Data Privacy Program

Intro & Overview - Data Privacy Program Components

An informative guide on privacy framework components for proactive program management

Introduction

In today's digital age, effective data privacy management is more than a compliance requirement; it is a cornerstone of trust and security in every organization. This guide is designed to demystify the data privacy framework for senior leaders who are not privacy professionals. By understanding the basic elements of this framework, you will be better placed to strengthen your organization's privacy practices and to be ready for audits and regulatory inquiries under regimes such as the GDPR. The guide focuses not only on compliance but on proactive management of the risk of data breaches, which protects your organization from significant financial penalties and reputational damage.

Objective

The objective of this document is to impart essential "tidbits of knowledge" that explain the "why" behind the "what" in your data privacy activities. Drawn from recurring themes in GRC consulting conversations with customers, each section delivers practical, easily digestible insights for navigating the complexities of data privacy under any regulatory framework. The aim is an information privacy management program that is robust and fully operational, so that the monetary costs and reputational harm of data breaches and compliance failures are mitigated and the integrity of your organization is preserved.

Overview of Sections

  1. Actors and Roles: Outlines the different stakeholders in data privacy and their responsibilities.
  2. Interactions: Describes how these actors interact within the framework of data privacy.
  3. Recognizing PII: Explains how to identify Personally Identifiable Information (PII) within your organization.
  4. Privacy Safeguarding Requirements: Discusses the various factors influencing how privacy should be safeguarded, including legal, regulatory, and business considerations.

By the end of this guide, you will have a clear understanding of each component of the privacy framework and how it applies to your role as a leader within your organization. This knowledge will enable you to oversee and support privacy initiatives that align with both regulatory requirements and strategic business goals.



1. Actors and Roles in Data Privacy

Understanding who is involved in the handling of Personally Identifiable Information (PII) is key to managing data privacy effectively within your organization. This section breaks down the various roles to help you grasp their responsibilities clearly and practically, ensuring you can oversee and engage with these processes knowledgeably.

PII Principals: The “Data Subjects”

  • Who They Are: Individuals whose data is being processed. This could be anyone from an employee in your payroll system to a customer whose details are stored for transactions.
  • What They Do: Provide their personal information for processing and, unless the law provides another basis for that processing, control how their data may be used by giving or withholding consent.
  • Why It Matters: Recognizing Data Subjects helps ensure that their data is handled respectfully and in compliance with their preferences and rights.

PII Controllers: The Decision Makers

  • Who They Are: Entities (like your company) that determine why and how personal data is processed.
  • What They Do: Make decisions about data handling practices and are responsible for ensuring these practices adhere to privacy laws and principles. This includes evaluating the sensitivity of the data and implementing appropriate safeguards.
  • Why It Matters: Controllers set the privacy standards and practices for your organization and carry the primary legal responsibility for them, which shapes how trustworthy your business appears to customers, partners, and regulators.

PII Processors: The Handlers

  • Who They Are: Often third-party service providers who process personal data on behalf of controllers.
  • What They Do: Execute data processing tasks as directed by controllers, ensuring that every action meets the stipulated privacy requirements.
  • Why It Matters: Processors must be selected carefully and managed through contracts and oversight, because they carry out the actual data operations on the controller's behalf and so directly affect the security and compliance of the processing.

Third Parties: The External Controllers

  • Who They Are: Any external entities that receive personal data from controllers or processors and then use it under their own management.
  • What They Do: Assume control over the received data, becoming responsible for its handling according to their own privacy policies and practices.
  • Why It Matters: When a third party receives PII, it becomes a new controller of that information, so the transfer must be governed carefully (typically by contract) to ensure continued compliance and protection under the new governance.

Key Takeaway: For senior leaders, understanding these roles ensures you can oversee your organization’s data privacy operations effectively. This awareness is essential not just for compliance, but for maintaining the integrity and trust of your organization, helping you make informed decisions and guide your team across the finish line of audit readiness and beyond.

2. Interactions Among Data Privacy Actors

Understanding how Personally Identifiable Information (PII) flows between different actors, such as data subjects, controllers, processors, and third parties, is essential for managing data privacy effectively. This section explains the various interaction scenarios, providing clarity on each actor's role in the processing and transfer of PII.

Legal Distinctions and Responsibilities

It is crucial to distinguish between PII processors and third parties: when PII is sent to a processor, legal control remains with the PII controller, whereas a third party receiving PII can become a PII controller in its own right, taking full legal responsibility for the data. For example, if a third party decides to transfer received PII onward to another entity, it is acting as a PII controller and assumes all the associated duties and responsibilities.


Possible Flows of PII Among the Data Subject, PII Controller, PII Processor, and a Third Party

This table helps visualize the interactions and responsibilities of different data privacy actors in various common scenarios, aiding in understanding how PII flows within and outside the organization.

Key Takeaway: This overview of interactions among data privacy actors not only clarifies the roles and responsibilities involved in PII processing but also helps you as a leader to oversee and ensure compliant data handling practices within your organization. By understanding these dynamics, you can better manage privacy risks and align with both regulatory requirements and strategic business objectives.

3. Recognizing PII for Data Classification and Handling

Understanding what constitutes Personally Identifiable Information (PII) is fundamental to effectively managing data privacy and ensuring compliance with relevant regulations. This section explains the various aspects that help determine whether information should be classified as PII, providing leaders with the knowledge to make informed decisions about data handling.

General Principles

To determine whether a person could be identified from the information your organization holds, consider all the means reasonably likely to be used, whether by your organization or by any other party with access to the data, to single out that person. Supporting mechanisms in Information and Communications Technology (ICT) systems should inform individuals that their data is being processed and offer them control over its dissemination.

Identifiers

PII is often directly linked to identifiers that clearly point to an individual:

  • Explicit Identifiers: Such as social security numbers, passport numbers, or account numbers that directly refer to a person.
  • Indirect Identifiers: Including elements like geographical locations or telephone numbers, which may also establish a person's identity when linked with other data.

Distinguishing Characteristics

Not all PII is tied to obvious identifiers. Information may be classified as PII if it includes characteristics that uniquely identify an individual:

  • Biometric Data: Unique physical characteristics, such as fingerprints or retina scans, are clear examples of PII.
  • Contextual Identifiers: Information like a person’s name might not uniquely identify them globally but could do so within a more confined setting, such as within a particular company or community.

Examples of attributes that can be used to identify natural persons (for informative purposes only; the list is not exhaustive):

  1. Age or special needs of vulnerable natural persons
  2. Allegations of criminal conduct
  3. Any information collected during health services
  4. Bank account or credit card number
  5. Biometric identifier
  6. Credit card statements
  7. Criminal convictions or committed offenses
  8. Criminal investigation reports
  9. Customer number
  10. Date of birth
  11. Diagnostic health information
  12. Disabilities
  13. Doctor bills
  14. Employees’ salaries and human resources files
  15. Financial profile
  16. Gender
  17. GPS position
  18. GPS trajectories
  19. Home address
  20. IP address
  21. Location derived from telecommunications systems
  22. Medical history
  23. Name
  24. National identifiers (e.g. passport number)
  25. Personal email address
  26. Personal identification numbers (PIN) or passwords
  27. Personal interests derived from tracking use of internet websites
  28. Personal or behavioral profile
  29. Personal telephone number
  30. Photograph or video identifiable to a natural person
  31. Product and service preferences
  32. Racial or ethnic origin
  33. Religious or philosophical beliefs
  34. Sexual orientation
  35. Trade-union membership
  36. Utility bills

Combination of Attributes

A single piece of data might not always be PII, but a combination of several non-unique data points can become PII:

  • Composite Identifiers: The aggregation of attributes such as age, profession, and gender could uniquely identify someone in a specific context, making this combination PII.

Pseudonymous Data

Pseudonymization is a process where identifying fields within a data set are replaced with artificial identifiers or pseudonyms:

  • Limited Identifiability: Pseudonymization reduces the linkability of a data set to an individual, but only as long as the additional information that reverses it (the key or the mapping table) is held separately and protected. Because that information still exists, pseudonymized data retains potential linkability and must be handled as PII; under the GDPR it is explicitly still personal data.
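The two points above, that a combination of individually harmless attributes can single out one person and that pseudonymized data stays linkable for whoever holds the key, are easiest to see on concrete records. The following Python script is an added example and is not part of the original guide; the six records, names, e-mail addresses and the key are all constructed for illustration. It computes how many records share each combination of quasi-identifiers (age, gender, profession, ZIP), shows that replacing only the name and e-mail with keyed pseudonyms leaves every record just as unique, that coarsening the quasi-identifiers is what actually reduces identifiability, and that anyone holding the key can map the pseudonyms back to the original e-mail addresses.

```python
# Added example (not from the original guide): measuring whether a combination of
# quasi-identifiers singles out individuals, and pseudonymizing direct identifiers
# with a keyed hash. All records, names, e-mails and the key below are constructed
# for illustration only.
import hashlib
import hmac
from collections import Counter

# Constructed sample data set: six fictional records.
RECORDS = [
    {"name": "Ana Rivera", "email": "ana.rivera@example.com", "age": 34, "gender": "F", "profession": "nurse", "zip": "02139"},
    {"name": "Bea Okafor", "email": "bea.okafor@example.com", "age": 38, "gender": "F", "profession": "nurse", "zip": "02138"},
    {"name": "Carl Meyer", "email": "carl.meyer@example.com", "age": 52, "gender": "M", "profession": "engineer", "zip": "02139"},
    {"name": "Dan Silva", "email": "dan.silva@example.com", "age": 57, "gender": "M", "profession": "engineer", "zip": "02134"},
    {"name": "Eli Brandt", "email": "eli.brandt@example.com", "age": 29, "gender": "M", "profession": "teacher", "zip": "10001"},
    {"name": "Finn Cole", "email": "finn.cole@example.com", "age": 25, "gender": "M", "profession": "teacher", "zip": "10002"},
]

DIRECT_IDENTIFIERS = ("name", "email")
QUASI_IDENTIFIERS = ("age", "gender", "profession", "zip")

# Assumed secret used to derive pseudonyms. In practice this is the "additional
# information" that must be stored separately from the pseudonymized data set.
KEY = b"demo-pseudonymization-key"


def equivalence_classes(records, quasi=QUASI_IDENTIFIERS):
    """Count how many records share each combination of quasi-identifier values."""
    return Counter(tuple(r[q] for q in quasi) for r in records)


def k_anonymity(records, quasi=QUASI_IDENTIFIERS):
    """Smallest group size k; k == 1 means some combination singles out one person."""
    return min(equivalence_classes(records, quasi).values())


def unique_combinations(records, quasi=QUASI_IDENTIFIERS):
    """The quasi-identifier combinations that match exactly one record."""
    return [combo for combo, n in equivalence_classes(records, quasi).items() if n == 1]


def generalize(records):
    """Coarsen quasi-identifiers: age to a decade band, ZIP to its first three digits."""
    out = []
    for r in records:
        g = dict(r)
        decade = (r["age"] // 10) * 10
        g["age"] = f"{decade}-{decade + 9}"
        g["zip"] = r["zip"][:3]
        out.append(g)
    return out


def pseudonym(value, key=KEY):
    """Keyed pseudonym: HMAC-SHA256 of the value, truncated to 16 hex characters.
    The same input under the same key always yields the same pseudonym."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def pseudonymize(records, key=KEY, direct=DIRECT_IDENTIFIERS):
    """Replace direct identifiers with pseudonyms; quasi-identifiers are left untouched."""
    out = []
    for r in records:
        p = dict(r)
        for field in direct:
            p[field] = pseudonym(r[field], key)
        out.append(p)
    return out


def relink(pseudonymized, candidates, key=KEY, field="email"):
    """Whoever holds the key and a list of candidate values can map pseudonyms back
    to people. Returns {pseudonym: original_or_None}; with the wrong key every
    value is None, which is why the key must be kept apart from the data."""
    table = {pseudonym(v, key): v for v in candidates}
    return {p[field]: table.get(p[field]) for p in pseudonymized}


if __name__ == "__main__":
    print("k on raw quasi-identifiers:", k_anonymity(RECORDS))  # 1
    print("combinations matching one person:", len(unique_combinations(RECORDS)))  # 6
    pseudo = pseudonymize(RECORDS)
    print("k after pseudonymizing name and e-mail only:", k_anonymity(pseudo))  # 1
    print("k after generalizing quasi-identifiers:", k_anonymity(generalize(RECORDS)))  # 2
    emails = [r["email"] for r in RECORDS]
    print("re-linked with the key:", relink(pseudo, emails)[pseudo[0]["email"]])
    print("re-linked with a wrong key:", relink(pseudo, emails, b"wrong-key")[pseudo[0]["email"]])
```

The keyed HMAC is used instead of a plain hash because a plain SHA-256 of an e-mail address can be reversed by anyone who can enumerate likely addresses; with the HMAC, only the key holder can build that lookup table. Note that pseudonymization by itself does not change k: the records still have unique quasi-identifier combinations, so they remain PII.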

Metadata and Unsolicited PII

  • Metadata: Information stored in ICT systems that is not immediately visible, such as document metadata recording an author's name or user account, must be treated as PII wherever it identifies a person.

  • Unsolicited Information: Information not explicitly requested but received (e.g., through an unsolicited email) must be managed with privacy considerations to avoid unintended data collection.

Sensitive PII

Understanding what is considered sensitive PII is crucial due to its potential impact on privacy:

  • Inferred Sensitive Information: Certain data, like medical prescriptions, might reveal sensitive information about a person’s health or other personal attributes.
  • Regulatory Definitions: Jurisdictions may have specific definitions and handling requirements for sensitive PII, influencing how this data should be processed and protected.

Key Takeaway: Recognizing PII is not solely about compliance but about protecting individuals' privacy and maintaining their trust in how their data is handled. By understanding the nuances of what constitutes PII, leaders can ensure their organizations implement the necessary controls and maintain a high standard of data privacy.

4. Privacy Safeguarding Requirements

Protecting Personally Identifiable Information (PII) is not just about compliance; it's a multifaceted responsibility that encompasses legal, contractual, business, and personal aspects. This section provides an overview of the different factors that influence the privacy safeguarding requirements relevant to an organization or any privacy stakeholder processing PII. Understanding these requirements helps leaders ensure their organizations not only comply with laws but also uphold a standard of ethical responsibility and maintain public trust.

General Principles

Organizations protect PII for several key reasons:

  • Privacy Protection: Safeguarding the personal privacy of PII principals.
  • Legal Compliance: Adhering to applicable legal and regulatory frameworks.
  • Corporate Responsibility: Upholding ethical standards and corporate governance.
  • Consumer Trust: Building and maintaining trust with customers and clients.

Aspects of PII Processing

Privacy safeguarding requirements encompass various aspects of data management:

  • Collection and Retention: Ensuring that PII is collected and stored in compliance with privacy principles and regulations.
  • Transfer to Third Parties: Managing how PII is shared with other entities and under what conditions.
  • Contractual Relationships: Understanding agreements that dictate terms between PII controllers, processors, and third parties.
  • International Transfers: Addressing additional complexities when PII crosses national boundaries.

Design and Implementation

Before implementing any ICT system that processes PII, it's essential to identify all relevant privacy safeguarding requirements. This proactive approach ensures that any new or substantially modified system addresses privacy implications from the outset, aligning with broader risk management strategies.

Risk Management in Privacy

Privacy risk management is a critical part of organizational risk control processes, involving:

  • Establishing Context: Understanding the technical and operational environment where PII is processed.
  • Risk Assessment: Identifying and evaluating risks that could negatively affect PII principals.
  • Risk Treatment: Implementing privacy controls to mitigate identified risks.
  • Communication and Consultation: Engaging with interested parties to refine risk management processes.
  • Monitoring and Review: Continuously tracking risks and improving privacy controls.

Legal and Regulatory Factors

  • Sources: Privacy laws (international, national, local), regulations, judicial decisions, and labor agreements.
  • Implications: PII controllers must work with legal experts to ensure full compliance and proactive engagement in privacy safeguarding.

Contractual Factors

  • Agreements: Contractual obligations stemming from business relationships dictate specific privacy requirements.
  • Company Policies: Internal policies and corporate rules often establish baseline privacy standards.

Business Factors

  • Application-Specific Needs: The type of business and the context of PII use influence the privacy safeguards needed.
  • Industry Practices: Sector-specific guidelines and standards inform tailored privacy approaches.

Other Influencing Factors

  • Individual Preferences: Understanding the privacy expectations and concerns of PII principals is crucial. Systems should accommodate, as far as possible, individual preferences for how their PII is managed.
  • Technical Standards: Adherence to voluntary standards and internal controls can also shape privacy safeguards.

Key Takeaway: For leaders, understanding these diverse factors enables a holistic view of privacy management that goes beyond legal compliance. It means embedding privacy into everyday organizational practice, fostering a culture of trust and responsibility. By understanding and addressing the various dimensions of privacy safeguarding, organizations not only protect PII but also strengthen their reputation and reliability in the digital age.