close
Share with your friends

Data Privacy

What does it mean for Organizations?

Privacy is no longer as it used to be in the past. Traditionally, Privacy to a larger extent has been an individual responsibility however with the advancement and increased use of technology in recent times, a new phenomenon of data privacy has arisen and this has less to do with individual responsibility but more to do with responsibilities of organisations handling individual’s personal data and the individual’s rights as far as that data is concerned. Personal data is defined as information about an individual or group which means that any information relating to an individual that can be used on its own, or in combination with other information to identify an individual. 

 

What is considered private and personal data may differ according to the society and the individual however there is now some global convergence in defining what is deemed private and the various pieces of legislation in various jurisdiction is showing this. It has become key for organisations in various sectors to also be proactive in putting measures to protect private data especially in an era where cybercrimes are on the rise. The points below give an overview of what data privacy is, its impact and how organisations can ensure a healthy privacy operational environment.

 

What is Privacy and Personal Data?

Privacy is the ability of an individual or group to seclude themselves, or information about themselves (personal data), and thereby express themselves selectively.

Personal Data includes:

  • Your name
  • Race or Ethnicity
  • Email Address
  • Physical Address
  • Sexual Orientation
  • Date of Birth

Privacy and Personal Data

There are other items which may not immediately look like personal data but when combined with other data or the above, become personal data for example when one signs up for competitions or customer loyalty cards information below may be collected and become personal data when combined with the above:

  • Type of toothpaste you use
  • Type of Milk you buy
  • Number of times you buy alcohol in a month, to mention a few.

Because personal data relates to an individual, or allows identification of an individual, it needs to be carefully protected. However there is a subset of personal data known as sensitive personal data. Sensitive Personal Data includes Personal Data revealing an individual’s:

  • Race
  • Ethnicity
  • Political Opinions
  • Religious or philosophical beliefs
  • Criminal Background
  • Trade Union memberships
  • Health or sexual orientation
  • Biometric or Genetic information (according to the General Data Protection Regulation)

 This category requires extra care when handling or storing.

Data privacy in this case entails the preservation and protecting any personal information, collected by any organization, from being accessed by a third party. Personal data can be maliciously used and it is imperative for organisations to prevent this from happening as it may have long term consequences. Some of the principles of data privacy below provide guidance to ensure privacy and fair processing of personal data:

 

Principles of Data Privacy

  • Transparency

  • Being informed about the purposes for which one’s data is being collected and used is important to ensure that processing is fair.
  • Purpose
    Limitation An individual may choose not to consent providing their information where an organisation uses data not known to the individual or where it discloses an individual’s information to any one else.
  • Data Quality and Proportionality
    Personal data collected should be reasonable, kept accurate, up to date and should not be excessive in respect to the purposes for which it is collected.
  • Security and Confidentiality
    Reasonable precautions such as technical, physical and organisational security measures must be taken to secure Personal Data against accidental or unlawful destruction or loss, alteration, unauthorized disclosure or access.
  • Access, rectification, deletion and objection
    Individuals should have access to their Personal Data held by organisations, where those requests are reasonable and permitted by law or regulation. Individuals should also be able to object to the processing of their Personal Data if there are legitimate grounds relating to their circumstances.
  • Sensitive Data
    Additional measures should be put in place to protect sensitive data.
  • Data Minimisation
    Data collected and processed should not be held or further used unless this is essential for reasons that were clearly stated in advance to support data privacy

What can Organisations do to maintain Data Privacy?

Just like any other operational environment, there to be a policy governing the operations within a business. Do not share is the ideal, but not a pragmatic option for some companies hence having a Privacy Policy would be a value-add proposition for customers and for companies. However, before coming up with a policy it may be necessary to come up with a questionnaire to identify whether the business/organisation will collect, use, retain, disclose, secure or dispose of personal information and the type of information involved.

Once we have identified the personal information and forms of sharing information within and outside the organisation, a Privacy Policy is then established to cover all these aspects and it is important to note that data privacy is everyone’s responsibility. The diagram below depicts the flow of privacy from establishing a policy to implementation by business units.

At operational areas, it is imperative to map the flow of personal information in all formats, from creation or collection, until final disposition including compliance to regulatory requirements where applicable, for example, needssecure destruction or transfer to appropriate archives. From the information flow assessments, business units will have to implement controls that will reduce probabilities of information leakage.

Other solutions of ensuring data privacy include:

  • Ensuring that staff are properly trained and are aware of the potential privacy impact and appropriate privacy-protective measures to be followed
  • Creating retention periods that only keep information for as long as necessary and planning the secure disposal of information and
  • Minimising collection of certain types of personal information.

Also on home.kpmg