Introduction to data privacy
Every organisation that handles client information needs to be aware of the rules, regulations and risks associated with data privacy. For many of us, it is a topic that we are aware of, but we are unsure of what this means in the context of day to day operations in the business. For organisations that either use or provide hosted services, data privacy very quickly becomes a central topic of discussion. The uncertainty and lack of understanding that surrounds this topic tends to feed fear and scaremongering, which ultimately causes some organisations to shy away from taking advantage of the compelling business opportunities that hosted services offer.
In this article we will discuss what laws are involved in data privacy, what sorts of data need to be protected, differences between countries, and how we (SolveXia) approach these issues when working with our clients. By the end of this article we hope you, the reader, will have a clearer sense of how to navigate and manage the data privacy topic in your organisation.
What are data privacy laws?
When a person exchanges information with an organisation, this may include private or sensitive information about the individual. Medical records come to mind quickly as an example of data that you want kept private, however financial information such as salary data, tax records, debt obligations are among many examples of information that people want to keep confidential. Increasingly around the world, when an exchange of data takes place between a private citizen and an organisation, an obligation is placed on the organisation to handle and protect that information with a level of care and respect that protects this expectation of privacy.
As we move further into the internet age, the public’s understanding of how easily privacy can be lost has led to increasing calls for government to step in and place legal obligations on organisations to protect privacy. In the same way governments imposed accounting standards upon organisations to protect financial investors, they are now doing the same with respect to people’s private data. So when you hear the term data privacy laws, what is being referred to is that set of obligations that governments impose upon organisations to ensure that they handle our data with due care and diligence.
Take a simple example. If you purchase a refrigerator from an appliances store, you will likely give them your details such as credit card number, email address, phone number and delivery address. If they were to subsequently sell, or accidentally release any of these pieces of information – without your consent – they can be fined. Fines vary from $5,000 to over a million in differing jurisdictions. If on the other hand, information was released that revealed that 5 refrigerators had been sold to people in the zip/post code 1234 today – no breach has occurred and this is not illegal (although the company may wish to investigate why any data is leaking).
Does this mean data privacy laws vary by country?
Yes. Very much so. In May 2018, the European Union’s General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, became enforceable across the EU. It is currently considered the strictest set of laws and obligations. You will also note that some countries have effectively no rules or regulations in place.
What does this mean for using or providing hosted services?
With the economic advantages that hosted and cloud based solutions offer, inevitably each organisation will have to look carefully at how they fulfil their data privacy obligations, yet not lock themselves out of these new technology benefits. If you are looking to use a hosted service such as Salesforce.com, Microsoft Azure, Google Apps, Amazon Web Services or Zoho – you need to plan carefully your approach to data privacy. The good news is, it can be done and is now mainstream so organisations around the world are successfully managing to reconcile their data privacy obligations with these new technology solutions.
To perform this reconciliation, we need to (a) understand what sorts of information are regulated (b) understand what the regulations require (c) understand what hosted solutions must do and must provide to be considered appropriate.
What sort of data is being regulated?
There is a concept called Personally Identifiable Information (PII), which exists in most jurisdictions, sometimes under different names. PII is a recognised term in the United States, Canada, the United Kingdom, Australia and New Zealand. A summary definition of PII is “information that can be used on its own or with other information to identify, contact, or locate a single person, or to identify an individual in context”.
In some places, like Europe, Canada, Australia and New Zealand it is also referred to as ‘Personal Information’. This has a slightly broader definition by using the words ‘reasonably ascertainable’ and somewhat expands on the US definition. The core concept is that ‘Personal Information’ is considered to be information that can be used either on its own, or in conjunction with other information items to identify an individual.
If an organisation holds PII about its clients, prospects, employees, suppliers or anyone else connected to the business, it has a legal obligation to prevent that data being disclosed to a third party without the individual’s consent. By far the most common type of violation here is employees emailing spreadsheets that contain hundreds or thousands of client records.
The table below shows some examples of commonly accepted PII data items. It lists examples of data that are NOT considered to be personally identifying. It is important to keep in mind that not all data falls under the regulatory purview of PII.
What about corporate confidential data?
A common question to ask, once people first understand the legal liabilities associated with PII data, is, ‘what about corporate data – are there laws protecting this data?’. In broad terms, the answer is no – governments do not regulate what organisations do with their own data provided it does not compromise the privacy of a citizen (we are back to PII there).
The data security policies of most organisations, however, quite naturally, protect competitive and sensitive internal information that pertains to strategy, future intentions and performance. Breaching these policies is a violation of company policy and so data security continues to be a critically important topic even if disclosure is not a breach of national law. An interesting twist on this topic is that, if a release of company information to the market would significantly influence its stock price, most OECD jurisdictions require the company to release this information publicly under frameworks of continuous disclosure laws.
The remainder of this article will focus on PII data and the GDPR regulations as this is the class of information that has the greatest legal liability attached to it and the GDPR laws governing PII data are considered to be the strictest currently in force.
Can I use a hosted solution if I am working with PII data?
Yes. The compliance regulations do not instruct organisations whether they can or cannot use hosted solutions. What they do is place obligations on an organisation to ensure that the PII data is managed securely and appropriately. This is a critically important point often missed in the fear-riddled debate that occurs in the IT press and within some IT departments. Under the GDPR laws, responsibilities when working with PII data depend on whether the organisation is acting as a “Data Controller” or a “Data Processor” (both terms are defined in GDPR Article 4). Companies such as SolveXia can be both Data Controllers for some PII data and Data Processors for other PII data. Data Controller “means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data”. Data Processor “means a natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller”.
Regardless of where an organisation stores its PII data or its role, it must take appropriate measures to ensure that it is secure and protected. The organisation is responsible for protecting the privacy of the individuals with whom it interacts.
An organisation will find itself on the wrong side of the data privacy laws if an audit reveals that appropriate controls and security measures are not in place around PII data. If any PII data is leaked, lost or stolen from an organisation, the organisation may well incur penalties.
A simple example here might help: Imagine I purchase a product from Company-XYZ, and I give them my home address for delivery and my credit card details for payment. At the point of transaction, Company-XYZ now has a responsibility to make sure that my address and credit card details are securely protected. Now consider these scenarios:
- If Company-XYZ stores my details on a server internally – and it has appropriate security and has controlled access, then they are OK.
- If Company-XYZ stores my details on a server internally – and an internal employee downloads an Excel list of all the orders for the day, which includes my Credit card details and address, and that employee emails this list to one of their friends, or stores it on a laptop that they then lose on the train ride home – Company-XYZ has a serious problem, as they have lost PII data.
- If Company-XYZ stored my details on a server hosted by a solution provider such as salesforce.com – and salesforce.com has appropriate security and has controlled access, then they are OK.
- If Company-XYZ stored my details on a server hosted by a solution provider such as dodgybobsCRM.com – and someone from within dodgybobsCRM.com leaks my information – Company-XYZ has a serious problem, as they have lost PII data.
These differing scenarios should show you that the key here is that Company-XYZ has a duty of care with my PII data – regardless of where they choose to store it. These are relatively simple scenarios, and there are often a lot of ‘grey areas’ that can apply – but the concept is straightforward.
- Recognise this is a difficult topic, and sometimes emotive, but that it can be resolved;
- Avoid using PII data in processes that we automate unless it is intrinsic to the task being automated;
- Base our IT infrastructure and processes on the strictest (European) standards;
- Maintain world class data security and be open with our clients about this; and
Because being in violation of the law is a scary prospect for most people, and because data privacy is not clearly understood, it is common for data privacy concerns to cause people to be fearful of using hosted services. You will notice the inclusion of the term ‘emotive’ in the title of this section – and this is very deliberate. It has been our experience that a significant number of people approach the topic of data security with a sense of reluctance, foreboding and sometimes plain fear. They perceive the issue to be so big, or so complex, that it is just too hard to work through. They believe “their organisation” will never allow hosted services to be used because of “data security concerns”. With the level of fear-based marketing that many IT security vendors use, maybe this should not be surprising.
These are valid concerns, however it is important to recognise that data security is not an insurmountable issue. Organisations like Salesforce, Microsoft Azure, Google, Zoho and Amazon are all growing rapidly. Their growth in the enterprise and corporate end of the market is at breakneck speed – so clearly some organisations, or more accurately, some people, are working through the issues to their satisfaction, and subsequently reaping the benefits of these new businesses and technologies.
We suggest to our clients early in getting to know them that while data security is a critically important topic – it is also addressable with confidence if we work through it methodically like we would any other business issue. This helps remove the emotion from the topic and put everyone into an analytical and problem-solving frame of mind.
Sometimes the best way to manage a risk is to avoid it. As described earlier in this article, protecting the confidentiality of PII data is one of the most important components of a data security policy, and arguably, in legal terms, the most important.
As a provider of process automation solutions, our clients are often uploading data files that have all sorts of information in them. Typically these files contain data on sales transactions, insurance policies, revenues and expenses, product inventories, service utilisations, invoices, flight data and so on. This is a diverse set of information types, with the common element being that we are usually operating on sets of data where the task is the processing of aggregate values for the business process in question. In many cases, PII data items are not necessary for the results of the business process; after all, when you are doing a revenue projection or expense reconciliation, you are not working with the data at the ‘individual’ level.
Consequently, one of the first things we do with clients is identify whether any of the source data files to be used in a process contain PII. If they do, we work with them either to remove that data from the extract program that creates the file or to remove it before the file leaves the organisation. This leads to a useful observation: to reduce an organisation’s overall data privacy risk, it makes sense to strip out PII as close as possible to the core system or storage point that holds it. By preventing this data from finding its way into extract and reporting files, the organisation better manages its data privacy risk regardless of whether a hosted solution provider is being used. Remember, a report file containing PII on an employee’s laptop can be emailed outside the organisation, or the whole laptop lost, far more easily than a data centre can be ‘hacked’.
Preventing PII from entering the source files used for business process automation is a relatively simple step, and it has proven to manage both the risks associated with using a hosted solution provider (SolveXia in this case) and the broader risks within the organisation.
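The following is an added example of the “strip PII before it leaves the organisation” step described above; it is illustrative code written for this article and not SolveXia’s own tooling. It assumes the extract is a CSV with a header row, that the team keeps an allow-list of the columns the automated process genuinely needs (the aggregate fields) and a deny-list of known PII columns, and it treats everything else as default-deny. As a backstop it also scans the surviving cells for email, card-number and phone-number shapes, since a free-text column is the usual route by which PII slips back into an extract. The sample extract, the regular expressions and the column lists are all constructed for the example; the card numbers are the public Visa, Mastercard and Amex test numbers.

```python
# Added example, not SolveXia code: a default-deny PII filter for a CSV extract,
# meant to run on the source side before the file leaves the organisation.
# The column lists, regexes and sample data below are assumptions for the
# illustration, not anything taken from a real system.
import csv
import io
import re
from typing import Optional

EMAIL_RE = re.compile(r"[^@\s]+@[^@\s]+\.[A-Za-z]{2,}")
# 13-19 digits, optionally separated by spaces or hyphens (card-number shape).
CARD_RE = re.compile(r"(?<!\d)(?:\d[ -]?){13,19}(?!\d)")
# Phone-number-shaped token; digit count and decimal-point checks happen in
# code so that dates (8 digits) and amounts (contain '.') are not flagged.
PHONE_RE = re.compile(r"\+?[\d(][\d\s().-]{8,18}\d")


def luhn_ok(digits: str) -> bool:
    """Luhn checksum: tells a real card number from a random run of digits."""
    total = 0
    for i, ch in enumerate(reversed(digits)):
        d = int(ch)
        if i % 2 == 1:
            d = d * 2 - 9 if d * 2 > 9 else d * 2
        total += d
    return total % 10 == 0


def looks_like_pii(value: str) -> Optional[str]:
    """Return 'email', 'card' or 'phone' if the cell looks like that kind of PII, else None."""
    if EMAIL_RE.search(value):
        return "email"
    for m in CARD_RE.finditer(value):
        if luhn_ok(re.sub(r"\D", "", m.group())):
            return "card"
    for m in PHONE_RE.finditer(value):
        token = m.group()
        if "." in token:  # 1250000.00 is an amount, not a phone number
            continue
        if 10 <= len(re.sub(r"\D", "", token)) <= 15:
            return "phone"
    return None


def strip_pii(csv_text: str, keep_columns, pii_columns=(), strict: bool = False):
    """Return (cleaned_csv_text, report).

    Columns not in keep_columns are dropped (default deny); columns listed in
    pii_columns are dropped even if someone later adds them to keep_columns.
    Cells in the kept columns that still look like PII are redacted and
    reported. With strict=True a hit raises instead, which is the right
    setting for an unattended extract job: it means the extract program
    upstream needs fixing, not silent patching downstream.
    """
    reader = csv.DictReader(io.StringIO(csv_text))
    header = reader.fieldnames or []
    kept = [c for c in header if c in keep_columns and c not in pii_columns]
    dropped = [c for c in header if c not in kept]
    out = io.StringIO()
    writer = csv.DictWriter(out, fieldnames=kept, lineterminator="\n")
    writer.writeheader()
    redactions = []
    for line_no, row in enumerate(reader, start=2):  # line 1 is the header
        clean = {}
        for col in kept:
            kind = looks_like_pii(row[col] or "")
            if kind:
                redactions.append((line_no, col, kind))
                if strict:
                    raise ValueError(f"PII ({kind}) in column {col!r} on line {line_no}")
                clean[col] = f"[REDACTED {kind}]"
            else:
                clean[col] = row[col]
        writer.writerow(clean)
    return out.getvalue(), {"dropped_columns": dropped, "redactions": redactions}


# Constructed sample extract; the card numbers are the public test numbers
# for Visa, Mastercard and Amex, not real accounts.
SAMPLE_EXTRACT = """order_id,customer_name,email,card_number,amount,region,notes
1001,Jane Smith,jane@example.com,4111 1111 1111 1111,250.00,NSW,delivered
1002,Bob Jones,bob@example.net,5500 0000 0000 0004,99.95,VIC,call 0412 345 678 before delivery
1003,Ann Lee,ann@example.org,3400 0000 0000 009,1250.00,QLD,
"""
KEEP_COLUMNS = ("order_id", "amount", "region", "notes")  # what the aggregate process needs
PII_COLUMNS = ("customer_name", "email", "card_number")   # never leaves the organisation


def run_sample():
    """Filter the constructed extract; returns (cleaned_csv, report)."""
    return strip_pii(SAMPLE_EXTRACT, KEEP_COLUMNS, PII_COLUMNS)


if __name__ == "__main__":
    cleaned, report = run_sample()
    print(cleaned)
    print(report)
```

On the sample, the three PII columns are dropped outright and the phone number that a user typed into the free-text notes field is redacted and reported as a finding against line 3. The shape-based detection is deliberately a backstop rather than the primary control: the allow-list is what actually keeps PII out, and any redaction in the report should be treated as a signal to fix the extract program at the source system, as the article recommends, rather than relied on as a filter.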
As mentioned previously, Europe has some of the strictest data privacy laws in the world. The European Union’s General Data Protection Regulation (GDPR), Regulation (EU) 2016/679, defines in detail what constitutes appropriate care and diligence when it comes to the obligations organisations face when working with PII data within the EU. SolveXia uses Microsoft’s Azure infrastructure with appropriate data encryption, system hardening and processes to comply with these European standards.
Under GDPR SolveXia handles personal data in two capacities:
As a Data Processor – As a provider of a hosted service that allows us to process data on our clients’ behalf:
Under GDPR, we are permitted to process personal data loaded by clients based on the contractual relationship between SolveXia and these clients. This data is encrypted both within the client database and in transit. Authorised client representatives can either delete client data that they control from their SolveXia database or they can contact SolveXia to delete this data for them.
As a Data Controller – For support, sales and marketing purposes:
SolveXia collects data such as contact details and other customer relationship information for the purpose of supporting and marketing our products. SolveXia periodically emails and calls clients to inform them of changes to our service, new releases, outages, events and other information of interest, and to solicit feedback. We hope that our clients find this information useful, but they can opt out using the unsubscribe link at the bottom of every marketing email. SolveXia uses leading third-party tools, such as CRM and mailing systems, to store some PII (names, phone numbers, email addresses and the content of emails) and uses this information to communicate with clients, stakeholders and prospective clients. SolveXia does not sell or share any of this information outside the organisation. The information stored on these third-party systems does not include data used in SolveXia processes.
Accessing your data
As a Data Controller, we will provide you on request with a copy of the data we have collected as part of our interactions with you.
We build in world-class security at all levels of our system designs. Data is encrypted both in transit and at rest. No data is stored in the client browser. Client data is not interleaved. This list goes on. We have a commitment to understanding and employing state of the art system design principles to ensure that we provide a robust and secure infrastructure for our clients. We regularly participate in security reviews run by our clients – and we submit our systems to testing by our clients. We maintain an open book policy with our clients, where we are willing to discuss and share security issues in a way that builds confidence.
Maintaining data security is not a task that has an end date. You do not reach a point where you say it is “done”. Instead, it is a continual process of review and improvement.
At SolveXia, we have realtime, daily and weekly processes designed to monitor, review and test our security policies. Many of these leverage the monitoring tools offered by Microsoft to check the status of the systems we use; for example, one continuous check notifies us if any of our systems is missing the latest security patches. We also engage an external agency that specialises in IT security to conduct penetration tests and reviews of our security every 16 weeks. We believe that, on a topic as important as data security, an organisation should engage a “second set of eyes” when reviewing its approach. Many organisations are surprised at how often we choose to conduct this external validation. We believe there are two very strong reasons for this high frequency of external review:
- In the world of IT security, new threats are emerging constantly. 6-12 months is a very long time in this domain – too long in our view to adequately stay on top of current threats
- IT infrastructures (including firewalls) are never as stable as we might like. Don’t assume that nothing has changed over an extended period
By constantly reviewing data security – and treating this topic as one that requires constant vigilance and attention, we believe we are treating our clients’ data and shareholders interests with the respect they deserve.
This has been a long article – but data security is a big topic. In summary, here are the key points:
- Data security is a large and complex topic
- Different countries have different data security laws – with Europe currently being the strictest region
- The particular responsibility that organisations have (in terms of legal liability) is to protect personally identifiable information (PII) about their clients
- PII liability focuses on the controls, checks and balances in place around this data – not where it is stored
- At SolveXia, we choose to adhere in all locations to the European GDPR laws
- At SolveXia, we encourage clients to remove PII data from the processes we automate if this data is not required for the correct functioning of the process.
- At SolveXia we believe that maintaining data security is a continuous process of review and improvement.