for Standards and Technology has a data privacy framework for organizations to leverage for data privacy readiness. This framework is regulation neutral and provides guidance for operations, policies, and controls to implement and manage data protection and privacy.

• The Personal Data Protection Commission (PDPC) in Singapore provides guidance for complying with the Singapore Personal Data Protection Act (PDPA).

What Are Best Practices/Requirements for Privacy Technology?

• Automation and Integration of Privacy Tasks: With the growing complexity and number of privacy regulations, organizations cannot rely on manual processes. Privacy regulations touch broad swaths of company data, staff, processes, and business partners. Without automation, compliance readiness and management would create unrealistic staffing demands and collaboration challenges.

• Machine Learning (ML), Natural Language Processing (NLP) and Artificial Intelligence (AI): In support of automation, ML, NLP and AI allow the organization to track privacy data in context and not be bound to rigid rules and policies. Privacy data is dynamic and occurs in many forms and these capabilities allow organizations to keep track and manage exponentially growing, geographically dispersed and structurally diverse datasets.

• Scalability: Most organizations will double their data every 18 months; in addition, new users, new applications and business partners will require organizations to monitor broad landscapes for privacy readiness and compliance.

Here are additional resources to learn more about Data Privacy Best Practices:

• European Data Protection Board, “GDPR: Guidelines, Recommendations, Best Practices”

• Business Software Alliance, “Global Privacy Best Practices”

• National Institute for Standards and Technology, Data Privacy Framework

• Technopedia, “Better to Ask Permission: Best Practices for Privacy and Security”

Data Privacy Risk

Privacy Risk Drives Privacy Policies, Practices, and Controls

Data privacy risk measures the likelihood of misuse or unauthorized access of personal data. Under GDPR, both the controller and processor need to understand and minimize risk. Data protection impact assessments help organizations identify and quantify risks for remediation and disclosure to customers. Privacy impact assessments (PIAs) provide the same intelligence to organizations, revealing where and what privacy risks exist.

The National Institute of Standards and Technology (NIST) in the United States has developed a privacy risk framework.

What are typical data privacy risks?

• Unauthorized use (beyond stated policy and user consents): Privacy regulations dictate that data should only be collected and used for specific business purposes and within consents granted by customers.

• Unauthorized access: Based on geographies and the need to know, organizations must tightly control access to personal data. For instance, customer service reps for a North American support group would not need to access the personal data of EU citizens.

• Unauthorized transfer: Regarding cross border transfers, organizations must have tight controls on where data is transferred both internally and externally.

• Deception: Organizations must be clear and transparent on how they will utilize personal information and provide clear and complete responses to DSARs and consent requests.

• Financial injury: In the case of data breaches or unauthorized disclosure, financial injury relates to the real or statutory damages that result from personal data disclosure to malicious sources. Under GDPR, fines can amount to 4% of revenue; under CCPA, statutory fines can reach $7,500, and civil actions can award $750 per instance.

• Reputational injury: Reputational damage is typically damage to a company’s brand that could cause the delay or cancellation of sales and services.

How can organizations measure privacy risk?

• Analysis by internal risk teams.

• Outside risk consultancies and services.

• Risk calculations of privacy and security software tools.

Here are additional resources to learn more about privacy risk:

• NIST, privacy risk framework

• UK Information Commissioner’s Office, Privacy impact assessments summary

• Wikipedia, privacy impact assessments

Data Privacy Solutions

Data Privacy Solutions Enable Organizations to Automate Privacy Operations

The passage and implementation of GDPR has driven the rise of vendors offering data privacy solutions. Many of these tools and solutions were available prior to GDPR, but GDPR provided a prescriptive framework and requirements that laid the foundation for the capabilities of these tools.

Data privacy solutions help organizations conduct data protection impact assessments (DPIAs), create a record of processing activities, understand their data privacy risk and remediation needs, manage subject rights and consents, and track and report on compliance readiness. Data privacy tools are more focused and provide specific functions for subject rights, data protection, or other privacy needs.


What Functions do Data Privacy Solutions Provide?

While not exhaustive, the following capabilities are typically found in data privacy solutions or offered as a tool for specific functionality:

• Management of data privacy policies and notices.

• Dashboards, reports, and visualizations of privacy readiness, actions, and alerts.

• Discovery, classification, and risk analysis of personal and sensitive data.

• Catalog of processing activities.

• Subject rights request management.

• Consent management.

• Vendor risk management.

The management, monitoring, and execution of privacy compliance readiness requires a range of functionality. Typically, products excel at either front office or back-office functionality. Front-office solutions focus on user tasks with capabilities for policy support, DSAR workflows, and consent administration. Back office vendors focus on technical capabilities such as data inventory, risk analysis, and remediation.

As with cybersecurity, organizations should look at the tools reviewed by peers, analysts and privacy organizations and choose best of breed tools. Many of these tools have pre-built integrations and/or APIs to support heterogeneous privacy tool environments.

Here are additional resources to learn more about Data Privacy Solutions and Tools:

• Forrester, “The Forrester New Wave™: GDPR And Privacy Management Software, Q4 2018”

• Gartner Research, “Hype Cycle for Privacy, 2018”

• IAPP Resources, 2019 Tech Vendor Report

Data Processor

Data Processors Store or Process Personal Data for the Data Controller

Typically a third party to an organization, the data processor analyzes, stores, transforms or performs some other form of processing of personal data for the data controller. The data controller (the organization that owns and controls the data) may also perform data processor functions in the execution of normal business processes. Data processors do not own the data, and their activities are controlled and directed by the data controller. However, the processor is bound by the rules and obligations applicable to the controller.

GDPR provides specific definitions and responsibilities for data processors as well as data controllers. Data processors are bound by GDPR requirements regardless of their location so long as their service includes the processing of EU citizen data for the data controller.

Article 28 of the GDPR defines the processor and responsibilities. From Article 28, the following provides context to the definition and role of processors: “Where processing is to be carried out on behalf of a controller, the controller shall use only processors providing sufficient guarantees to implement appropriate technical and organisational measures in such a manner that processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject.”

What are examples of data processors?

• Cloud storage provider.

• Accounting, payroll, or tax firm.

• Payroll service provider.

• SaaS application provider (Salesforce, OneLogin, etc.).

• Market research organization.

• HR service provider.

• IT services firm.

Here are additional resources to learn more about data processors:

• European Commission, GDPR regulation text (search on term processor)

• European Commission, “What is a data controller or processor?”

Data Protection Authority

Data Protection Authorities Ensure GDPR Compliance in EU Member States

Each member state in the EU has a data protection authority (DPA), which is used synonymously with supervisory authority in the GDPR regulation text. The DPA oversees the application of data protection relevant to GDPR in their respective member states. They also act as the primary liaison for the member states and the EU.


Supervisory authority is mentioned over 200 times in the GDPR and has the general description: “Each Member State shall provide for one or more independent public authorities to be responsible for monitoring the application of this Regulation, in order to protect the fundamental rights and freedoms of natural persons in relation to processing and to facilitate the free flow of personal data within the Union (‘supervisory authority’).”

Articles 51 through 67 define and spell out the responsibilities of the supervisory authority, which is the DPA of each EU member state. In addition to overseeing the application and enforcement of GDPR in their member states, each DPA also participates in the European Data Protection Board.

What are the key responsibilities of a data protection authority?

• Audit member organizations for proper data protection and privacy practices.

• Promote awareness and understanding of data protection and privacy practices.

• Provide clarifying guidelines as needed.

• Ensure compliance with the rules through fines as needed.

Here are additional resources to learn more about Data Protection Authorities:

• European Commission, “What are data protection authorities (DPAs)?”

• Privacy Shield, DPA Liaison at the Department of Commerce

• European Commission, GDPR Fact Sheet

Data Protection Officer

DPOs Monitor Privacy Risk and Compliance for Their Organization

While the position of Data Protection Officer (DPO) had existed in countries like Germany and France since the 1990s, GDPR crystallized the need for and the role of the position. GDPR Articles 37, 38 and 39 define the roles and responsibilities of the DPO, and Articles 8 and 9 define its data responsibilities. The DPO should monitor overall privacy risk and compliance for their organization and act as the conduit to the national supervisory authorities.

The Data Protection Officer (DPO) is a role closely related to the CPO. The DPO is a role mandated by GDPR that works with the local Data Protection Authority (DPA) to ensure compliance with the regulation. Very few companies have combined the two roles, as the CPO is seen as an advocate for the company while the DPO is an advocate for the DPA.

Section 4, articles 37-39 define the role and responsibilities of the data protection officer.


What are the primary tasks of the DPO? From the GDPR text, this is how the regulation defines DPO responsibilities:

1. The data protection officer shall have at least the following tasks:

a. to inform and advise the controller or the processor and the employees who carry out processing of their obligations pursuant to this Regulation and to other Union or Member State data protection provisions;

b. to monitor compliance with this Regulation, with other Union or Member State data protection provisions and with the policies of the controller or processor in relation to the protection of personal data, including the assignment of responsibilities, awareness-raising and training of staff involved in processing operations, and the related audits;

c. to provide advice where requested as regards the data protection impact assessment and monitor its performance pursuant to Article 35;

d. to cooperate with the supervisory authority;

e. to act as the contact point for the supervisory authority on issues relating to processing, including the prior consultation referred to in Article 36, and to consult, where appropriate, with regard to any other matter.

2. The data protection officer shall in the performance of his or her tasks have due regard to the risk associated with processing operations, taking into account the nature, scope, context and purposes of processing.

Here are additional resources to learn more about DPOs:

• UK Information Commissioner’s Office, Data Protection Officers

• European Commission, GDPR text, articles 37, 38 and 39

Data Redaction

Redaction makes private or sensitive data illegible

Redaction is the permanent removal of information from a physical or electronic document by covering, blurring or distorting data in order to remove personal, sensitive, or intellectual property data. Typically, this method is used for documents that contain information relevant to electronic discovery or court presentation but also contain sensitive information unrelated to the actual evidence. Redaction can be accomplished with a stamp or blackout marker for physical documents, and it is a feature available in data redaction freeware, software packages, and some data masking solutions (which black out, blur or distort the original data).

By redacting personal data in physical and electronic documents, these records are effectively anonymized or de-identified to help control the access of personal and/or sensitive information.

What are some examples of data redaction?

• Blurring of data so that it is unreadable.

• Distortion of data so that it is unreadable.

• Blocking of data.

• Blacking block overlay of original data.

How do organizations accomplish data redaction?

• Manual tasks on physical documents. A Sharpie!

• Custom scripts that allow users to select and redact specific information.

• Freeware; many tools exist that allow users to redact text in PDF documents.

• Commercial data redaction tools and software solutions.

• Additionally, some data masking vendors provide data redaction capabilities in their products.

Here are additional resources to learn more about redaction:

• UK ICO, “Anonymisation: managing data protection risk code of practice”

• NIST “De-Identification of Personal”

• European Commission, recommendations on data anonymization

Data Retention

Data retention is about providing rigor around how long certain data is stored

Data retention is the continuous storage of a company’s data and/or documents for compliance or business reasons. Data is retained for a number of reasons. To properly service and retain customers, organizations need to maintain records on customer purchases, contact details, and preferences. Additionally, organizations may need to retain customer records for regulatory audits and legal purposes. From a privacy perspective, customer/personal information should only be retained when there is a business, legal or regulatory need. This concept is known as ‘data minimization’.

What are some examples of data that companies need to retain?

• Customer purchases, warranties, and physical and electronic communications (emails, letters, faxes).

• Documents and emails related to day-to-day operations.

• Data and communications to customers, prospects, and other solicitations.

• Contracts, financial records, and transactions.

• HR and payroll data.

• Call center records.

• Web and other electronic logs.

What are the key issues that affect how long data is retained?

• Regulatory requirements such as GDPR, CCPA and various state laws.

• Industry regulations such as HIPAA and PCI.

• Duration of customer relationship (for instance specific years of leases or service agreements).

• Legal issues (discovery requests, lawsuits).

Here are additional resources to learn more about data retention:

• Security Intelligence, “5 Key Steps to Developing Your Global Data Privacy Program”

• IAPP, various resources

• State of California Attorney General, California Consumer Privacy Act (CCPA)

• UK ICO, “Guide to the General Data Protection Regulation (GDPR)”

• European Commission, GDPR regulation text

Page 46: Integris Data Privacy Dictionary Edition Table of Contents · • Challenge response device, such as an RSA token. • Two-factor authentication, such as a USB key with a PKI certificate,

Integris Data Privacy Dictionary – 1st Edition

© Integris Software 2020. All rights reserved. 45

Data Steward

A Data Steward Helps Ensure Data Quality and Good Data Governance

A data steward ensures the quality, definition, and appropriate use of data. The data steward typically works for and under the direction of the data owner. Data stewards may focus on specific data types, such as business, process, or system data. They are the internal experts on the company’s data and are responsible for documenting the data and monitoring data quality, protection, and compliance.

What are the key responsibilities of data stewards?

• Ensure data is defined for its purpose, systems, processes, and lineage.

• Monitor and ensure data quality meets business needs.

• Monitor adherence to data governance goals and strategies.

• Work with security and privacy to ensure data protection and usage meets compliance requirements.

• Provide guidance to data projects such as master data management, integration, and archiving.

What background is required to perform the tasks of a data steward?

Here is a sample of data steward job requirements that appear in job listings:

• Proven experience in implementing data governance and data management principles in an organization

• Proven experience in creating data standards, requirements, rules, diagrams, and data dictionaries

• Ability to work with a wide range of stakeholders including business teams, analysts and technical teams

• Strong organizational and communication skills, in particular, experience communicating with all levels of management

• Sound problem-solving and decision-making ability, including the ability to prioritize

Here are additional resources to learn more about Data Stewards:

• Dun & Bradstreet, “Why You Need a Data Steward and Best Practices to Do it Right”

• Datanami, “Don’t Overlook the Importance of Data Stewards”


• The Information Accountability Foundation, “Data Stewards Not Fiduciaries”

Data Subject

Data Subjects are at the Center of Privacy Law and Compliance

A data subject is an identifiable person whose personal data is regulated by the privacy laws of their nation/state. The term data subject was first broadly used in the EU Data Protection Directive of 1995 and is now the foundation for GDPR. In GDPR, data subjects are referred to as individuals (that reside in the EU), while in CCPA they are referred to as California consumers (California residents).

GDPR specifically defines the data subject as: “an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.”

Why is the data subject so important to privacy?

• The data subject is granted numerous rights and expectations by GDPR.

• The data subject has ultimate control of their data (detailed in data subject rights).

• Organizations must pay special attention to the information they hold on data subjects; they are expected to have reasonable controls, processes, and policies to ensure that the privacy of the data subject is upheld.

What are typical data subject rights?

• The right to understand what data an organization holds on a person and how it is used (right to access).

• The right to be forgotten or deleted.

• Expectation of reasonable security.

• Right to portability, requesting and moving data from and to service providers.

Here are additional resources to learn more about data subject:

• UK Information Commissioner’s Office, Data Subject

• GDPR regulation text


Data Subject and Consumer Rights

Data Subject Rights and Consumer Rights as Defined by Privacy Law

GDPR and CCPA both provide rights to individuals regarding the control and protection of their personal data. The rights are similar but not identical, and individuals are referred to as data subjects in GDPR and as consumers in CCPA. In addition, COPPA in the US deals specifically with the privacy rights of children under the age of 13. Under GDPR, data subjects must agree to how their data is used, and the controller must ensure that their data is only used as allowed by law or by contract.

While the following focuses on GDPR and CCPA, generally privacy regulations provide basic rights to individuals regarding their personal data, including the right to be forgotten, portability, access, error correction, and expectation of security.

What are some of the rights provided by GDPR?

• Right to understand in clear language about how and why their data is used.

• The right to have errors corrected in their data.

• The right to have their data removed, referred to as the right to be forgotten.

• The right to restrict how an organization uses their data.

For CCPA, consumers own and control their data and can hold companies responsible for the security of their data.

What are some of the rights provided by CCPA?

• Consumers control if their data is shared or sold by companies.

• Consumers have the right to have their data deleted.

• Companies will have privacy and security controls to safeguard consumer’s data.

What are the rights provided by COPPA?

• Parents must consent before personal information is collected from children under age 13.

• Privacy policies must detail how consent is obtained and how information is protected.

• Parents must be provided information on how their children’s information will be used and how to access the collected information.

• Companies must only retain the child’s information as reasonably needed.


Here are additional resources to learn more about data subject rights and consumer rights:

• UK Information Commissioner’s Office, Data Subject Rights

• GDPR regulation text

• Californians For Consumer Privacy, Facts on CCPA

• Federal Trade Commission, Children’s Online Privacy Protection Act (“COPPA”)

Data Subject Access Request (DSAR)

Data Subject Access Requests Give Individuals Control of Personal Data

Under GDPR citizens have rights, executed through data subject access requests (DSARs) that they can exercise with any company (the controller) that holds their personal and sensitive information. The citizen can contact the Data Protection Officer, or utilize the company’s website or customer support to initiate their DSAR. The company then has 30 days to respond to the request.

What are some of the DSARs that may be requested?

• Request information on how your data is used and processed.

• Request that any information the company holds is deleted.

• Request that your information is corrected.

• Request that your information use is restricted.

• Request that your information is transferred to another service provider.

How do organizations process DSARs?

Most organizations have web forms that allow individuals to submit a DSAR. These forms are then submitted to backend systems, potentially a CRM, a marketing automation solution or a privacy automation solution. Key for these systems is the logging, management, monitoring, and reporting of all DSARs. However, organizations must also have a continuous view of each individual’s data footprint to ensure they can fulfill the DSAR on the backend.

Here are additional resources to learn more about DSARs:

• IAPP, list of resources, Data Subject Requests

• UK Information Commissioner’s Office, What are my rights

• GDPR regulation text


FTC

The FTC Enforces Fair Trade and Competition in the United States

The Federal Trade Commission (FTC) was established in 1914 and is responsible for protecting US consumers and encouraging fair competition. Specifically, it battles unfair, deceptive, and fraudulent practices in the marketplace. It also monitors the market for monopoly situations that could impact consumers negatively.

For privacy and security, the FTC is the primary enforcement agency in the US. It ensures that consumers’ privacy rights are protected and that companies meet the privacy policies that they have committed to with their customers.

The FTC also administers and manages COPPA. COPPA stands for the Children's Online Privacy Protection Rule of 1998 (15 USC 6501). This US regulation provides for the privacy protection of children under age 13. Specifically, website operators, online services, and mobile applications must obtain parental permission before obtaining any personal information on the child, and the operator must state in their privacy policy how parental consent is obtained and how they protect children's information.

What are some of the responsibilities of the FTC?

• Monitor and enforce the privacy rights of consumers.

• Monitor and enforce the privacy rights of children under 13 (COPPA).

• Investigate data breaches for negligence.

• Monitor and bring action against companies that engage in unfair trade practices.

• Monitor and take action against companies that engage in deceptive trade practices.

• Review mergers and acquisitions for monopolistic effects.

• Provide alerts for citizens.

• Maintain a do not call registry.

• Collect and investigate consumer trade and monopoly complaints.

Here are additional resources to learn more about the FTC:

• Federal Trade Commission Website

• Federal Trade Commission on Facebook


GDPR

GDPR Key Principles and Provisions for Privacy Rights and Protections

The General Data Protection Regulation (GDPR) represents the maturation of European Union (EU) privacy law and provides a benchmark for all other privacy legislation. GDPR provides privacy rights for EU citizens so that they can control the use of their personal information by businesses, organizations, and governments. This regulation has worldwide implications as most organizations who have EU citizen data need to comply with its provisions.

The law was effective April 25, 2018 and provides for significant fines for non-compliance, up to €20M or 4% of global revenues. The legislation defines responsibilities via 99 articles that detail the specific responsibilities of organizations to support the data privacy, consent, and rights of EU citizens.

What are the key principles of GDPR that should guide organizations’ privacy policies and practices?

1. Have a lawful purpose for collecting an EU citizen’s data.

2. Be clear on how data will be used.

3. Limit the data held on EU citizens to only support lawful use and stated purposes.

4. Take reasonable measures to ensure that EU citizen data is accurate.

5. Not store EU citizen data longer than needed for business purposes or required by policies.

6. Ensure the integrity and security of EU citizen data.

7. Take responsibility for the processing of EU citizen data.

What are the key provisions of GDPR that organizations need to fulfill?

1. Have a lawful basis for processing citizen data such as a specific consent, contract, or legal obligation.

2. Ensure data privacy rights are provided to EU citizens (right to be forgotten, right to access, erasure, restrict processing, etc.).

3. Organizations should demonstrate accountability and governance (with data protection by design, routine privacy assessments, assignment of a data protection officer, documentation of data use, etc.).

4. Organizations should implement reasonable data security (with appropriate technical measures and controls, data encryption, user authentication, pseudonymization and anonymization).


5. Provide notification of breaches within 72 hours and have strong breach prevention controls and thorough response/investigation processes.

6. Restrict and ensure strong protection of data transferred outside the EU.

Here are additional resources to learn more about GDPR:

• UK ICO, “Guide to the General Data Protection Regulation (GDPR)”

• European Commission, data protection/GDPR resources

• European Commission, GDPR regulation text

HIPAA

What is the Health Insurance Portability and Accountability Act (HIPAA)?

The Health Insurance Portability and Accountability Act (HIPAA) of 1996 was enacted in the United States to improve the handling, protection, and privacy of personal and health information of individuals. It consists of five titles that specify the availability of health plans, the privacy and security of health and personal information, medical savings account guidelines, rules on pre-existing conditions, and provisions for corporate tax deductions of company-owned life insurance. For privacy, HIPAA has numerous provisions in Title II regarding access, privacy, and the use of personal and health information.

What are some of the ways HIPAA addresses the privacy of individuals’ health and personal information?

• Privacy rule: defines what information is protected health information (PHI), prescribes how information can be disclosed, and requires health organizations to take reasonable steps to ensure the privacy of PHI.

• Right to access: provides individuals the right to access their PHI and/or to transfer their information to other providers.

• Security rule: provides for the protection of PHI via three distinct safeguards: administrative, physical, and technical. Administrative safeguards deal with the policies and procedures of health organizations. Physical safeguards specify how computer hardware and software devices can be accessed by individuals and protected physically. Technical safeguards provide guidance on the technical controls that ensure that PHI access is limited to authorized users, protected from malicious access and activities, and that systems are configured and maintained to limit known vulnerabilities.


Here are additional resources to learn more about HIPAA:

• IAPP, glossary of privacy terms, Health Insurance Portability and Accountability Act

• Wikipedia, HIPAA

• US Government Publishing Office, Health Insurance Portability and Accountability Act of 1996, link to text

Logs

Logs provide a record of events for servers, databases, applications, or security systems. They support audit, compliance measurement, trend analysis, and anomaly detection.

What are logs within the context of data privacy?

For privacy, logs can provide these capabilities in a privacy-context, supporting intelligence, automation, and reporting for data subject rights, privacy violations, compliance readiness, and regulatory reporting. But logs may also introduce risks if personal data is not considered.

What type of privacy risks exist within logs?

Logs themselves can introduce privacy risk by capturing the personal information of data subjects and/or by tracking the activities of data subjects outside the bounds of specific or implied consent. Therefore, log data must be treated as any other data source in regards to privacy policies, processes, and controls.

What are common types of logs?

• Database log: A capability that writes specified events to a file to track updates, access, and errors related to a database management system.

• Application log: A function written into the application itself, independent of the database or operating system, that writes application events, errors, and warnings to a file.

• Security log: A capability, either in the application, database, operating system or security software, that writes security-related events to a file. Examples of security log events include unauthorized access attempts, suspicious activity, and malicious code detection.
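The two log sections above make one practical point: a log line is a data source that may carry personal data, and it should be scanned and reduced before it is retained. The following Python example is added here and is not code from the Integris dictionary. It scans constructed sample log lines for three common categories of personal data (email addresses, IPv4 addresses, and card-like numbers), counts what it finds, and rewrites each line so that the email is replaced by a keyed pseudonym (the same address still correlates across lines, but the address itself is not stored), the card number is dropped, and the IP is truncated to its /24 network. The log format, the field names and the key are assumptions for the example.

```python
"""Scan and redact personal data in log lines before retention.

Added example, not part of the Integris Data Privacy Dictionary. The log format
and the key below are constructed for illustration.
"""
import hashlib
import hmac
import re

# Constructed sample lines in a generic "timestamp LEVEL message key=value" format.
SAMPLE_LOG = [
    "2020-03-01T10:15:02Z INFO login ok user=jane.doe@example.com src=203.0.113.42",
    "2020-03-01T10:15:09Z WARN payment declined card=4111 1111 1111 1111 user=jane.doe@example.com",
    "2020-03-01T10:16:00Z INFO health check ok",
]

# Placeholder key (assumption): in practice this lives in a secrets store,
# separate from the log pipeline, and is rotated on a schedule.
PSEUDONYM_KEY = b"replace-with-a-key-from-your-secrets-store"

EMAIL_RE = re.compile(r"[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
# Sixteen digits in groups of four, optionally separated by spaces or dashes.
CARD_RE = re.compile(r"\b(?:\d{4}[ -]?){3}\d{4}\b")

PATTERNS = {"email": EMAIL_RE, "ip": IPV4_RE, "card": CARD_RE}


def pseudonym(value: str, key: bytes) -> str:
    """Keyed, truncated hash of a value: identical input gives an identical token,
    so sessions can still be correlated across lines without storing the value."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:12]


def classify(line: str) -> dict:
    """Count personal-data matches per category in one line."""
    return {name: len(rx.findall(line)) for name, rx in PATTERNS.items()}


def truncate_ip(ip: str) -> str:
    """Keep the /24 network for troubleshooting, drop the host part."""
    return ".".join(ip.split(".")[:3]) + ".0/24"


def redact_line(line: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Rewrite one line so that no raw email, card number or full IP remains."""
    line = EMAIL_RE.sub(lambda m: f"<email:{pseudonym(m.group(0), key)}>", line)
    line = CARD_RE.sub("<card:redacted>", line)
    line = IPV4_RE.sub(lambda m: truncate_ip(m.group(0)), line)
    return line


def redact_log(lines, key: bytes = PSEUDONYM_KEY):
    """Return (redacted lines, totals per category) for a batch of log lines."""
    totals = {name: 0 for name in PATTERNS}
    out = []
    for line in lines:
        for name, n in classify(line).items():
            totals[name] += n
        out.append(redact_line(line, key))
    return out, totals


if __name__ == "__main__":
    redacted, totals = redact_log(SAMPLE_LOG)
    print(*redacted, sep="\n")
    print(totals)
```

The totals returned by redact_log give the "where is personal data leaking into logs" inventory the privacy team needs, and the redacted lines are what should reach long-term storage. Lines with no matches pass through unchanged, so the step can sit in front of an existing log pipeline.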

Here are additional resources to learn more about logs:

• NIST, “Guide to Computer Security Log Management:” https://nvlpubs.nist.gov/nistpubs/Legacy/SP/nistspecialpublication800-92.pdf

• InfoSec Handbook Blog “Web server security – Part 6: GDPR-friendly logging, and server monitoring:” https://infosec-handbook.eu/blog/wss6-logging-monitoring/

NIST Privacy Framework

The NIST Privacy Framework Helps Organizations Manage Privacy Risk

The National Institute of Standards and Technology (NIST) provides technical guidance for numerous technologies and industries. NIST is part of the US Department of Commerce; it began in 1901 as the bureau of standards and measures and was renamed NIST in 1988. For data security and privacy, NIST released the Cybersecurity Framework in 2014 and launched the NIST Privacy Framework in January of 2020.

The NIST Privacy Framework provides guidance for organizations to better identify, assess, manage, and communicate about privacy risks. Organizations can leverage the Privacy Framework to help assess their privacy readiness and to conduct Data Protection Impact Assessments as required by GDPR.

What are the Components of the NIST Privacy Framework?

1. The Core: The Core provides the basic operational guidelines for privacy. Directly from the April 30, 2019 working draft: “The Core consists of five concurrent and continuous functions—Identify, Protect, Control, Inform, and Respond. Together these functions provide a high-level, strategic view of the life cycle of an organization’s management of privacy risk.”

2. The Profile: The Profile enumerates the privacy goals of an organization. Based on business objectives and goals, companies can create a current profile and a target profile, with the delta representing the privacy improvements the company wants to achieve. Progress toward the target state can be used as a privacy Key Performance Indicator.

3. Implementation Tiers: The implementation tiers describe the company’s current state of readiness. The Privacy Framework defines tiers that progress from partial to risk-informed, repeatable, and adaptive.

Here are additional resources to learn more about the NIST Privacy Framework:

• NIST Website, Privacy Framework

• NIST Website, Discussion Draft, Privacy Framework

• IAPP Privacy Advisor, Article on Privacy Framework for DPIAs

• IAPP Privacy Perspectives, Article on Privacy Framework Progress

Personal Data

Personal Data Explained as Defined By the GDPR and the CCPA

Personal information serves as the foundation for the definitions and policies of European data privacy regulations. In Article 4, GDPR provides guidelines for defining personal information but does not provide a definitive list. As defined by the General Data Protection Regulation (GDPR), personal data is information that identifies a natural person. The data can relate to identity, health, or financial information. Generally, personal data is any information that can be used to identify a specific person.

Requirements for the California Consumer Privacy Act (CCPA) went into effect on January 1, 2020. Like GDPR, the CCPA is broad in its definition of “personal information.” It defines personal information as information that “could reasonably be linked, directly or indirectly, with a particular consumer or household.”

You won’t find the word “household” in GDPR. It implies that personal information doesn’t have to be tied to a specific name or individual (think home address, home devices, geolocation data, home network IP addresses, and the like).

A related but slightly different term is PII (Personal Identifying Information). PII relates to data that by itself could lead to the identity of an individual. Examples would be a unique national identifier, passport, or driver’s license number.

What are examples of personal data?

• First and last name.

• Home address.

• Email address that contains a first and last name.

• Identification cards.

• Location data (for example, the location data function on a mobile phone).

• Internet Protocol (IP) address.

• A cookie ID.

• The advertising identifier of your phone.

• Data held by a hospital or doctor, which could be a symbol that uniquely identifies a person.

Here are additional resources to learn more about personal data:

• UK ICO

• European Commission

• Californians for Consumer Privacy

Phishing

Phishing Must Be Considered for Privacy Controls and Data Protection

Phishing is a deceptive communication, sent via email or a messaging service, that entices users to open a malicious link or attachment. The phishing email may look like an email from a user’s employer, bank, or another known service provider. The link or attachment then loads an exploit that allows hackers to use the user’s system for malicious purposes.

What are the precautions to take to prevent phishing?

• Use up-to-date PC security tools, for example anti-virus software, anti-spyware, and firewalls.

• Never open suspicious or unknown email attachments.

• Never disclose personal data requested by email, for example your name or credit card number.

• Check that the site URL is legitimate by typing the real address into your web browser.

• Verify the site’s telephone number independently before calling the number provided in the email.

What is the impact of phishing on privacy?

• If users are not properly trained on how to avoid phishing, data misuse or loss can occur through an exploit.

• Organizations need to have proper controls, policies, and processes in place to prevent phishing as part of an adequate data protection program.

• Phishing is one of the top 10 attack vectors for hackers.

Types of phishing methods:

• Spear phishing: A malicious email targets a specific individual.

• Whaling: This phishing approach targets high wealth or powerful individuals.

• Cloning: A legitimate email is modified to exploit the recipient.

• Link manipulation: Seemingly legitimate links take users to malicious content.

Here are additional resources for information on Phishing:

• SANS Institute article on Phishing

• European Commission anti-Phishing Initiative

Privacy by Design

Privacy by Design Ingrains Privacy into Business Operations

Privacy by Design is the strategy of systematically incorporating privacy safeguards and controls into business operations, processes, and applications.

What are the benefits of Privacy by Design?

When privacy becomes a fundamental consideration of all operations, it helps organizations improve the effectiveness of privacy efforts and reduces the costs and complexities of compliance readiness.

What is the history and founding principles of Privacy by Design?

Privacy by Design as a specific term was first outlined in a framework in the mid-1990s by the Information and Privacy Commissioner of Ontario, Canada, Ann Cavoukian. Cavoukian outlined seven foundational principles which still hold true today:

1. The Privacy by Design (PbD) framework is characterized by taking proactive rather than reactive measures. It anticipates risks and prevents privacy invasive events before they occur.

2. Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice as the default.

3. Privacy measures are embedded into the design and architecture of IT systems and business practices.

4. Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through the dated, zero-sum (either/or) approach, where unnecessary trade-offs are made.

5. Privacy by Design, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved; strong security measures are essential to privacy, from start to finish.

6. Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification.

7. Above all, Privacy by Design requires architects and operators to keep the interests of the individual top of mind by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options.

How do the principles of Privacy by Design play into the current regulatory environment?

GDPR requires that businesses use Privacy by Design principles as specified in Article 25. Within GDPR, Privacy by Design is defined as data protection by design and default. This provides guidance that the data controller should implement organizational and technical controls focused on ensuring the rights of the data subject.

Here are additional resources to learn more about Privacy by Design:

• Ryerson University, Privacy by Design Centre of Excellence

• International Association of Privacy Professionals (IAPP) (various resources)

• European Commission, Privacy by Design

Privacy Impact Assessment

Privacy Impact Assessments Assess Privacy Risks and Gaps for Companies

Privacy impact assessments (PIAs) help organizations determine the privacy risks of using and processing personal data. PIAs typically follow three critical steps. First, PIAs determine how personal data is used by the organization and if the processing conforms with regulations. Second, they analyze the risk of personal data based on how the data is accessed and used. Third, they evaluate what processes, controls or protections would reduce privacy risk and improve compliance.

GDPR calls out PIAs as data protection impact assessments in Article 35 for processing that may create high risk. Not all legislation calls out PIAs specifically, but PIAs represent a best practice for assessing overall privacy readiness. The specific requirements of a PIA vary based on which privacy regulation it targets.

How are Privacy Impact Assessments accomplished?

1. Manual processes: through surveys, interviews, and documentation, organizations review how personal data is used and protected. Given the volume and breadth of data sources, manual processes may be time consuming and prone to inaccuracies.

2. Automated solutions: packaged software can automate many components of PIAs, providing automated personal data discovery and classification. Additionally, these privacy solutions evaluate risk based on factors such as protection, number of users and geographic dispersion and movement of personal data. Organizations can have continuous assessment of personal data with these solutions.

3. Service providers: provide the staff and tools to perform PIAs for organizations that do not have the resources and/or expertise to conduct the analysis.

Here are additional resources to learn more about privacy impact assessments:

• UK ICO, “Data protection self assessment”

• European Commission, GDPR regulation text (article 35)

Privacy Shield

Privacy Shield Governs EU-US Data Transfers of Personal Data

The Privacy Shield sets out the requirements and obligations for United States companies to transfer data to and from European Union states. US companies self-certify following the guidelines from the US Department of Commerce and commit to following privacy and protection principles. The Privacy Shield was approved by the EU Commission on July 12, 2016 and is reviewed annually by the EU to ensure that Privacy Shield principles and enforcement are adequate.

The US Department of Commerce provides details, guidance, and administrative support for self-certification. In self-certifying, organizations are attesting to providing rights and protections to individuals. This includes:

• Notice of participation in Privacy Shield and personal information the organization collects.

• Choice options for individuals on how their information is used.

• Accountability for onward transfer: the participating organization will ensure that the third party honors notice, choice, and limits on processing, and provides adequate protection.

• Security: the organization will have reasonable security in place to protect personal data.

• Access: the organization must give individuals the right to see what data is held about them and to have it deleted or corrected.

• Recourse, enforcement and liability: organizations must have processes in place to handle complaints, monitor compliance, and remediate incidents.

What are the key requirements of Privacy Shield?

Organizations must adhere to several requirements to comply with Privacy Shield requirements. The requirements include data protection, consent, and subject rights:

• Ensure data integrity and limit utilization.

• Be accountable for data transferred to third parties.

• Limit transfers to parties that will ensure data protection and appropriate data processing.

• Respond within 90 days to complaints filed with an EU DPA, or within 45 days if filed directly with the company.

Here are additional resources to learn more about Privacy Shield:

• Department of Commerce, Privacy Shield Framework

• UK ICO, EU-US Privacy Shield

• TechCrunch, “EU-US Privacy Shield passes third Commission ‘health check’ — but litigation looms”

Pseudonymization

Pseudonymization’s Role in Data Privacy Protection and Analytics

Pseudonymous data cloaks the identity of the real person. Much like anonymization, pseudonymization changes characteristics such as names, identity numbers and other attributes of a person so that the person cannot be correlated back to their data record.

What is the difference between anonymization and pseudonymization?

The key difference between anonymization and pseudonymization is that pseudonymization provides a method for the data record to be re-identified. Secret keys (hash codes), kept separately from the data, can be used to point back to the original record in case the data needs to be re-identified.

An example would be a medical researcher conducting analytics on a pseudonymized data set. In the research, one of the data records indicates a likelihood of cancer. In this case, the researcher can inform the data controller of the results and the data controller could use their secret key related to the record to identify the individual so that they could be notified, and proper action could be taken for medical care.

GDPR and Pseudonymization

GDPR refers to pseudonymization six times in the legislation, and defines pseudonymization as: “‘pseudonymisation’ means the processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately and is subject to technical and organisational measures to ensure that the personal data are not attributed to an identified or identifiable natural person”.

How do organizations pseudonymize data?

1. Custom scripts: programmers write scripts to modify data fields related to personal or sensitive data and create an encrypted index for re-identification.

2. Packaged software: numerous vendors provide capabilities via their data masking, encryption, or DLP packaged software.
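The "custom scripts" approach above, and the researcher example under the anonymization question, can be shown concretely. The following Python example is added here and is not the dictionary's or any vendor's code. It pseudonymizes constructed patient records with a keyed hash (HMAC-SHA256) under a key held by the controller, strips direct identifiers from the research copy, and keeps the pseudonym-to-identity index as a separate object, which is the "additional information kept separately" in the GDPR definition quoted above. The research side can flag records by diagnosis code and hand only pseudonyms back; the controller side re-identifies them through the index. Record fields, diagnosis codes and the key are assumptions for the example. A plain unkeyed hash of a short identifier would not serve as a secret key, because anyone holding the hash could recompute it from candidate identifiers; the HMAC key is what makes re-identification depend on something the researcher does not have.

```python
"""Keyed pseudonymization with a separately held re-identification index.

Added example, not part of the Integris Data Privacy Dictionary. Records,
field names and the key are constructed for illustration.
"""
import hashlib
import hmac
import secrets

# Constructed sample records (fictional people).
PATIENTS = [
    {"patient_id": "P-1001", "name": "Ana Lima", "email": "ana@example.org", "zip": "98101", "dx": "C50"},
    {"patient_id": "P-1002", "name": "Ben Okoro", "email": "ben@example.org", "zip": "98104", "dx": "J45"},
    {"patient_id": "P-1003", "name": "Chen Wu", "email": "chen@example.org", "zip": "98121", "dx": "I10"},
]

# Fields that directly identify a person and must not reach the research set.
DIRECT_IDENTIFIERS = ("patient_id", "name", "email")

# Controller-held secret (assumption: generated here; in practice stored in a
# key management system, never alongside the research data set).
CONTROLLER_KEY = secrets.token_bytes(32)


def make_pseudonym(identifier: str, key: bytes) -> str:
    """Deterministic pseudonym: same identifier and key always give the same value,
    so repeated exports stay linkable, but without the key it cannot be recomputed."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key: bytes):
    """Return (research_set, index).

    research_set carries a pseudonym plus the non-identifying fields only;
    index maps pseudonym -> original patient_id and is stored separately."""
    research, index = [], {}
    for rec in records:
        pid = make_pseudonym(rec["patient_id"], key)
        index[pid] = rec["patient_id"]
        research.append(
            {"pid": pid, **{k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}}
        )
    return research, index


def contains_direct_identifiers(research) -> bool:
    """Sanity check before a research set leaves the controller."""
    return any(k in DIRECT_IDENTIFIERS for rec in research for k in rec)


def find_flagged(research, dx_code: str):
    """Researcher side: return the pseudonyms whose diagnosis matches dx_code."""
    return [rec["pid"] for rec in research if rec["dx"] == dx_code]


def reidentify(pid: str, index: dict):
    """Controller side: look a pseudonym up in the separately held index."""
    return index.get(pid)


if __name__ == "__main__":
    research, index = pseudonymize(PATIENTS, CONTROLLER_KEY)
    flagged = find_flagged(research, "C50")
    print("research set:", research)
    print("flagged pseudonyms:", flagged)
    print("controller re-identifies:", [reidentify(p, index) for p in flagged])
```

In the flow from the text, the researcher never sees the index or the key: they return the flagged pseudonyms, and only the controller can turn them back into patient identifiers so that the individual can be notified.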

Here are additional resources to learn more about pseudonymization:

• NIST, “De-Identification of Personal Information”

• European Commission, GDPR regulation text, see ‘Definitions’ and Articles 6, 25, 32, 40 and 89

Public Records

Public Records as Defined and Regulated by Privacy Laws

Public records refer to information collected and maintained by a governmental organization that is accessible to the general public. For example, in California, a marriage license can be a public record if not otherwise stated by the couple. Public records are kept not just for record keeping, but also to help people trying to gather things like past-due child support payments, collect pension benefits, ensure the accuracy of credit reports, etc.

Public Records and Data Privacy

Public records play a vital role in government transparency and provide important information for citizens but there are costs associated with providing and maintaining this data.

The challenges of public records data have more to do with the risks to personal privacy than with actual monetary costs. Public records present significant data privacy risk because criminals are able to mine these records for malicious use such as identity theft, spear phishing, and fraud. Additionally, the more these records become available online, the easier it is for thieves to access personal information.

What are examples of public records?

• Court records of civil proceedings such as divorce and breach of contract.

• Birth records and certificates.

• Criminal records and criminal proceedings regarding personal, non-civil offenses.

• Business records of financial performance.

• Property records of ownership and transactions.

Here are additional resources to learn more about public records:

• IAPP article, “Publicly available data under the GDPR: Main considerations”

• California Attorney General

• European Commission, GDPR regulation text (Articles 9, 14, 29, 86)

Right to be Forgotten

The Right to be Forgotten Allows Individuals to Delete Personal Data

The Right to be Forgotten (RTBF), aka the right to deletion or erasure, gives individuals the right to have their personal and sensitive data removed from an organization’s systems. Both GDPR and CCPA give individuals the right to data erasure/deletion. However, these regulations differ in their requirements. Both have exemptions to RTBF, primarily if the information is still needed to fulfil a transaction or another critical business and/or operational function.

How Does GDPR Address RTBF?

Article 17 of the GDPR (Right to Erasure, aka Right to be Forgotten) provides specific grounds on which an individual may request deletion of information. In summary, if an individual withdraws consent, or if the information no longer has a business purpose, or if the information has been used illegally, then the individual has the right to have the company erase the information.

How Does CCPA Address RTBF?

CCPA also provides the right to delete personal data and, in addition, data related to a specific household. CCPA provides more flexibility for individuals, as they can request deletion for any reason.

Here are additional resources to learn more about the RTBF:

• European Commission, “Can I ask a company to delete my personal information?”

• UK Information Commissioner’s Office, Right to Erasure

• Hogan Lovells, “California Consumer Privacy Act: The Challenge Ahead – A Comparison of 10 Key Aspects of The GDPR and The CCPA”

SPAM

Spam is Controlled by Privacy Regulation with Consent Requirements

Spam refers to the bulk sending of unwanted, unsolicited emails, texts or other electronic communications. Typically, the user or consumer has not provided consent to the company and has no previous service or purchase relationship with it. Marketers use spam as a low-cost way to reach user or consumer lists with offers for products, services, and/or trials.

Spam and Privacy Laws

Privacy laws have numerous provisions to battle unwanted and unsolicited communications. The CAN-SPAM Act, GDPR and CCPA specify how companies should ensure the appropriate use of electronic communications with customers and prospects. In general, customers should give consent for communications, have clear and obvious ways to opt out of mailing lists, and be able to control whether their information is shared with partners; companies should use clear, non-deceptive messages about the purpose of each communication.

What are Examples of Spam Guidelines for Companies?

1. Ensure that you have obtained consent for marketing messages.

2. Be clear on the purpose and offer in communications.

3. Have obvious and immediate methods for customers to opt-out of communications.

4. Empower customers to restrict the sale and/or sharing of their information.

5. Provide customers a clear process for deleting their information.

Here are additional resources for information on Spam:

• The US Federal Trade Commission (FTC), CAN-SPAM Act

• UK Information Commissioners’ Office, article on Spam

• NIST publication on Spam controls

Toxic Combinations of Data

Toxic combinations of data can re-identify or reveal new insights about an individual

A key issue for organizations leveraging Big Data is the potential for toxic combinations of data. While many organizations mask the identities of customers, consumers, or patients for analytic projects, combinations of other data elements may lead to unexpected toxic combinations. This is often the case with data lakes that take in a diverse mix of data sources and data source types, such as structured, unstructured and semi-structured data. Data in motion can also be a blind spot for many companies, given that most organizations don’t know what data is entering and leaving their organization every day.

Toxic combinations of data are the unintentional combination of data elements that can lead to unauthorized re-identification of individuals. An example would be a dataset that provides date of birth, zip code, and gender of an individual. Based on this information, 87% of the US population can be identified. The rates may be lower for de-identified health or legal data, but organizations must exercise due diligence and due care to ensure they protect the privacy of individuals whose data is used for analytics.

What are some examples of toxic combinations of personal data?

• Age, sex and zip code are used to re-identify a person.

• Location is used to identify travel and personal interests.

• Diagnostic codes, age, sex and zip code reveal a person’s health status.

• Browsing activity and social activity reveal political and religious beliefs.

Are there tools to detect toxic data combinations?

Tools exist to help organizations understand where risks exist. Vendors like Integris Software provide analysis of data sets to understand what sensitive personal information may lead to re-identification or inferences on other private information such as political or religious beliefs.

A best practice for Big Data analytics would be the automated analysis of data sets to understand what inferences or re-identification could occur. This analysis may lead to restricting the use of certain data elements and/or further masking/anonymization of the data.
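The "automated analysis of data sets" recommended above can be made concrete with a k-anonymity check over the quasi-identifiers the section names (age, sex, zip code). The following Python example is added here and is not Integris Software's tooling or the dictionary's own code. Over a constructed set of eight records it reports the smallest group that shares the same age/sex/zip combination (k), lists the combinations that fall below a chosen k, checks how many distinct diagnosis codes each group carries (so a group cannot reveal a single health status, the inference risk listed above), and then applies the two remedies the text mentions: generalizing the data elements (age bands, three-digit zip prefixes) and suppressing the records that still stand alone. The records, field names and thresholds are assumptions for the example.

```python
"""Re-identification and inference risk checks over quasi-identifier combinations.

Added example, not part of the Integris Data Privacy Dictionary. Records and
thresholds are constructed for illustration.
"""
from collections import Counter, defaultdict

# Constructed sample records (fictional). dx is a diagnosis code, the sensitive field.
RECORDS = [
    {"age": 34, "sex": "F", "zip": "98101", "dx": "C50"},
    {"age": 36, "sex": "F", "zip": "98101", "dx": "J45"},
    {"age": 52, "sex": "M", "zip": "98104", "dx": "I10"},
    {"age": 58, "sex": "M", "zip": "98104", "dx": "E11"},
    {"age": 31, "sex": "F", "zip": "98121", "dx": "J45"},
    {"age": 71, "sex": "M", "zip": "98101", "dx": "I10"},
    {"age": 33, "sex": "F", "zip": "98101", "dx": "E11"},
    {"age": 55, "sex": "M", "zip": "98109", "dx": "C50"},
]

# The combination the text flags as toxic: age, sex and zip code.
QUASI_IDS = ("age", "sex", "zip")


def _combo(rec, quasi_ids):
    return tuple(rec[q] for q in quasi_ids)


def group_sizes(records, quasi_ids=QUASI_IDS) -> Counter:
    """How many records share each quasi-identifier combination."""
    return Counter(_combo(r, quasi_ids) for r in records)


def k_anonymity(records, quasi_ids=QUASI_IDS) -> int:
    """Size of the smallest group; k == 1 means at least one record is unique."""
    sizes = group_sizes(records, quasi_ids)
    return min(sizes.values()) if sizes else 0


def risky_combinations(records, k=3, quasi_ids=QUASI_IDS):
    """Combinations shared by fewer than k records (candidates for re-identification)."""
    return sorted(c for c, n in group_sizes(records, quasi_ids).items() if n < k)


def sensitive_diversity(records, sensitive="dx", quasi_ids=QUASI_IDS) -> int:
    """Fewest distinct sensitive values in any group. A value of 1 means the
    combination alone reveals the sensitive attribute (inference risk)."""
    groups = defaultdict(set)
    for r in records:
        groups[_combo(r, quasi_ids)].add(r[sensitive])
    return min(len(v) for v in groups.values()) if groups else 0


def generalize(records, age_band=10, zip_digits=3):
    """Coarsen age into bands and zip into a prefix; returns new records."""
    out = []
    for r in records:
        lo = (r["age"] // age_band) * age_band
        zip_prefix = r["zip"][:zip_digits] + "*" * (len(r["zip"]) - zip_digits)
        out.append({**r, "age": f"{lo}-{lo + age_band - 1}", "zip": zip_prefix})
    return out


def suppress_rare(records, k=3, quasi_ids=QUASI_IDS):
    """Drop records whose combination is shared by fewer than k others."""
    sizes = group_sizes(records, quasi_ids)
    return [r for r in records if sizes[_combo(r, quasi_ids)] >= k]


if __name__ == "__main__":
    print("raw k:", k_anonymity(RECORDS), "risky:", len(risky_combinations(RECORDS, k=2)))
    gen = generalize(RECORDS)
    print("generalized k:", k_anonymity(gen), "risky:", risky_combinations(gen, k=3))
    safe = suppress_rare(gen, k=3)
    print("after suppression k:", k_anonymity(safe), "dx diversity:", sensitive_diversity(safe))
```

On the constructed data every raw record is unique (k = 1). Generalizing to ten-year age bands and three-digit zip prefixes leaves one record standing alone; suppressing it yields k = 3 with at least three different diagnosis codes per group, which is the kind of result that would justify releasing the set for analytics or, if the thresholds are not met, restricting which elements analysts may use.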

Here are additional resources to learn more about toxic combinations of personal data:

• Australian Information Commissioner, “De-identification and the Privacy Act”

• EPIC.org, Latest News of Re-Identification

Transparency

Transparency Concepts Should Drive Privacy Practices and Operations

Transparency is the clear, unambiguous guidance provided to customers and users on how their personal data is used and processed by a company. With transparency, users understand why and how their personal data is collected and processed, and they have clear and simple notice on opting out of data collection and sharing, and guidance on how to request data deletion. Article 12 of the GDPR details the requirements for transparency. It emphasizes that communications and notices should be provided in a “...concise, transparent, intelligible and easily accessible form, using clear and plain language…”. The individual or data subject must be able to readily understand communications for them to be ‘transparent’.

Public awareness has grown significantly regarding transparency as privacy incidents where personal data has been used without permission have come to light (Cambridge Analytica). And now with GDPR, CCPA, Singapore PDPA, Brazilian LGPD, and other privacy regulations, transparency is required for regulatory compliance.

What are Examples of Transparency?

• Clear notification on how data will be processed.

• Simple and clear communications by the controller on privacy matters or incidents.

• Guidance on how long data will be retained.

• Information on how to lodge complaints or request actions regarding personal data.

Here are additional resources for information on Transparency:

• CCPA, IAPP Article on Transparency

• GDPR text, see Articles 5, 12, 13, 14, 26, 40, 41, 42, 43, 53 and 88

• UK Information Commissioners’ Office, article on Lawfulness, fairness and transparency

Unauthorized Data Access, Use, or Transfer

Unauthorized Data Access, Use or Transfer are the primary threats to an organization's privacy compliance

Unauthorized data access, use or transfer all refer to misuse of personal and sensitive data. Unauthorized data access occurs when a user accesses personal data in a way that is not allowed by policy and is not pertinent to their organizational responsibilities. Unauthorized data use is similar, in that a user in the organization has exceeded their permissions in using data, but it can also refer to the organization using personal data without the proper consent of the data subject. Unauthorized data transfer refers to information transferred to organizations that are not permitted by privacy regulations or not covered by Privacy Shield or another appropriate binding agreement. In the case of CCPA, it could also refer to the sale of a customer’s information after the customer has exercised their do-not-sell right.

What are some examples of unauthorized data access, use or transfer?

• DevOps using customer data from various regions to develop and test software.

• Users from one region accessing personal data with no business purpose.

• Transfers of information to business partners that are not covered by privacy regulations, privacy shield, or some other binding agreement on the use of personal data.

• An organization using customer data for marketing purposes without the consent of the customer.

Here are additional resources to learn more about unauthorized data access, use or transfer:

• Department of Commerce, Privacy Shield Framework

• European Commission, data protection/GDPR resources

• European Commission, GDPR regulation text

• Californians for Consumer Privacy, About the Law

• Wikipedia, California Consumer Privacy Act

• State of California Attorney General, California Consumer Privacy Act (CCPA)

Whaling

Whaling Maliciously Targets Personal Data of the Wealthy or Powerful

Whaling is a form of phishing that focuses on specific individuals, particularly wealthy ones or those in positions of power. It involves gathering personal information about those users that can later be used by the hacker.

Hackers who engage in whaling frequently describe these efforts as “landing a big fish,” a well-known metaphor for the way they scour technologies for loopholes and openings for data theft.

Those engaged in whaling may, for instance, break into specific systems where these influential people work or store sensitive data. They may also install keyloggers or other malware on a workstation belonging to one of these executives. There are numerous ways that hackers can carry out whaling, which drives C-level and other top-level leaders in business and government to remain vigilant about the likelihood of cyber threats.

As with phishing, these are practical steps to avoid whaling:

• Use up-to-date PC security tools, for example anti-virus software, anti-spyware and firewalls.

• Never open suspicious or unknown email attachments.

• Never disclose personal data requested by email, for example your name or credit card number.

• Verify the site’s telephone number independently before calling the number provided in the email.

Here are additional resources for information on Whaling:

• DigitalGuardian, “What is a whaling attack?”

• Government Technology, “Beyond Spear Phishing: How to Address Whaling and More”

About Integris Software

Integris Software, the global leader in data privacy automation, helps enterprises discover and control the use of sensitive data in a way that protects privacy and fuels innovation.

Privacy is now critical to an effective data protection strategy. By sitting upstream from security, Integris tells you what data is important and why so you can be precise in your InfoSec controls.

Integris works securely, at scale, no matter where sensitive data resides. You get a live map of your sensitive data where you can apply policies, surface issues, fulfill data subject access requests, and automate remediations via your broader ticketing and InfoSec ecosystem.

Regulations like GDPR and the California Consumer Privacy Act (CCPA) are triggering knee-jerk reactions as companies lock down their data for fear of misuse. With Integris, there is finally a way to use your data without fear. For more information on Integris, visit: www.integris.io or follow @Integrisio on Twitter.

Global HQ in USA 1525 4th Avenue, 5th Floor

Seattle, WA 98101

Phone 1-425-539-2145

[email protected]

Vancouver, BC Canada Office 450 Southwest Marine Drive

Vancouver, BC

V5X 0C3

Phone 1-425-539-2145

[email protected]