Privacy – CompTIA Security+ SY0-701 – 5.4

There are many laws and guidelines associated with the data collected by an organization. In this video, you’ll learn about legal implications associated with privacy, data responsibilities, and data inventory and retention.


Our organizations collect a massive amount of data. And there are privacy laws that probably apply to a great deal of this information. In this video, we’ll discuss some of these privacy concerns and how organizations are mandated to protect your data. In many geographies, privacy starts at the local and state level. There’s a great deal of data that’s collected by our local governments, especially information about our homes, our vehicles, and information about medical licensing.

At the national level, we have laws that protect the privacy of everyone in the country. For example, the HIPAA laws regarding health care are a very good example of regulations that affect everyone in one country. And many countries are working together to ensure privacy for all of their citizens regardless of where they live. A good example of a privacy law that affects multiple countries would be the GDPR. This stands for the General Data Protection Regulation. This is a regulation in the European Union that affects privacy for everyone who lives in the EU.

Some of the information that is protected for individuals living in these countries would be name, address, photo, email details, bank information, online social media posts, and much more. The GDPR puts the control of this data back into the user’s hands. And they decide what happens with their personal data. If someone feels that their private information needs to be removed from a website, they can simply request that removal, and the website is required to remove all of their private data.

Putting this back in the hands of the data subject gives them the right to control where their information is. We often refer to this as a right to be forgotten. The GDPR defines a data subject as any information relating to an identified or identifiable natural person. This would effectively be anyone who lives in those particular countries. So anyone who’s interested in protecting their private data, such as their name, their address, their genetic makeup, their location data, or anything else would be considered a data subject. Effectively, all of us are data subjects.

The GDPR and many other privacy laws define data privacy from the data subject’s perspective. This is an important consideration since many privacy laws up to this point put the requirement for privacy on a third party or company instead of the individual. We’ve spoken in an earlier video about the responsibilities associated with data in an organization. But it’s worthwhile to bring this up again in the context of privacy.

We’ll start with the concept of a data owner. This would be an individual who has overall responsibility for the data. For example, if you’re the vice president of sales, you are the data owner for any customer relationship data. And if you are the treasurer of the company, you would be the data owner for all of the financial information associated with that organization. Many organizations also have data controllers and data processors. The data controller is responsible for managing how this data is used. And the data processor is the person who’s actually using the data.

The data processor may be internal within your organization, or you may be using a third party to process that data. For example, we can look at data and how it’s used between a payroll department and a payroll company. The payroll department would be the data controller. They’re the ones that define how much people get paid and when they get paid. They would then hand that information off to a third-party payroll company that actually processes everyone’s paychecks every week.

This relationship means that there’s a great deal of private and personal data that’s being transferred between the data controller and the data processor. And in the case of a third-party vendor, a company might use a non-disclosure agreement to ensure that all of that information remains private.

If a company makes physical products, they tend to have an inventory of those products. The same thing applies to data. A company that stores data has effectively a data inventory. This data inventory is a listing of all of the data that this company collects and stores in their organization. This would include the owner of the data, how often the information is updated, and the format of that data. To properly understand the privacy implications of this data inventory, we need to understand how the data is used.

Internally, we might use this data for collaboration between different projects. IT security may use this data. And we may perform data quality checks on all of the data that we store. When sharing data with a third party that’s not part of our organization, we need to be sure that we’re following all legal guidelines for privacy. So we would need to understand what our data inventory is, understand what type of data that might be, and then make sure that if we’re sharing that information, it all falls within the realm of existing laws and regulations.