The need to protect personal information is nothing new. Headline-grabbing breaches provide constant reminders of the legal obligation companies face to keep their customer data private and secure. But in all likelihood, the measures and practices you adopted to meet that obligation were designed for an earlier, simpler time with a narrower definition of the data to be protected. You may not be ready for the changing face of data privacy.
Under US data breach laws, personal information has generally been limited to the person’s name, social security number, healthcare data, and financial data. Because the breach disclosure laws put privacy events into the public eye, the data breach laws have been the focus of many US corporate efforts around customer data privacy and security.
Recent developments, first in Europe and continuing elsewhere, show how outdated this understanding has become. As codified in the General Data Protection Regulation (GDPR), personal information encompasses social media posts and photographs as well as IP addresses, location data, and other identifiers that can be combined to identify a person. The GDPR also incorporates a special category of “sensitive data,” which includes genetic and biometric data, as well as race, nationality and union membership, requiring greater controls.
While Europe has taken the lead on expanding the definition of and controls required for personal information, other jurisdictions are likely to follow suit. In June 2018, the California State Legislature passed a bill, without opposition, that defines personal information expansively and creates comprehensive protections for consumer personal information. This includes virtually any information that can be used to identify an individual or a household (the term ‘household’ is not defined). Under this new law, Californians have gained the right to know how and why this information is being collected, and with whom it is being shared. In some situations, they may even be able to prevent companies from selling or sharing their personal information or have it deleted outright. While it is unclear at this point how other states and the US federal government will proceed, there’s no question that the more limited view of which personal information must be protected is on its way out.
When information gets personal businesses have to adapt
What’s the impact of this shifting landscape on American businesses? It is too early to know specific requirements across the US—much will depend upon the legislative processes in the states and at the federal level. But it is already clear that the focus in the US is broadening to include an array of information that can be used, whether on its own or in combination with other information, to identify an individual. Wherever your company operates, it is highly likely that you will fall under the regime of GDPR, the new California law, or similar laws.
Companies must now be more sensitive to the shifting definition of personal information, and to the accompanying rules, as they work with customer data. Even as the volume and types of customer information collected grows rapidly in the era of big data, companies must pay close attention to the way it is categorized, stored, secured, managed, and accessed. The fact that few enterprise databases are segregated between personal and non-personal information only adds to the challenge.
Accountability and control will give businesses a leg up in privacy
While technological measures will be indispensable for maintaining compliance with the new wave of privacy rules, it is also critical to understand and embrace the notion of accountability—the cornerstone of GDPR. You have to know what data you have, whose it is, where it is, how you use it, and with whom you share it. That insight can save your company from non-compliance and from added headaches in the event of a security incident. And it will add credibility with customers increasingly attuned to companies with transparent data practices.
But beyond accountability, you must also provide your customers with choices about how their personal information is collected, stored and used within your environment. For consumer applications, this may include being able to find and delete specific types of information about a person, or to place restrictions on its use, upon request.
Ultimately, expanding the definition of personal information and adopting more stringent privacy requirements will help to build trust, prevent breaches, and curb abuses. Just make sure you’re ready to address the challenges this shift presents.
Learn more about Citrix products and adherence to compliance, privacy, and security best practices.