Laying down the law on privacy
“When I want my data protected, I use my European passport.” So says Sheila FitzPatrick, the doyenne of data privacy who “lives and breathes in the privacy space.” The chief privacy officer for NetApp has law degrees from University of Santa Clara in California and Trinity College in Dublin and has built privacy programmes for 300 companies around the world. A dual US and Irish citizen, she works closely with the Article 29 Working Party and sits on the advisory board with EU Commissioners.
At the Tealium Digital Velocity conference earlier this week, she explained that privacy is, “the full lifecycle of personal data that you collect, from the time you collect it to the time you destroy it. It is the legal and regulatory requirements that define what you can and cannot do with that data, who can have access to it, how you can process it, where you can process it, where it can be stored and whether or not it can leave the jurisdiction.”
The attorney urged data professionals in the room not to panic about the General Data Protection Regulation (GDPR), but to treat personal data with respect and emphasised this, saying, “data is your greatest asset, but it can also be your greatest detriment if you don’t treat it in accordance with the law.”
FitzPatrick explained that GDPR will force people to be accountable and transparent with what they do with data, and only collect the minimum amount they need to manage the relationship or service they provide. To FitzPatrick, being accountable and transparent means collecting data and using it solely for the purpose that is was being collected for, obtaining explicit, freely-given and affirmative consent, allowing users to opt-out of their data being accessed by third parties or outside of the country of origination, and users having the right to request that their data be deleted once it is no longer needed.
She explained that only collecting the minimum - data minimisation - means when a new technology or service is being built, the creator designs it so as to collect only the data they absolutely need to provide that service, “as opposed to asking for everything just because at some point you might need it.”
Since GDPR was ratified, she has noticed a great many vendors that have suddenly become experts in GDPR. They say, “if you buy our tools and technology, we’ll guarantee you’re GDPR-compliant,” claims about which FitzPatrick is extremely dubious. After asking one or two questions, she would come to realise that those companies were actually being deceptive as they themselves had no privacy policies of their own set up, but just “encrypt the data,” which is a security, rather than a privacy measure.
“If the vendors I’m talking to do not have a privacy programme in place, how in the world are they going to help me become GDPR compliant?” she questioned, showing her frustration with those who conflate data security with data privacy. She hammered home to the audience the fact that GDPR preparation is not solely an IT issue, but rather a legal compliance issue. “The CSO, the CIO and the CTO do hold responsibility for GDPR, but they are key partners in the GDPR journey. Your chief privacy officer owns responsibility for ensuring the company is compliant,” she said.
She advised that organisations lay the groundwork for GDPR by building a compliance metric because the legislation requires a strong data privacy programme and foundation. That foundation is understanding data retention and destruction, how long data can be maintained, why it is being collected, what the data is being collected for, whether or not the individual has given consent to have their data collected, and the transparency of the data processor.
FitzPatrick helped to build the privacy programme at NetApp and said that it addresses data privacy, data sovereignty, cyber-security and legal issues. She also added that NetApp is one of fewer than 100 companies worldwide that has Binding Corporate Rules (BCR) in place. “That is the highest standard you can reach - there is nothing higher than Binding Corporate Rules,” she pointed out.
To illustrate her passion for privacy, she told the attendees about the time she was asked to fill in a Health Insurance Portability and Accountability Act form when she was registering with a new dentist in the US. She deemed it an “illegal form” and, after she refused to complete it and covered it with edits and amendments in red pen, she was taken to the back office and was given permission to rewrite the entire form. She was then given a free appointment for her troubles.