
Identifying personal data
Top 3 data protection program issues and how to start resolving them: #17
It's a fundamental task for any data protection professional.
The concept of ‘personal data’ is very broad, and that breadth is often not appreciated.
I personally prefer to use the term ‘data about people.’
Your compliance journey will be a rocky one if this key definition is not understood.
With a client a couple of years back, we discovered a quality issue with DPIAs.
We could see from documentation shared with us that the people tasked with performing the assessments did not grasp the broadness of ‘personal data’ in their processing context.
A common root cause of this lack of understanding is the #1 issue:
#1 Generic education
The definition mentioned in the graphic needs to be broken down, and the 2007 WP29 document contains a useful 4-step model with examples that will help facilitate the process.
The document is a good starting point, but further analysis is required.
There could be a time element involved. One minute, an item is non-personal data; then an event occurs and the item becomes personal data.
For example, a list of IMEI numbers for a batch of new, unboxed smartphones becomes personal data once the devices are allocated to employees.
Education needs to cover the processing context.
There’ll be different contexts depending on whether it’s HR, Finance or hyper-personalisation, for example.
#2 Classification of personal data
Here, we’re far from those common examples often shown in generic education: name, email, bank details, date of birth, etc.
Categorising personal data based on origin also throws up some interesting challenges, especially from a risk perspective.
The risks may arise from a lack of transparency about the unexpected consequences of processing.
A document was published by the IAF almost 10 years ago that covers personal data that is provided, observed, derived or inferred.
Worth a read!
#3 Unaware of proxy data
Closely related to #2, but slightly different IMHO, are seemingly innocuous personal data that act as proxies for sensitive categories like gender, religion, ethnicity, political views, etc.
It could be an earring, a tattoo, a headscarf.
It could be somebody's first name.
The recent CJEU case from Lithuania and the Grindr case from Norway are good examples, and some companies hastily had to re-evaluate their classification schemes.
Depending upon your processing context, proxy data could be a significant issue you need to be aware of and address.
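The three issues above share one mechanical point: whether a record is ‘data about people’ depends on what it can be joined to and on what its fields can reveal, and that answer changes when the context changes. The following is an added illustration written for this post, not code from the original post or from Purpose and Means. It models a small data inventory in which datasets are linked by join keys, walks those links to decide whether a dataset is personal data, and flags proxy fields. The dataset names, field names, origin labels and the idea that a device allocation event creates a join link are all constructed assumptions for the example; it is not a real inventory or a product's logic.

```python
"""Toy data-inventory classifier (added example, not from the original post).

A dataset counts as 'personal' when it holds a direct identifier itself or can
be joined, possibly through several hops, to a dataset that does. Fields that
may reveal a special category (proxy data) are flagged separately.
"""
from collections import deque
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class Field:
    name: str
    origin: str                       # provided / observed / derived / inferred
    direct_identifier: bool = False   # identifies a natural person on its own
    proxy_for: Optional[str] = None   # special category the field may reveal


@dataclass
class Dataset:
    name: str
    fields: List[Field]
    joins_to: Set[str] = field(default_factory=set)  # datasets sharing a join key


class Inventory:
    def __init__(self):
        self.datasets = {}

    def add(self, ds: Dataset):
        self.datasets[ds.name] = ds

    def link(self, a: str, b: str):
        """Record that datasets a and b can be joined (e.g. an allocation event)."""
        self.datasets[a].joins_to.add(b)
        self.datasets[b].joins_to.add(a)

    def identifying_path(self, name: str) -> Optional[List[str]]:
        """Breadth-first search from `name` to any dataset holding a direct
        identifier. Returns the join path, or None if no such path exists."""
        queue = deque([[name]])
        seen = {name}
        while queue:
            path = queue.popleft()
            ds = self.datasets[path[-1]]
            if any(f.direct_identifier for f in ds.fields):
                return path
            for nxt in sorted(ds.joins_to):
                if nxt not in seen:
                    seen.add(nxt)
                    queue.append(path + [nxt])
        return None

    def classify(self, name: str) -> dict:
        ds = self.datasets[name]
        path = self.identifying_path(name)
        return {
            "dataset": name,
            "personal": path is not None,
            "via": path,
            "origins": sorted({f.origin for f in ds.fields}),
            "proxy_fields": [(f.name, f.proxy_for) for f in ds.fields if f.proxy_for],
        }


def device_allocation_scenario():
    """Constructed scenario: a stock list of IMEIs is classified before and
    after the devices are allocated to employees. Returns (before, after)."""
    inv = Inventory()
    inv.add(Dataset("device_stock", [
        Field("imei", "provided"),
        Field("model", "provided"),
    ]))
    inv.add(Dataset("device_assignment", [
        Field("imei", "provided"),
        Field("employee_id", "provided"),
    ]))
    inv.add(Dataset("hr_master", [
        Field("employee_id", "provided", direct_identifier=True),
        Field("full_name", "provided", direct_identifier=True),
        # Constructed proxy fields: a first name or a badge photo may reveal a
        # special category even though neither is classified as sensitive.
        Field("first_name", "provided", proxy_for="ethnic or religious origin"),
        Field("badge_photo", "observed", proxy_for="religion (e.g. headscarf)"),
    ]))
    before = inv.classify("device_stock")["personal"]   # unboxed stock: not personal
    inv.link("device_stock", "device_assignment")       # allocation event happens
    inv.link("device_assignment", "hr_master")
    after = inv.classify("device_stock")                # now reachable to a person
    return before, after, inv.classify("hr_master")


if __name__ == "__main__":
    for item in device_allocation_scenario():
        print(item)
```

The classifier deliberately treats linkability as the test rather than the field name: `imei` never changes, only the inventory around it does, which is the time element described above. In a real inventory the join links would come from schema metadata or a data catalogue rather than being added by hand.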
Purpose and Means help Data Protection Leaders refresh their work focusing on business alignment and orchestration.
We’re based in Denmark, but operate globally.
If this issue resonates, book a call to discuss your requirements!
