Discover the Facets of Information Governance: Privacy

November 5, 2018


GDPR and privacy


Most of us don’t go to the library to find information anymore. We surf the web. We don’t shop in stores as much as we used to; we buy online. Most of us carry connected devices that are able to record very personal data about our habits, location, and more. Even my grandmother knows how to use a smartphone. Knowingly and unknowingly, we make private information available, in addition to the kind of data that has traditionally been available through our healthcare records or bank accounts. Privacy is an increasing concern. New laws like the EU’s GDPR are a reaction to all these changes, trying to fill in huge gaps in existing data privacy laws to reflect the current reality. In this post, we’ll explore another facet of Information Governance: Privacy.




The limits of data collection

The digitization of our daily lives has created an incredible opportunity for companies to get to know their customers better. Crunching data is one of the biggest priorities for most organizations. With this opportunity comes a major responsibility. Regulations are being put in place to protect us, and most of them are based on a few key principles.

  • No entity should collect information without a clearly communicated purpose

  • People have to give consent for their data to be processed

  • People should have the ability to review information about them

  • Information collected should be accurate and up-to-date

  • Information collected should be deleted if it no longer serves the purpose it was collected for 

Even if it seems like a lot to consider for organizations collecting information, it is still not enough. Some of the regulations protecting us are decades old and not up to the task of protecting our privacy in today’s connected environment.


Data privacy pioneers

To protect data privacy, regulations have been enacted and later amended over the last decade to stay relevant. Regulations such as:

  • The Health Insurance Portability and Accountability Act, or HIPAA, enacted in 1986, protects the privacy of personal information included in the healthcare records of people treated in the US.

  • The Gramm-Leach-Bliley Act, or GLBA, enacted in 1999, protects the privacy of personal information for US financial services consumers.

  • The Canadian Personal Information Protection and Electronic Documents Act, or PIPEDA, enacted in 2000, protects the privacy of personal information for Canadian residents.


Modernizing data privacy

More recently, regulations that fit our modern environment have been put in place, including:

  • The European Union General Data Protection Regulation, or EU GDPR, enacted in 2018, protects the privacy of personal information for EU residents.

  • The United Kingdom Data Protection Act, enacted in 2018, protects the privacy of personal information for UK residents.

  • The California Consumer Privacy Act, or CCPA, enacted in 2018, protects the privacy of personal information for California residents.


GDPR enforcing the right to be forgotten

GDPR goes a step further than previous data privacy laws by enforcing the right to be forgotten. Data subjects not only have the right to review information about themselves but also to delete it and to choose to be excluded from further data collection. To achieve that, organizations can’t just pile up information everywhere with no way to find it (check out our Data Audit Worksheet). If Jane Doe requests to be forgotten, her data needs to be deleted. The bit that says she likes mint ice cream can’t be left out. Because even if you can’t find it, supervisory authorities might.


Why is Privacy a facet of Information Governance?

Privacy is a facet of Information Governance because it’s regulated, and the activities performed to achieve it reduce risks linked to information. Good Information Governance practices also address privacy, as they give visibility and control over who has access to what. The search and content management of unstructured data repositories is streamlined. Good practices also improve the governance of data, which results in structured information being accurately labeled.


Why worry when you’ve got nothing to hide?

It’s easy to understand why the privacy of information such as healthcare and criminal records is important for individuals. Releasing this information into the public sphere could be damaging for careers, relationships, and more. Other things like geolocation data are a bit trickier. If you have nothing to hide, why worry? It’s just that not regulating the processing of geolocation data may open many doors. For now, it’s mostly used to market certain products or conduct behavior analytics. But maybe you don’t want to take part even in that, and since the enforcement of GDPR, that’s your right.

It’s easy to forget that the data being collected belongs to real people, and regulations are needed to keep organizations in check as our use of technology will only increase. It’s important that limits be defined now so our privacy can be protected. According to Edward Snowden, it is everyone’s business: “Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say.”



This article is the third of a series of ten. Click below to discover more facets of IG:

  1. Compliance
  2. Information Security and Protection
  3. Privacy
  4. Audit