Data, and how companies retain and use personal information, seems to be constantly in the headlines of late, so in this edition of our monthly Jargon Buster we will be looking at some keywords you may have come across. Globally, data protection regulations such as the GDPR govern data processing and security but change frequently; activities such as conducting a Data Protection Impact Assessment (DPIA) provide a thorough assessment of the risks associated with a data project.

Read on to discover more on legitimate processing, data retention, profiling and more.



Legitimate processing

The GDPR sets out that the processing of personal data must comply with a set of principles. For example, it must be based on the individual's consent and must be necessary for performing a task in an agreed contract or a task for the public interest. This is why, as an end-user, you may see cookie banners asking for your consent, and cookie preference panels with categories such as "strictly necessary" and "performance" cookies. While this may seem simple, many questions remain and require careful thought. For example, what is the definition of "necessary"? Is data processing permitted on the grounds of the legitimate interest of third parties? Can special categories of personal data such as social security numbers be collected and processed the same way?

Data retention

There has been much discussion on whether certain data is collected and processed in politics, yet not much is said about the length of time data is retained. However, imagine the risks of someone resurfacing the embarrassing tweet that you deleted ten years ago because of a company's policy of long, persistent retention! Data policies in many companies now contain information about data retention; however, most are limited and incredibly varied depending on the type and source of the collected data. Instagram, for example, stated that government-issued ID and search history are deleted within a defined period of time, although generally data is stored until "it is no longer necessary to provide our services and Facebook Products, or until your account is deleted - whichever comes first."


Profiling

Profiling refers to any form of automated processing of personal data to evaluate a human being and analyse their behaviour, personal preferences, movements, etc. Apart from the user preferences that could be collected with explicit consent, companies could collect information such as 'likes', 'comments' and how long users watch videos in order to profile them. Cambridge Analytica profiled Facebook users particularly by analysing their behaviour towards political advertisements. Based on this profiling, they were able to gain information that users may not even know about themselves.


Anonymisation

Anonymisation is the process of making it computationally difficult to identify data subjects from the data. It is governed by the GDPR, with additional guidance from the European Data Protection Board. Broadly speaking, the two different approaches to anonymisation are randomisation and generalisation. Methods such as noise addition and permutation could add varying levels of robustness.

Data Protection Impact Assessment (DPIA)

The DPIA is a thorough assessment of data processing and the associated data protection risks in a project. Not only is this important for compliance, but it is also a good opportunity to consider whether processing has the potential for any significant social or economic disadvantage. It is required when data processing is likely to result in a high risk of harm to individuals. Several assessments must be made under the DPIA, and once risks are identified, they must be mitigated.
