What do companies really do with your data?
So you’ve just clicked ‘accept’ on a website’s cookie consent warning. Great! Now what?
Serious question: Has anyone, ever, consciously decided not to use a website they require (or even just want to use) because they don’t agree with a cookie consent warning?
They’re everywhere now thanks to Europe’s General Data Protection Regulation (GDPR). Although the GDPR is meant to protect Europeans, by now most international websites have implemented cookie consent warnings anyway.
Because they’re also prone to abuse, the EU recently published updated guidelines on cookie consent forms to end bad practices like “cookie walls” (defined as websites blocking users from viewing content until they give consent).
In the vast majority of cases, we all click that button without even thinking – like itching a scratch before consuming the site’s content. But these warnings are important, because any data collected by cookies or other means that can identify a user is considered personally identifiable information (PII).
PII, and its sensitive-data cousins like personal health information (PHI) or payment card information (PCI), must be handled correctly to be compliant with a growing cadre of privacy regulations like Europe’s GDPR or the California Consumer Protection Act (CCPA).
That’s not always ideal, because, unfortunately, some organizations simply lack the tools to be able to handle your data compliantly.
Related Reading: Let’s see some ID: Why data identification is a crucial first step for compliance
What actually happens with your data?
Your data isn’t just collected by organizations through website cookies or EULAs. Every time you register for something, buy something, or offer up your information or preferences in any number of other ways – including on social media and in search engines – data about you and your online habits are being meticulously collected.
But what happens with that data, once collected?
Sometimes it’s used for things like targeted or retargeted advertising. Sometimes it’s sold to other companies via data brokers or other means.
Still, other times it’s used to include (or exclude) you from email marketing campaigns or prioritize certain products that may suit your taste the next time you visit a website. Sometimes, after a while, it may even be deleted or destroyed.
No matter its fate, however, there’s one consistent thing that happens with your data once ingested: It gets stored in a database or data warehouse. It may get transformed and integrated with other data types, and perhaps it’s even brought into a data lake so data scientists can add it to big datasets to build machine learning models or for other purposes.
The problem for many organizations, though, is that along with your data, they’re also ingesting everyone else’s – along with other data types like streaming or IoT data from devices in the field.
That means these organizations are now dealing with velocities and volumes of data simply unheard of even just a few years ago, sometimes with creaky legacy data infrastructure.
All this being said, it’s fair to say that many organizations are struggling to keep up. Which, it turns out, has massive implications for you and your data: After all, along with what’s called the “right to be forgotten” in the EU and Argentina, individuals in countries with strong data privacy regulations also have the right to ask any organization to immediately remove their data from its information systems.
But for organizations to have a reasonable chance of accommodating a request like this, they must be able to locate an individual’s data and dispose of it quickly.
Unfortunately, for many organizations who haven’t made the right investments in data classification, this is often impossible.
Related Reading: Are enterprises becoming more complacent about data breaches?
Respect the right to be forgotten…or else
The right to be forgotten under GDPR, also known as the “right to erasure”, can involve both personal data kept in an organization’s information systems or public data (including photos, videos, or other information) deemed not in the public interest but obtainable by anyone through search engines.
Article 17 of GDPR states: “The data subject shall have the right to obtain from the controller the erasure of personal data concerning him or her without undue delay and the controller shall have the obligation to erase personal data without undue delay” under certain circumstances.
Those circumstances include when the data is no longer necessary for the original purpose in which it was collected, or if the data subject withdraws consent (which was given way back at the beginning of this story, when we clicked that “accept” button on the cookie consent warning).
EU consumers have even successfully sued companies like Google under the right to be forgotten.
It’s worth noting, however, that it was dealt a blow in the latter half of 2019 with an EU court ruling that search engines aren’t required to comply outside of Europe.
Countries like the U.S. and Canada technically don’t have a right to be forgotten laws, and whether they seem to be inching closer to adopting such a law depends on where you look. The Office of the Privacy Commissioner of Canada recently released a draft policy for discussion on online reputation, something that is seen by some as a first step. In the U.S., though, any discussion around a similar right typically runs squarely into First Amendment issues.
Either way, organizations in most countries usually must deal with both domestic data privacy regulations along with more far-reaching ones like GDPR (if they have European customers or users, for example).
Indeed, along with Article 17 of GDPR, organizations also have to contend with other rules such as Article 15, which gives consumers the right to access their personal data at any time.
That means these organizations must know what data they have, where it’s stored, and who has access to it – all while continually creating, ingesting and navigating more data, at faster speeds, than ever before.
This means that in many cases, it’s physically impossible to manually identify and classify that data (accompanied by the twin risks of employees either not knowing how to classify data, or using workarounds to avoid stringent processes).
Which, in turn, runs the risk of costly non-compliance fines or even more costly data breaches for organizations who don’t take the right precautions.
How data identification and protection software helps keep organizations compliant
By now, we’ve established some of what happens to PII in the days and weeks after a consumer browses a favorite website, buys items online, or has their data collected and ingested via any number of other ways.
We’ve also established the difficulty organizations face keeping tabs on all this data given its growing velocity and volume.
So, what’s the solution for organizations who want to be data driven, but also want to stay on the right side of regulations (and public opinion)?
Software for data discovery and classification for sensitive data could be the key.
This software helps organizations automatically identify the location of all its sensitive data – both in flight and at rest – and classify it based on flexible categories determined by the organization down to a granular level.
This software can then apply rich metadata to emails, G Suite documents, Microsoft Office files and other documents, working in harmony with data loss prevention (DLP) software, cloud access security broker (CASB) software, and the rest of your security ecosystem.
Data classification software also helps keep employees compliant through automated workflows that prompt workers to classify data correctly as they go about their regular business.
And it’s all governed by a configurable and flexible policy management platform, so organizations can set classification rules according to their requirements.
Data identification and data classification lets organizations know exactly where all their ingested PII and other sensitive data lives, allowing them to stay GDPR compliant and keep customers happy by responding quickly to erasure or other PII requests from the public.
Indeed, in a world where a growing number of consumers don’t trust many companies’ ability to keep their data safe, strong data identification and classification is a business differentiator.
That means customers and users of these organizations can go ahead and click “accept” on those cookie warnings all they like, with the peace of mind of knowing their data is identified, classified, and kept safely.