Written by Stephen Ragan, Principal Privacy Consultant at Wrangu
This is the age of information. That information is data created, collected, and collated at extraordinary rates. Every hour, Walmart collects 2.5 petabytes of unstructured data from 1 million customers, and a whole science has emerged to transform those raw bits of information into value.
As data collection has expanded, so has people's awareness of what is collected and who owns that information. Most people today believe the data they generate about themselves is their property, and regulations backed by the force of law have emerged to confirm this idea. Right now, roughly 10% of the world's population is covered by some type of privacy legislation, and that share is predicted to grow to over 60% by 2023.
Modern organisations must therefore balance extracting value from data against privacy concerns, guided by an ethics that considers each phase of the data life cycle. By doing so, organisations gain visibility and insight into the data they collect, including where the data comes from, who has access to it, and which regulations apply. This drives business efficiency, reduces risk, and proactively positions your organisation to adapt to evolving regulations.
Where does the Data Life Cycle Begin?
1. Generation (Article 4(1))
The data life cycle starts with the generation of data. We generate data in pretty much everything we do, from clicking a link or watching a show to buying a cup of coffee. Data generation is not confined to the online world: traffic lights respond to traffic flows, and automatic temperature controls respond to where you are in your house.
Under General Data Protection Regulation (GDPR), the data to be concerned about is “personal data.” “Personal data” refers to “any information relating to an identified or identifiable natural person” and refers to data that can either be directly or indirectly used to identify an individual. (Art. 4 (1))
2. Collection (Article 13)
The next step is collecting the data. At the point of collection organisations must inform data subjects of several things to satisfy the principle that personal data be processed lawfully, fairly, and in a transparent manner and that the data is collected for an explicit and legitimate purpose. The information includes:
- The identity and the contact details of the controller;
- The contact details of the Data Protection Officer, where one has been appointed;
- The purposes of the processing and the legal basis for the processing;
- The recipients or the categories of recipients of the personal data;
- How long the data will be stored or, if that cannot be fixed in advance, the criteria used to determine the period;
- The existence of the rights to request access to, rectification or erasure of, and restriction of processing of their data, to object to processing, and to data portability;
- The right to withdraw consent if processing is based on it;
- The right to lodge a complaint with the supervisory authority; and
- Where applicable, that the controller intends to transfer personal data to a third country and the existence or absence of an adequacy decision.
This list ensures that data subjects are properly informed about how and why their data is processed. Where consent is the legal basis, only a data subject informed in this way can give valid consent. Consent is the best-known basis, but it is only one of the six lawful bases in Article 6, and it is not automatically the best choice: it can be withdrawn at any time, and processing that is necessary for a contract or a legal obligation should rely on those bases instead. The most commonly relied-on alternative is legitimate interest (Article 6(1)(f)), which requires a documented balancing of the interests of the organisation against the fundamental rights and reasonable expectations of the data subject.
Using Data to Create Value
3. Processing (Article 4(2))
Finally, the fun stuff! After collecting the data, and recording the lawful basis for processing, you can process the data! Processing is basically anything an organisation can do with the data, including collecting, recording, organising, structuring, storing, retrieving, using, transmitting, erasing, and destroying it. Go wild and employ those innovative machine learning techniques, but do not forget that your organisation must understand what it is doing with the data: you cannot give an accurate notice, or obtain informed consent where consent is the basis, for processing you cannot describe.
4. Records of Processing Activity (Article 30)
Unfortunately, or fortunately, depending on your perspective, the supervisory authority will not take your word for what you are doing with your data. Organisations are required to maintain a record of processing activities (ROPA) and to make it available to the supervisory authority on request. Article 30(5) exempts organisations with fewer than 250 employees, but only if the processing is occasional, is unlikely to result in a risk to data subjects, and involves no special categories of data or criminal-conviction data; in practice very few organisations that process personal data regularly can rely on that exemption.
Much like specifying what information must be provided at the point of collection, GDPR also lays out what must be included in the ROPA.
The record must contain:
- The name and contact details of the controller, the controller’s representative, and the data protection officer;
- The purposes of the processing;
- A description of the categories of data subjects and of the categories of personal data;
- The categories of recipients of the personal data;
- Where applicable, transfers of personal data to a third country, whether that country has an adequacy decision, and if not the suitable safeguards;
- The retention period; and
- Where possible, a general description of the security measures.
Complying with Regulations
5. Mapping Data Flows
Have you ever misplaced your keys? I have, and I have wasted more time than I would like to admit looking for them. Now imagine you are trying to find that key amid a terabyte of keys. A terabyte is one million million bytes. That repetition was not a misprint. Quite frankly I am not sure how to conceive of a number that big. Writing it out, 1000000000000, does the trick, but that does not feel good enough.
The point is, organisations collect a lot of data, and this data is often unstructured. Data mapping is like having a search engine for your own data: it lets you find the data you need, when you need it, bringing order to chaos by documenting which systems hold which data and how it flows between them. This matters not only for deriving the most value out of your data but also for complying with Data Subject Rights.
6. Complying with Data Subject Rights (DSRs)
Phew! We have had a lot of lists so far, and I am glad you have made it this far. Do you remember that list of things you provided data subjects when collecting their data? In that list you told the data subjects about their rights. Those rights include the ability to withdraw consent for processing, the right to access and correct the data, the right to portable data, and the right to have their data deleted.
Those are a lot of rights, but it is a good thing you have implemented data mapping so you can find that data wherever it might be in your organisation. Failing to find all the information you collect on a data subject makes complying with DSRs and the GDPR impossible.
Data subjects may make an access request in several ways, including verbally, online, by fax, or by letter. To comply with a request, organisations must verify the identity of the individual making the request (Article 12(6) allows requesting additional information where there are reasonable doubts) and respond "without undue delay" and in any event within one month of receiving the request. The period may be extended by up to two further months on account of the complexity or number of requests, but the data subject must be told about the extension, and the reasons for it, within the original month (Article 12(3)). This time limit again emphasises the importance of data mapping, which allows you to find all the data you hold on an individual in a timely and efficient manner.
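The two sections above, data mapping and responding to a subject access request, can be tied together in a small data map. The following is an added example and not code from the original article or from Wrangu: it records which systems hold which categories of personal data under which lawful basis, gathers every record held on one data subject across those systems, and computes the Article 12(3) response deadline. The stores, their records and the subject identifiers are constructed for illustration.

```python
# Added example, not part of the original article: a minimal data map with a
# cross-store lookup for one data subject and the Article 12(3) response deadline.
import calendar
from dataclasses import dataclass, field
from datetime import date


@dataclass
class DataStore:
    name: str
    owner: str              # team accountable for the system
    lawful_basis: str       # e.g. "consent", "contract", "legitimate interest"
    retention_days: int     # retention period promised in the privacy notice
    identifier_field: str   # field that identifies the data subject in this store
    categories: list        # categories of personal data held
    records: list = field(default_factory=list)


# Constructed data map: three systems a small web shop might run. Note that the
# same person is keyed by differently named fields in each system.
DATA_MAP = [
    DataStore("crm", "sales", "contract", 365 * 6, "email",
              ["name", "email", "phone"],
              [{"email": "ana@example.org", "name": "Ana", "phone": "+44 20 0000 0001"},
               {"email": "bo@example.org", "name": "Bo", "phone": "+44 20 0000 0002"}]),
    DataStore("web_analytics", "marketing", "consent", 90, "user_email",
              ["user_email", "page_views"],
              [{"user_email": "Ana@Example.org", "page_views": 42}]),
    DataStore("support_tickets", "support", "legitimate interest", 365 * 2, "requester",
              ["requester", "ticket_text"],
              [{"requester": "bo@example.org", "ticket_text": "Order never arrived"}]),
]


def locate_subject(data_map, subject_id):
    """Return every record held on one data subject, keyed by store name.

    The identifier is normalised before comparison because the same person can
    appear as 'Ana@Example.org' in one system and 'ana@example.org' in another;
    a lookup that misses a store makes a complete DSAR response impossible.
    """
    wanted = subject_id.strip().lower()
    hits = {}
    for store in data_map:
        matches = [r for r in store.records
                   if str(r.get(store.identifier_field, "")).strip().lower() == wanted]
        if matches:
            hits[store.name] = matches
    return hits


def stores_by_lawful_basis(data_map, basis):
    """Stores relying on a given basis, e.g. the ones affected by a consent withdrawal."""
    return sorted(s.name for s in data_map if s.lawful_basis == basis)


def add_months(d, months):
    """Calendar-month arithmetic clamped to month end (31 Jan + 1 month = 28/29 Feb)."""
    m = d.month - 1 + months
    y = d.year + m // 12
    m = m % 12 + 1
    return date(y, m, min(d.day, calendar.monthrange(y, m)[1]))


def dsar_deadline(received_iso, extended=False):
    """Article 12(3): respond within one month of receipt, extendable by two
    further months where the complexity or number of requests requires it.
    Takes and returns ISO dates so the result is easy to log and compare."""
    received = date.fromisoformat(received_iso)
    return add_months(received, 3 if extended else 1).isoformat()


if __name__ == "__main__":
    for store, rows in locate_subject(DATA_MAP, " ANA@example.org ").items():
        print(store, rows)
    print("deadline:", dsar_deadline("2021-01-31"))
    print("extended:", dsar_deadline("2021-01-31", extended=True))
```

`locate_subject` is deliberately exhaustive: it scans every store in the map rather than stopping at the first hit, because a response that omits one system is an incomplete response. `stores_by_lawful_basis` shows the other use of the map, finding the systems that must stop processing when a data subject withdraws consent.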
7. Data Protection Impact Assessment (Article 35)
At this point you have collected the data and recorded the legal basis for processing activities. You know where your data is, what you are doing with it, and who has access to it. You are doing great and in the clear! Almost.
A Data Protection Impact Assessment (DPIA) is not required under GDPR in all cases. It is required where a type of processing, in particular one using new technologies, is likely to result in a high risk to the rights and freedoms of data subjects, and Article 35(3) names systematic profiling with legal or similarly significant effects, large-scale processing of special categories of data, and systematic large-scale monitoring of public areas as cases that always qualify. In those cases the DPIA must be carried out before processing begins, to assess the likelihood and severity of the risk.
The assessment must contain:
- A systematic description of the envisioned purpose and processing operations;
- An assessment of the necessity and proportionality of the processing operations in relation to the purposes;
- An assessment of the risks to the rights and freedoms of data subjects; and
- The measures envisioned to address the risks, including safeguards and security measures to ensure the protection of personal data and demonstrate compliance.
Where the DPIA indicates that the processing would result in a high risk that the organisation cannot mitigate, the controller must consult the supervisory authority before processing the data (Article 36).
Deleting Your Data
8. De-identify and Delete your Data
Finally, your organisation has made it to the end of the data life cycle. Conforming to the principles of data minimisation (collect only what is strictly necessary) and storage limitation (keep it no longer than necessary), your organisation set a retention period. When that moment arrives, it is time to delete your data. But wait! Your data is your gold. Do not throw away your gold!
Techniques now exist to generate synthetic data. This strategy allows your organisation to derive value from its data even after it has deleted the personal information. With a synthetic data solution, you generate a synthetic dataset based on the original dataset. After generating the synthetic dataset, you can delete the original and continue performing analysis on the synthetic dataset, retaining the data intelligence without the personal data. Pretty cool. One caveat: the synthetic dataset is only outside GDPR if it is genuinely anonymous. If the generator copies rare records through unchanged, or the synthetic rows can be linked back to real individuals, the result is still personal data, so check the output for overlap with the original and for small groups before treating it as free of personal data.
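To make the de-identification and synthetic-data step concrete, here is an added example that is not from the article and not a description of any vendor's product. It strips direct identifiers, generalises the quasi-identifiers (age to a ten-year band, postcode to its outward code), measures the resulting k-anonymity, draws a synthetic dataset by sampling each column independently from the de-identified data, and finally counts how many synthetic rows coincide exactly with a real row, which is the check that tells you whether the output can be treated as free of personal data. The customer records are constructed.

```python
# Added example, not part of the original article: de-identify, measure
# k-anonymity, synthesise from marginals, and check overlap with the real rows.
import random
from collections import Counter

DIRECT_IDENTIFIERS = {"name", "email"}

# Constructed customer records (all names, emails and postcodes are made up).
ORIGINAL = [
    {"name": "Ana", "email": "ana@example.org", "age": 34, "postcode": "SW1A 1AA", "plan": "gold"},
    {"name": "Bo", "email": "bo@example.org", "age": 37, "postcode": "SW1A 2BB", "plan": "silver"},
    {"name": "Cy", "email": "cy@example.org", "age": 52, "postcode": "EC1A 1BB", "plan": "gold"},
    {"name": "Di", "email": "di@example.org", "age": 58, "postcode": "EC1A 9ZZ", "plan": "silver"},
    {"name": "Ed", "email": "ed@example.org", "age": 31, "postcode": "SW1A 0AA", "plan": "gold"},
    {"name": "Fay", "email": "fay@example.org", "age": 55, "postcode": "EC1A 4PQ", "plan": "gold"},
]


def deidentify(records):
    """Drop direct identifiers and generalise the quasi-identifiers.

    Age becomes a ten-year band and the postcode is cut to its outward code,
    so that the remaining columns no longer single out one person.
    """
    out = []
    for r in records:
        band_start = (r["age"] // 10) * 10
        out.append({
            "age_band": f"{band_start}-{band_start + 9}",
            "area": r["postcode"].split()[0],
            "plan": r["plan"],
        })
    return out


def k_anonymity(records, quasi_ids):
    """Size of the smallest group sharing the same quasi-identifier values.
    k = 1 means at least one person is unique on those columns."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())


def synthesise(records, n, seed=0):
    """Sample each column independently from its empirical distribution.

    Per-column distributions are preserved; correlations between columns are
    not, which is the price of this deliberately simple generator. A seeded
    RNG makes the output reproducible.
    """
    rng = random.Random(seed)
    columns = {k: [r[k] for r in records] for k in records[0]}
    return [{k: rng.choice(values) for k, values in columns.items()} for _ in range(n)]


def overlap(synthetic, real):
    """Count synthetic rows identical to some real row. A high overlap means the
    'synthetic' dataset is still carrying real records through unchanged."""
    real_set = {tuple(sorted(r.items())) for r in real}
    return sum(tuple(sorted(s.items())) in real_set for s in synthetic)


def has_direct_identifiers(records):
    return any(DIRECT_IDENTIFIERS & set(r) for r in records)


if __name__ == "__main__":
    safe = deidentify(ORIGINAL)
    print("k on raw age+postcode:", k_anonymity(ORIGINAL, ("age", "postcode")))
    print("k on generalised columns:", k_anonymity(safe, ("age_band", "area")))
    synth = synthesise(safe, 20)
    print("synthetic rows matching a real (de-identified) row:", overlap(synth, safe))
```

The overlap figure is the practitioner's caveat in numbers: with only two age bands, two areas and two plans there are just eight possible rows, so many synthetic rows will coincide with real ones, which is harmless here only because the real rows have already been generalised to groups of three. Run the same check against the raw records and a non-zero overlap would mean the generator is leaking personal data.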
To recap, the data life cycle traces data from its creation through collection and value creation all the way to deletion. Personal data, privacy, and data protection are topical issues because governments and their citizens are taking them seriously. They are doing so because the data we create tells the story of who we are. Individuals want control and agency over what is known about them and who knows it. It is vital that organisations recognise and respect this. In doing so they not only become compliant, they forge trusting relationships with their customers and consumers. GDPR may be the best-known modern regulation of privacy and data protection, but it will certainly not be the last. Gain control of your data life cycle, and you will be confident about whatever may come.