Information Governance: Challenges Of Big Data Privacy Compliance
Why Read This Document
As it becomes the norm for organizations to utilize big data, requirements for the protection of personally identifiable information (PII) cannot be forfeited. This paper addresses the challenges and provides recommendations for remaining compliant with rules and regulations pertaining to PII. In doing so, it describes the need for identification of PII data, the corresponding privacy rules and regulations, the challenges faced in compliance, and the use of Information Governance to successfully navigate the PII through the business while maintaining compliance.
Recognizing, preparing, and incorporating the PII data life cycle into an information governance program gives businesses the capability to successfully leverage their PII data, identify areas that require enhanced security, and remain in compliance with laws and regulations that apply to PII.
Examples of PII include:
- Social Security Number
- Passport Number
- Driver’s License
- Sensitive financial information, such as payment card data (PCI)
- Sensitive medical information (personal health information, PHI)
Today, more companies than ever use “big data.” This data can vary widely, come from numerous sources, both internal and external, and may include data that is monetized. As recently stated by Daniel Gillick, the Senior Research Scientist at Google, “Big data represents a cultural shift in which more and more decisions are made by algorithms with transparent logic, operating on documented immutable evidence.” As expressed, businesses can use their data not only to make better decisions but also to add real value to their company. The data can allow for predictive modeling, targeting specific consumers, optimizing business processes, identifying bad actors and even streamlining supply chains. Big data can have altruistic contributions too, such as advancing scientific research, improving security, improving infrastructure and utility processes, and more.
With the accumulation of data, businesses are now responsible for recognizing when they have collected, or are going to collect, “personally identifiable information” (PII). PII is information specifically about an individual that can reveal or trace their identity, associate them with private information, or distinguish them from other people. PII data can be subject to laws by federal agencies, individual states, other countries, or regulations issued by specific industry organizations.
The use of Information Governance (IG) should be compulsory in the management of a PII data life cycle, as well as for the strategy to balance the risk and value elements of information created and received by an organization. PII touches almost all aspects of any business and the business must have the ability to recognize it; collect, maintain and utilize it safely and legally; store it and dispose of it securely; and access it for legal, customer or citizen request reasons.
As stated previously, incorporating the requirements related to PII data into an Information Governance program gives the business the capability of meeting its operational and regulatory requirements. The business needs to see the “big picture” in order to address all related areas. A taxonomy approach, meaning a hierarchical classification of the elements involved, will help to achieve this goal, particularly with global big data. Of course, in today’s corporate environment, with data used across several departments or business lines of the company, flexibility in the hierarchy must be accounted for.
The location of the business and the location of the data subjects whose PII is collected are the main factors in determining all other requirements. Laws and regulations regarding PII vary widely between countries, states, provinces and industries. That is to say, in one country or state the location of the Data Controller may be a determining factor, while in another it relies on the location of the citizens whose PII is collected. For example, in the United States, the state that the Data Controller and/or Data Processor is in may determine data protection or data disposal laws; however, if a data breach were to happen, applicable laws are based on the location of the affected individuals. This could mean there are multiple states expecting their own rules to be followed when reporting the breach or notifying their residents.
Iron Mountain describes IG as “the multi-disciplinary enterprise accountability framework that ensures the appropriate behavior in the valuation of information and the definition of the roles, policies, processes, and metrics required to manage the information lifecycle, including defensible disposition.” The diagram above illustrates the functional areas that are, or should be, responsible for the overall governance of information in an enterprise. Managing PII may focus the needs on more specific areas, depending on the type of business and PII collected, but still requires involvement of all the areas shown.
The prevalent challenge for big data is the ability to properly identify and classify the PII data, determine what rules and regulations apply, and then ensure compliance.
If the organization is global, another set of challenges will arise, as a determination needs to be made on what laws from other countries, unions or regions, or associations apply. Due to the rush by these governing entities to avoid any disruptions in their international trading and business transactions, as well as to protect their citizens’ data, the laws and rules have been in a constant state of flux. For example, until recently, South Africa had no data protection regulations; however, 2014 marked the rollout of its Data Protection Act. The European Union (EU) is close to finalizing its new “General Data Protection Regulation” (GDPR), which will be applicable to anyone that controls or processes data of any EU citizen, regardless of their location, and recently, multiple countries, including the United States, have agreed to follow standards under APEC’s Cross Border Privacy Rules (CBPR).
Once the location and overall applicable laws and regulations have been identified, the type or classification of the business determines further legal requirements. A determination of what is considered PII must be made and the life cycle of the PII established in order to meet requirements. That life cycle is then applied to the organization while still utilizing and gaining the wanted benefits from the PII collected.
The business must determine the appropriate tools, infrastructure, management and workforce required to control and regulate the data throughout its lifecycle. If the organization does not already have an Information Governance program, it is recommended, as it will guide the business in determining those needs and allow the entirety of the PII data’s requirements to be incorporated.
Information Governance has more uses than just managing PII. It can be used to establish a strategy for critical or proprietary data an organization must control such as product designs, contracts, account details, and processes. The data may be mined for its value, but all the requirements of compliant management of that data must also be realized and configured within the workings of the company. Questions to ask about the data include:
- What systems are needed to access, use and manage it?
- How and where is it obtained?
- Are there legal requirements?
- How is it maintained?
- Is it secure from internal and external threats?
- Will it be sold or shared with a third party?
- Will it be retained for possible future use or disposed of when no longer required?
- What risks are involved?
The same questions will be asked when evaluating PII; it is a life cycle of data. Using a taxonomy approach, these questions should be answered for each aspect of the PII and the path to make that happen established. Use the Information Governance diagram shown earlier to assist in mapping the PII through its cycle as it moves through the organization.
The following are sets of questions and information to help map the requirements and data life cycle of PII.
Location and Classification
As described previously, the location of the Data Controller, Data Processor, and data subjects can all play a part in rules and regulations applicable to the PII. Ask the following questions when determining what laws are applicable:
- Where is the Data Controller (the entity that owns the PII) located?
- Is the data utilized by the Controller in additional locations?
- Is the data processed by a different entity (a Data Processor) or shared with a third party? Where is their location?
- Where are the data subjects located?
- Will the PII of the data subjects stay in their location or be sent elsewhere? Out of country?
Organizations may have additional regulations to follow based on the type of business they are. A business industry classification is a way of identifying a business by its main activity. For the purpose of PII rules and regulations, this is an overall classification. Some examples include:
- Financial and Banking
- On-line activities/applications
- Payment card processing
- Is the business the Controller of the data, or a Processor or third party?
- Is the business any type of governmental agency, state or province agency?
- What type of data, exactly, does the business collect or receive? Start with large categories and then classify each category of the information.
- What types of data, specifically, are in each category?
  - Is any of the information sensitive PII? (This will be described in the relevant law if it applies. It is usually considered medical information, religion, racial or ethnic origin, etc.)
  - Can any of the data be considered PII or sensitive PII once combined? (A common factor overlooked is data that is collected from different sources as non-PII or even anonymous data, but once put together, the data may need to be reclassified.)
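The reclassification-once-combined point above is easy to miss in practice, so here is an added example (not from the paper) of a small classifier that applies per-field levels and combination rules to the schema of a record; the taxonomy tables, field names and combination rules in it are constructed for illustration, not taken from any statute.

```python
"""Classifying collected fields as PII, including combinations of fields.

Added example, not from the paper. FIELD_LEVELS and COMBINATION_RULES are a
constructed, simplified taxonomy for demonstration; a real one is derived from
the laws that apply to the business and its data subjects.
"""
from dataclasses import dataclass
from enum import IntEnum


class Level(IntEnum):
    NON_PII = 0
    PII = 1
    SENSITIVE_PII = 2


# Constructed per-field levels. Fields absent from this table are treated as
# non-PII on their own (e.g. zip code, birth date, gender, page views).
FIELD_LEVELS = {
    "ssn": Level.PII,
    "passport_number": Level.PII,
    "drivers_license": Level.PII,
    "card_number": Level.PII,
    "diagnosis": Level.SENSITIVE_PII,
    "religion": Level.SENSITIVE_PII,
    "ethnicity": Level.SENSITIVE_PII,
}

# Constructed combination rules: fields that are harmless alone but identify a
# person once they appear together in one record.
COMBINATION_RULES = {
    frozenset({"zip", "birth_date", "gender"}): Level.PII,
    frozenset({"device_id", "home_zip", "employer"}): Level.PII,
}


@dataclass(frozen=True)
class Classification:
    level: Level
    reasons: tuple  # why the level was assigned, for the governance record


def classify(fields):
    """Return the highest level any field, or combination of fields, triggers."""
    fields = frozenset(fields)
    level = Level.NON_PII
    reasons = []
    for name in sorted(fields):
        field_level = FIELD_LEVELS.get(name, Level.NON_PII)
        if field_level > Level.NON_PII:
            reasons.append(f"{name} is {field_level.name} on its own")
            level = max(level, field_level)
    for combo, combo_level in COMBINATION_RULES.items():
        if combo <= fields:  # every field of the combination is present
            reasons.append("+".join(sorted(combo)) + f" together is {combo_level.name}")
            level = max(level, combo_level)
    return Classification(level, tuple(reasons))


def merge_sources(*schemas):
    """Field set of a dataset built by joining several sources on one subject."""
    return frozenset().union(*schemas)


if __name__ == "__main__":
    web_logs = {"zip", "birth_date", "page_views"}  # non-PII on its own
    survey = {"gender", "page_views"}               # non-PII on its own
    print(classify(web_logs).level.name, classify(survey).level.name)
    print(classify(merge_sources(web_logs, survey)))  # becomes PII once joined
```

The `reasons` tuple is what a governance record needs to keep: it shows which field or combination forced the classification, so the decision can be defended later.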
Related Privacy Rules and Regulations
In the U.S., there is no single, comprehensive national law regulating the various elements of personal data and its use. United States laws are tailored to specific industries, types of information, or a particular subject. Federal laws, state laws, and industry regulations can overlap or preempt one another, which necessitates knowing the business’ industry classification.
Depending on the classification of the business and what types of PII are collected, what agencies may have rules applicable to the business?
In the U.S., some defining federal agencies include, but are not limited to:
- Federal Trade Commission (FTC)
- Office for Civil Rights in the Department of Health and Human Services (HHS)
- Equal Employment Opportunity Commission (EEOC)
- Department of Education (DOE)
- Consumer Financial Protection Bureau (CFPB)
- Federal Communications Commission (FCC)
- Department of Homeland Security (DHS)
- Internal Revenue Service (IRS) (and Financial Crimes Enforcement Network)
- Department of Transportation (DOT)
- Some of these agencies have rules that can be preempted by state legislation enacting stricter regulations.
- Check every state that the business is located in, and the states where the data subjects are located.
- If data is sent or received out-of-country, a determination of applicable laws is required. The country may have one comprehensive law or be specifically tailored such as in the United States. Remember that the country might also be part of additional organizations that impact the applicable regulations. For example, a business located in California that wants to do business in Japan may need to comply with California’s laws, Japan’s “Act on the Protection of Personal Information (‘APPI’)” laws, conditions established through the Asia Pacific Economic Council (APEC)’s Cross Border Privacy Rules (CBPR) that both the US and Japan have agreed to, plus any additional laws specific to the location or business classification.
- Many times, laws will differentiate between the Controller, the Processor, or possible other third parties.
- Different laws may apply if you are a governmental agency, state agency, or other regulatory groups.
Common elements of data protection laws may involve notice, consent, retention (transient v. long term), processing/third parties, transferability, data subject requests, erasure, disposal, breach reporting, and consumer notification requirements.
Depending on applicable laws, each of these may have a vital role in how a business collects data and then retains, distributes, or disposes of it. Many governments and agencies, including those of our own, have been taking a more active role in confirming compliance and issuing penalties accordingly.
Following is a description of PII elements that need to be addressed and then configured into how the organization will achieve compliance with them.
Notice
- The California Online Privacy Protection Act (CalOPPA) applies to any business that may have an app or website that may target citizens of California.
Other notices may require the user to specifically “opt-in.”
Take Away: Know not only the laws of the business’s location, but those for the location of the data subjects as well. Notices may need to explain the type of data or information you collect, how you collect it and how you intend to use it. In cases of “opt-in” notices, the business may need to store the approvals should they be audited or investigated. Laws may dictate the length of time to hold approval.
Consent
Much like “notice,” consent is obtaining the permission of the data subject in order to use their data. Consent is a requirement under HIPAA in the U.S. and in obtaining and using credit reports (opt-in), but in almost all other cases, an opt-out system is used, such that if the data subject does not object or “uncheck” a box, their consent is assumed.
In the EU and other countries, only an opt-in or unambiguous consent is permitted. The EU’s upcoming GDPR proposes “explicit” consent in almost all cases. In addition, the data subject may withdraw their consent at a later date and/or request that the information captured be transferred to a different entity, as may be the case with insurance companies.
Additionally, if the Controller passes the data to a Processor or third party that may utilize the data for purposes other than those that were originally consented to, additional consent may be necessary.
Take Away: Determine if consent is required, how it is to be received per regulations, and if that consent must be stored to prove compliance. Determine if consent must be explicit. If consent may be withdrawn, the business’ system capabilities must account for not only the withdrawal, but removal or transfer of the data that was captured with the consent originally. Make sure the consent matches the use of the data.
Data Subject Requests with Transferability and Erasure
Many laws and regulations, both in the U.S. and abroad, allow for a data subject to request a copy of the records or information that have been collected specifically about them. The request generally must be in writing and proof of identity established. Most companies are allowed to charge a nominal fee. Some laws, particularly in the EU, have established time limits for the provision of the information to the data subject. If the Controller is unable to provide the data subject with the information, they must issue a written letter giving the reasoning for the decision. The data subject generally has the right to take the matter to court if not satisfied with the response. The provision of the information may also fall under a Freedom of Information Act if such has been passed for agencies in a governmental capacity.
Over the past several years, particularly due to court cases in the EU involving Facebook and Google, the “right to be forgotten” has been incorporated into upcoming regulations. For example, the upcoming EU GDPR not only allows a data subject to receive a copy of their records, but also to withdraw their consent and request that all records in relation to them be erased. In some cases, such as with insurance companies, the data subject may possibly request their information to be transferred to a new carrier.
Take Away: Businesses need to have the capability to not only track consent, but to retrieve the corresponding data and provide it to the data subject, erase the data, or transfer it.
Retention (Transient V. Long Term)
In the past, retaining data for long periods of time past its retention rule requirement was not an issue. Today, however, with breaches making headlines every day, the way personal data is stored and the length of time it is kept are dictated in any number of laws.
Laws of this kind are being made at country, federal agency, and state levels, and could be divided under two major categories: “communications” data, which could be considered traffic monitoring, telephone calls, email messages, on-line monitoring, etc., and then everything else, which we will call “regular” data.
The U.S. does not currently have a blanket retention law, although numerous bills have been put through Congress in this regard. Currently, individual communication companies may delete or retain personal data as they see fit; however, companies that do maintain communications data have been mandated on a consistent basis to turn the information over to government agencies under court order. This issue is still under debate and any company that may have communications data should pay particular attention to this area.
Global businesses need to investigate each of their locations for retention laws, as they vary and are constantly changing. Countries such as Australia, New Zealand, and the EU have issued blanket retention laws that range from 6 months to over two years, but not everyone agrees with them. The EU issued a Data Retention Directive in 2006, which was adopted by multiple member states; however, some member states, such as Ireland and the Netherlands, have declared it unlawful.
Individual states and regulatory agencies also issue laws regarding retention of data in relation to PII and sensitive PII. Although most retention laws simply state the data should only be retained for the amount of time it is relevant to the processing and use of the data, other laws are specific. Arizona’s statutes, for example, give detailed instructions on computer system security requirements, encryption, and length of retention for records separated by government, medical, court, historical, etc.
Take Away: Businesses need to investigate retention laws in all of their locations to ensure compliance, while keeping in mind their business industry classification may dictate which rules to follow.
Safe and effective data retention services can assist companies in effectively meeting the requirements and providing backup or replication services to avoid disaster.
Disposal
As with “retention,” a multitude of laws have been passed globally regarding the manner in which disposal or destruction of data takes place. Over 30 U.S. states have passed disposal laws that address electronic and/or paper data records. The state laws do not always apply to specialty areas which may have their own requirements, such as HIPAA for medical records or the Gramm-Leach-Bliley Act (GLBA) for financial records.
The laws may also address the use of third party vendors qualified to complete the disposal for businesses, and may require the business to first investigate and confirm that the third party is reputable. Many third party disposal vendors are knowledgeable of the laws and may help a business to meet the requirements necessary.
Take Away: Determine what disposal laws affect the business. If the business is wary of completing the disposal themselves, they may hire competent third party vendors.
Breach Reporting and Consumer Notification
Globally, breach reporting and consumer notification laws are being passed on a consistent basis. These laws involve a number of steps, reporting authorities, time limits, and specific information required to be incorporated in notification letters. Like a fingerprint, the rules have varied in every country or state, and careful attention must be paid to each detail.
When investigating which laws are applicable to the business, keep the following in mind:
- What constitutes a breach? Address applicability to paper or electronic records or both, what constitutes PII, encryption requirements and harm thresholds.
- To whom does it need to be reported? What are the thresholds for reporting? Are there time limits?
- Who is responsible to report?
- What is required to be in the notification?
- Are there time limits?
- Are there exceptions?
- Does the business need to supply a special service?
- How may the notice be sent?
The breach and notification requirements are not always applicable based solely on the business’ location. For example, if the business is located in Oregon, but has customers in California and Washington, they need to follow the laws and give notice according to the laws of those states. In the EU, the upcoming GDPR specifies requirements, but each member state has stricter laws.
Take Away: Investigate the laws applicable to every business location, in addition to the location of the business’ customers to determine requirements.
Processing and Third Parties
Many businesses that own and control the data (Data Controller) utilize other companies to hold or process the data (known as Processors), or the Controller may share the data with third parties. In almost all cases, the Data Controller is ultimately responsible for the safety of the personal data, and if necessary, for breach reporting and consumer notification. This is true in the U.S. and globally.
A business, (either as the Controller, Processor or third party), should be aware of laws requiring the following, and determine who is ultimately responsible:
- Obligation to protect or guarantee protection of PII data within a written contract;
- Consent, transferability, erasure, retention, disposal, and other elements of PII data life cycle management;
- Breach reporting and consumer notification; and
- Allowance of governmental agencies to obtain the PII under court order.
Take Away: It is advisable to thoroughly spell out the requirements and obligations per the applicable laws for each business entity involved and bind them to those requirements in a written contractual agreement.
Chief Privacy Officer
The requirement for a Chief Privacy Officer (CPO) has become prevalent in many countries. This position is also referred to as Compliance Officer, Data Protection Officer, Chief Privacy Officer, and so on. This position is responsible for examining, evaluating, and investigating conformity with laws and regulations, instituting privacy policies and procedures and ensuring employees follow them, performing analysis activities necessary for risk assessment, and obtaining permits and authorizations as necessary for business. The CPO is the main contact in any privacy related issue and works closely with IT personnel.
Many companies have given “privacy” concerns to their IT departments; however, most IT technicians are trained to focus on the security for privacy, not the laws and regulations that are applicable to PII data.
The upcoming EU GDPR may require a Data Protection Officer be assigned if the company meets certain criteria. It is undetermined at this time what the exact criteria are, but proposals have ranged from the number of employees (250) to the number of data subjects a business processes information on (5000).
Take Away: Regardless of a CPO requirement by law, businesses today would greatly benefit from this position. Rules and regulations are complex and should be handled by someone trained to do so.
Challenges facing big data in relation to laws and regulations issued for the protection of PII are many and are applicable to countries around the globe. Each enterprise must determine what classification of business they fit into and ensure they address laws that have been issued at a federal, state, and industry level, in addition to any other countries they may do business in.
Once the business knows which laws are applicable, they need to bring their business into compliance and then maintain that compliance. Compliance can be achieved using Information Governance to ensure that PII data and the compliance documentation that goes with it are not lost within their own system. Systems must be versatile in order to meet the demands of data subjects and regulatory agencies.
Businesses should establish policies and procedures, and integrate best practices to ensure continued compliance. Employees should be trained on how to recognize PII and the importance of confidentiality and handling of PII.
In addition to IT staff, the hiring of a CPO should be strongly considered to assist the business in remaining on top of new laws, ensuring compliance throughout the company, and as a main point of contact when trying to obtain permits and approvals, dealing with data subject requests, and answering to the governmental agencies that may request audits or additional information.
If a business requires assistance with maintaining accessibility, security, and retention requirements, they should consider a competent third party accustomed to working with big data and Fortune 1000 companies.
With the right information strategy and plan of action, coupled with plans to remain compliant in the future, organizations will be able to collect and mine their information for value while protecting the personally identifiable information of their data subjects.