In the last few years, data privacy laws and regulations have been big news. Much of the coverage—including one of our recent blog posts—concerned website compliance. Companies scrambled to post notices and forms on their websites to satisfy the requirements of the EU’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). While the details vary somewhat, those notices and forms advised consumers that they had the right to make specific requests about their personal data.
But providing the notices and forms was the easy part. Now, companies have to figure out how to respond to those data requests. It’s probably straightforward enough—if tedious—to find personal data that’s stored in customer databases. The question is, where else is personal data lurking in enterprise communications?
What Data Protection Laws Require
The GDPR and the CCPA provide similar but not identical protections to consumers. Rather than launch into a comparative analysis of the two—or delving into any of the other new or forthcoming data protection laws—we’re talking generally here about how data protection laws define terms and what protections they provide to consumers.
First, it’s worth noting that the scope of what data protection laws include as personal data or personal information exceeds the traditional U.S. standard of personally identifiable information (PII). Under the CCPA, “personal information” includes any “information that identifies, relates to, or could reasonably be linked with” an individual or their household. This includes the obvious PII, such as names, social security numbers, and email addresses. But it also includes categories of information that reach beyond PII, including a user’s internet browsing history, user names, purchase history, and more. It also encompasses any “inferences from other personal information” that, in combination with other data, could be used to create a personal profile about what a user likes or dislikes.
For years, companies have been able to collect this sort of in-depth purchasing data without notice to consumers and then use it to target their marketing, drive sales, or sell information for a profit. And individuals haven’t been able to do much about it. Data protection laws are aimed at changing that dynamic, creating rights for consumers and obligations for companies that collect or use their information.
Both the GDPR and the CCPA give consumers the right to access their personal data. If the company holds any protected information about that individual, they must promptly surface it when requested. Additionally, both laws give consumers the “right to be forgotten,” or to have their data remediated and/or deleted, with some exceptions.
That leads to a problem for companies. Data volumes continue to skyrocket. New communication methods and collaboration platforms emerge all the time, dispersing enterprise data across an ever-wider array of data silos. Yet somehow, in that morass of far-flung data, companies must be able to rapidly identify and take action on specific pieces of personal data.
This challenge calls for a whole new level of data management.
Responding to Data Access Requests: You Can’t Manage Data You Don’t Know About
For companies to be fully ready to respond to data access requests (often called data subject access requests or DSARs) and erasure requests, they need to be prepared to identify personal data that they possess, across every data storage and communication platform they use. This can include the obvious, such as a consumer’s name, address, or phone number, as well as information that may be harder to pinpoint, such as a reference to purchase history or a combination of information that, together, identifies an individual.
This gets tricky when information is referenced on collaboration platforms like Slack. For example, suppose a customer placed an order that included an item that was nearly out of stock, but that could still be found in select stores in a few states. Your employees, trying to fulfill the order, exchanged a few messages on Slack, discussing whether and how they could find the item and ship it to the customer. In the process—and across a span of perhaps 30 messages, both related and unrelated—your employees mentioned the following personal information:
- the customer’s name,
- the order number,
- the customer’s zip code, and
- details about the size and color of the item the customer ordered.
If that customer later requests access to or erasure of their personal data, how will you identify each of those types of information?
You might turn first to Slack’s internal data management tools, which include export tools and a profile deletion tool. Except those tools can’t always provide the pinpoint accuracy that you need to identify each piece of personal data. They also don’t provide the contextual view that you need. Slack conversations, unlike email, tend to unfold across numerous messages. They’re not self-contained bundles of information; they’re puzzle pieces that need to be viewed in context to fully understand. And when you export information using Slack’s tools, what you get isn’t a neat, easy-to-read printout: it’s a JSON file that’s cluttered with metadata and code.
[View source.]