Late May is a good time for privacy regulations to come into effect. Prior to May, short days, cold weather and rain typically keep us indoors anyway, so what better to do than work on data protection? But, after May, it’s helpful to have things mostly in order to allow for more time wandering in and thinking about nature instead of data. Isn’t it?
Well (wistfully), for many data protection officers, May 25, 2018, was hardly an ending. At the IAPP, we kept working into the summer and beyond to fine-tune new affirmative opt-in consent systems for marketing communication, upgrade our cookie notice and affirmative opt-in consent tool, touch up our data processing agreements, and upgrade our vendor vetting systems to match the EU General Data Protection Regulation’s enhanced standards around data processing.
We also spent time studying ourselves to see how it really works.
Over the year, we’ve continued to learn through doing. For example, when a university requested access to data for educational purposes (helping students in a data analytics class), we accepted the challenge to observe ourselves going through the exercise of considering this research opportunity. In the end, our thorough risk analysis concluded that the risk to data subjects (and the IAPP) was too high to proceed.
The project had all the hallmarks of the right thing to do; who doesn’t want to be helpful when it comes to academic research and student education? We also intended to use only deidentified data to reduce the risk to the rights and freedoms of data subjects. And we might have used the project to ask some business questions of our datasets that, as a small company, we don’t have the internal bandwidth to explore.
But not all things are as simple as they first appear, which is why the risk analysis process is so healthy. Transferring data from our database to another firm that would deidentify and host the data, then onto students who would use pseudonymized data for research, could go without a hitch. But given the number of parties involved, and our lack of experience with these kinds of processing activities, it seemed a poor time to experiment. The upside to the IAPP and the data subjects was minimal, while the downside (exposure of the data subjects’ identities, loss of control of their data) was significant even if the likelihood of occurrence was small.
Would we have followed through on this project had it involved only U.S.-based data subjects? It’s a tough and uncomfortable question that deserves to be asked. After all, the United States does not yet have comprehensive privacy regulation in place that would govern this situation. Most companies are free to transfer personal data to whomever for whatever provided they are not in privacy-regulated industries (e.g., health care or finance) and provided they are not unfair or deceptive in their data practices. (The new California Consumer Privacy Act, of course, creates comprehensive consumer rights, including the right to object to data sales to third parties.)
I’d like to think that the IAPP would have honored GDPR-like habits of risk assessment, taking into account the purpose limitation principle, when considering sharing personal data of U.S. data subjects in the absence of the GDPR. But it cannot be doubted that the regulation has had an impact on U.S.-based organizations doing business in the EU even when it comes to how they approach the data of U.S. consumers.
For one thing, we now have someone appointed to think of these matters consistently with EU law. For another, we appreciate that the GDPR is encouraging organizations to put the data subjects themselves at the center of the inquiry and not just the needs of the company (or even academia). This is foundational to maturing into a privacy-sensitive organization.
Being the world’s largest privacy organization means people are watching how you do privacy. (Confession: It’s hot here under the spotlight!)
The biggest challenge in the past year has been responding to comprehensive data access requests.
Working closely with our IT team, we developed an automated, self-service access request system that serves most every need. Because data subjects must log in to the system, it authenticates them automatically. Plus, it allows us to put our mandatory Article 15 disclosures in one place. The tool pulls from our customer records management system (Salesforce) a record of the personal data we collect and store there (which is most of the data we have). By pushing a button, the data subject can request (via an email automatically sent to the data protection officer) all the data the IAPP has stored in our marketing database (Marketo).
Occasionally, someone requests access to their unstructured personal data — personal data stored in documents, email communication and the like — and that is much harder to find. Luckily, we are still a small company with good awareness of where our data live and (ever-improving) habits on centralized data storage and data deletion. Still, as a lawyer, this has all the hallmarks of a discovery request — only it’s not precipitated by litigation — so I confess it’s new and awkward territory.
For those who will for the first time be facing consumer data access requests under the CCPA, my advice is to get started now building automated systems when possible and human teams that can help you gather data and respond to requests in a timely manner because it takes longer and is more difficult than you might think.
This summer brings with it a fresh crop of student interns and plenty of work to do. One upcoming project is diving back into our privacy notice to ensure it is still accurate and up to date. We are also exploring our own data usage for business intelligence at the IAPP, with many departments and teams involved in this project. Privacy is a central feature of our analysis, and the GDPR will play a major role in how we analyze data uses (including guidance on profiling and the right to object to processing).
Hoping to get in a few hikes and bike rides, too.
Happy birthday, GDPR!
If you want to comment on this post, you need to login.