The Future of Privacy Compliance - Part 1 of 3
Updated: Nov 21, 2019
Across the world’s data protection regulations (EU GDPR, Brazil LGPD, CA CCPA, Australia CDR, India PDP, Japan APPI, Israel PPL and virtually all others), one concept is used repeatedly to unify these laws’ operational components: “purpose” and “purpose limitation”.
For example, GDPR Article 5(b) establishes the centrality of purpose, stating that personal data shall be “collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes.”
Purpose Definition – the most important privacy compliance step you never heard of...
Most of the operational articles and recitals in the GDPR are tied together by the concept of “purpose”.
Until recently, when reviewing privacy compliance solutions, one mostly heard about “data discovery” and “data mapping”, with messages such as “if you can’t find your data, you can’t comply” or “you can’t protect what you don’t know exists.”
However, the laws are clear: without establishing purpose, a data controller has no legal justification for holding any personal data that might be discovered and mapped. A Data Controller that fulfils a DSAR with discovered but non-purposeful data is potentially turning over evidence of non-compliance to adversaries in a Data Protection Authority complaint or civil lawsuit.
The lack of a contextually specific, lawful purpose for processing data is one of the worst types of GDPR infringements, and most of the GDPR fines issued to date can be traced to “lack of appropriate technical and organisational measures which are designed to implement data-protection principles” – including inadequate or missing lawful purpose definition.
Consider this as an updated GDPR solution message:
“Even if you can find all your data, you still aren’t GDPR compliant – without purpose definition.”
Please look for the 2nd post in our series of 3 on “Operationalizing Privacy Compliance”.