Personal data – and how it is collected and managed – is an increasingly important area for businesses today. The ever-increasing volume of personal data collected by companies has come under increased scrutiny with 71% of consumers worried about the way companies handle their personal data. This apprehension combined with an evolving regulatory landscape and ever-increasing security risks means companies need to be more careful than ever before in the way they collect and manage personal data.
To help you ensure that you and your company are collecting personal data in a compliant, secure, and efficient way – we have put together The Definitive Guide to Personal Data Collection.
From our years of experience in the personal data collection space, we have been able to identify a set of best practices, tips, tools, common mistakes and more. This guide will also help you build your knowledge on personal data and how it applies to your company. The following sections are included:
- Personal data definition.
- Personal data in business today.
- What personal data regulations are businesses subject to?
- Common personal data collection mistakes.
- Personal data statistics.
- Personal data collection best practices.
- Personal data collection tools.
- The future of personal data collection.
Personal Data Definition
Before developing and refining your personal data collection processes, it is worth taking the time to understand what exactly is considered personal data. There are a number of personal data definitions floating around. Below are some of the most important definitions which you should familiarize yourself with.
GDPR: According to GDPR (General Data Protection Regulation), personal data is any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. For more information on the GDPR definition of personal data, check out this page.
VCDPA: The VCDPA (Virginia Consumer Data Protection Act) and the CPA (Colorado Privacy Act) define personal data as information that is linked or reasonably linkable to an identified or identifiable individual. De-identified and publicly available data are expressly not personal data. Further info available here.
CCPA: According to CCPA (California Consumer Privacy Act), personal data is information that identifies, relates to, describes, is reasonably capable of being associated with, and could reasonably be linked, directly or indirectly, with a particular consumer or household. Further information on the CCPA available here.
A good rule of thumb is that the more information about someone a business has, the more the data is referred to as ‘personal’. For instance, if a business contains only the name of a client, it is not necessarily considered personal data because there might be any number of people with the same name. However, if there is a phone number, address, email, and so on alongside the name, then that is considered ‘personal’ data, because this information helps differentiate and identify a particular person.
Personal Data in Business Today
Personal data is collected by most if not all businesses today. There are many ways in which personal data is used and some classic high level examples include:
- Employee Onboarding: Companies and HR departments collect new employee personal data during the onboarding process.
- Tenant onboarding: Property and real estate companies will collect personal data and documents from tenants in the rental market.
- AML (Anti-Money Laundering): Companies that collect AML documents and data use personal data to confirm identities.
- Customer Databases: Companies collect and store the personal data of their target customers.
- Utility Companies: Utility companies collect and store personal data on their customers. This personal data is usually collected during the initial customer setup or onboarding phase.
These examples are just the tip of the iceberg. Companies all over the world collect personal data for a variety of reasons. The key takeaway here is to understand that your company most likely collects personal data, and it is important that this personal data is collected and managed in a compliant, secure, and efficient manner.
What personal data regulations are businesses subject to?
The area of personal data protection laws and regulations is rapidly evolving. Today’s highly connected, always online world did not exist in the 1990s and, as a result, policymakers have been playing catchup to meet growing public concerns about the way personal data is collected and managed by companies.
We have already touched on some of the key regulations in this area including GDPR and CCPA but there are some other regulations coming into effect in different regions that you should familiarize yourself with if your company does business there. Below we will outline the key personal data privacy regulations you should be aware of.
Enforcement of the General Data Protection Regulation (GDPR) began in May 2018 and represents one of the most significant moments in the history of data protection. This wide-ranging law contains an expansive definition of ‘personal data’ and a broad territorial scope – expanded to include companies outside the EU who offer goods and services in the EU, monitor individuals based in the EU, or have established a place in the EU.
At the core of GDPR is an emphasis on purpose limitation, lawfulness, transparency, integrity, and confidentiality. It also formalizes privacy principles such as data minimization and accountability, included in:
- Security Audits: Companies are expected to document and maintain records of their personal data security practices to inspect the effectiveness of the security program and take appropriate corrective measures in case of a breach.
- Extended individual rights: Individuals have greater control and ownership of their personal data. They also have an extended set of data protection rights, such as data portability and the right to be forgotten.
- Data breach notification: Regulators and/or impacted individuals have to be informed about personal data breaches without undue delay.
- Data security: Technical and organizational security controls must be put in place to prevent personal data loss, information leaks, or unauthorized data processing operations. In practice this means building encryption of personal data, network and system integrity, incident management, availability, and resilience into the security program.
The types of data which come under the scope of GDPR include:
- Identity information such as name, address, and ID numbers
- Web data such as location, IP address, cookie data, and RFID (Radio Frequency Identification) tags
- Health and genetic data
- Biometric data
- Racial or ethnic data
- Political opinions
- Sexual orientation
The six main legal bases for personal data collection in light of the GDPR are:
- Contractual fulfilment: If you enter into an agreement with someone in exchange for value for some period of time, processing personal data is necessary and legal insofar as it is needed to fulfil the contract.
- Compliance with the law: Certain situations, such as a law-enforcement request, will require you to process personal data; failing to do so breaks the law and invites legal action.
- Publicly available data: In some jurisdictions, personal data that is public means it is not personal information. This data can be processed. In areas where this kind of data is still personal, the processing is allowed as well.
- Vital interests: For instance, hospitals are allowed to process personal data as they attend to someone suffering from a serious injury or an illness. In the case of epidemics, disasters, and many others, personal data processing does not only serve the vital interests of an individual but also extends to the public interest.
- Consent: If someone who is an adult (above 16 years) says ‘yes’ to your request to process their personal data, you are legally allowed to do so, unless there is a form of power imbalance that requires another legal basis, for instance between an employer and an employee. The data subject also has a choice in relation to the one or more specific purposes for which their personal data will be used.
- Legitimate interest: If it makes sense for you to collect personal data as a result of what you do, then it is legal to do so. For instance, if a client buys a service from your organization, you can send an email offering a discount or bonus. Another example is a banking institution that processes personal data to prevent fraudulent dealings.
- Public interest: This covers public tasks such as VAT and taxes, scientific research, and many others. It also applies to a public authority that has to carry out public tasks that require personal data processing.
Other Data Protection Laws:
Data protection regulations vary from one region to the next. Broadly speaking, however, other territories are bringing in data protection laws that are similar in scope to GDPR.
- The UK introduced the “UK GDPR”, a law which mirrors the GDPR after the UK left the EU.
- New Zealand and Switzerland have updated their data protection regulations to match the standards set by GDPR.
- A new federal privacy law was introduced in Brazil in September 2020. Read more about the LGPD here.
- New data protection legislation in South Africa came into force in July 2020. Read more about the POPIA here.
- Dubai also introduced a new data protection law in July 2020. Read more about the DIFC here.
- In the United States, the introduction of the California Consumer Privacy Act and the Virginia Consumer Data Protection Act have seen standards move closer to those set by GDPR in Europe.
Common Personal Data Collection Mistakes
There are a number of all too common mistakes companies make when it comes to the collection and management of personal data.
1 – Using email for collecting personal data and documents
Many companies today are leaving themselves wide open to security and compliance issues by using email and other legacy tools to collect personal data and documents. Email, for example, is a 50-year-old communication tool that was never designed to collect personal data. Issues around compliance emerge as personal data and documents travel through various inboxes around a company, and this personal data may end up being stored in an inbox indefinitely, which is far from ideal. There are also issues around security, with 90% of malware attacks occurring via email. Last, but not least, using email to collect personal data is an extremely inefficient use of employee time; it will cost your company hours of valuable time each week and distract from core business activities.
2 – No data purging process in place
Data purging is the permanent and irreversible removal of data and is an important part of any compliance initiative. It can help companies to meet GDPR compliance guidelines around the following areas.
- Right to erasure, sometimes referred to as ‘the right to be forgotten’ – Under GDPR, individuals can now request that their personal data be deleted from company systems.
- Lawful basis for processing – Companies should only process data that is necessary for a specific purpose.
- Data minimization – Companies should ensure that the personal data they process is relevant and limited to what is necessary.
- Storage limitation – There should be a company policy that includes the organization’s standard data retention periods, after which data should be purged.
- Purpose limitation – Companies should have a clear reason for any personal data that is processed.
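The following is an added example, not part of the original guide, showing how a purging process can enforce the storage limitation and right-to-erasure points above in Python. The retention schedule, the salt, and the sample records are all constructed for illustration; a real schedule would come from the company's retention policy. The purge log keeps only a salted hash of the subject identifier so the company can evidence that a purge happened without retaining the personal data it just removed.

```python
import hashlib
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed retention schedule: how many days each processing purpose may keep data.
# These figures are hypothetical; a real schedule comes from the company's retention policy.
RETENTION_DAYS = {
    "employee_onboarding": 365 * 6,
    "tenant_onboarding": 365 * 2,
    "marketing_consent": 365,
}

# Hypothetical salt so the purge log references subjects pseudonymously.
LOG_SALT = b"example-salt-rotate-in-production"


@dataclass
class PersonalRecord:
    subject_id: str
    purpose: str
    collected_on: date
    erasure_requested: bool = False  # set when the subject exercises the right to erasure


def retention_expiry(record):
    """Date from which the record must no longer be kept for its purpose."""
    if record.purpose not in RETENTION_DAYS:
        # Storage limitation: data held for an unknown purpose has no defined retention period.
        raise ValueError(f"no retention period defined for purpose {record.purpose!r}")
    return record.collected_on + timedelta(days=RETENTION_DAYS[record.purpose])


def purge_reason(record, today):
    """Return why the record must be purged today, or None if it may still be kept."""
    if record.erasure_requested:
        return "erasure_request"
    if today >= retention_expiry(record):
        return "retention_expired"
    return None


def subject_reference(subject_id):
    """Salted hash so the log can evidence a purge without keeping the identifier itself."""
    return hashlib.sha256(LOG_SALT + subject_id.encode()).hexdigest()[:16]


def run_purge(records, today):
    """Split records into those to keep and a log of those purged.

    The purged records themselves are dropped; only the pseudonymous log entry survives.
    """
    keep, log = [], []
    for record in records:
        reason = purge_reason(record, today)
        if reason is None:
            keep.append(record)
        else:
            log.append({
                "subject_ref": subject_reference(record.subject_id),
                "purpose": record.purpose,
                "reason": reason,
                "purged_on": today.isoformat(),
            })
    return keep, log


def sample_records():
    """Constructed sample data; the subject identifiers are placeholders."""
    return [
        PersonalRecord("s1", "employee_onboarding", date(2017, 1, 1)),
        PersonalRecord("s2", "tenant_onboarding", date(2023, 6, 1)),
        PersonalRecord("s3", "marketing_consent", date(2023, 12, 1), erasure_requested=True),
        PersonalRecord("s4", "marketing_consent", date(2023, 3, 1)),
    ]


def demo(today_iso="2024-01-01"):
    """Run the purge over the constructed sample as of the given date."""
    return run_purge(sample_records(), date.fromisoformat(today_iso))


if __name__ == "__main__":
    kept, purged = demo()
    print(f"kept {len(kept)} records, purged {len(purged)}")
    for entry in purged:
        print(entry)
```

Running the script as of 1 January 2024 purges the 2017 onboarding record (retention expired) and the record whose subject asked for erasure, and keeps the other two. A record with a purpose missing from the schedule raises an error rather than being silently kept, which is the storage-limitation failure mode a purge job should surface.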
3 – Company does not offer terms and conditions before collecting personal data
While GDPR does not make any mention of Terms and Conditions, it is still best practice for a company to make users or applicants agree to Terms and Conditions before collecting any personal data. Terms and Conditions agreements act as a legally binding contract between a company and a person and can offer companies an extra layer of protection.
4 – Employees storing personal data on their personal devices
As the number of companies offering flexible and remote working opportunities increases, so too does the risk of personal data management errors. Personal data, such as that gathered from a new employee, should not be stored on employee personal devices. Employees who work from home or are part of a bring your own device (BYOD) initiative should all have their machines equipped with the necessary security systems, and any personal data collection should adhere to a compliant company-wide process.
5 – No GDPR or data compliance training
One surefire way companies can get themselves into trouble is by not training their employees adequately on how to collect and manage personal data. Employees need to be acutely aware of their company’s policies and procedures on personal data collection and processing. GDPR non-compliance fines are increasing, and companies who fail to train their employees on data compliance are leaving themselves in a vulnerable position.
Personal Data Statistics
As you develop your understanding of the post-GDPR personal data protection environment, there are a number of statistics worth bearing in mind. What we are seeing now are heightened consumer expectations around the way companies manage their personal data.
- A report by RSA found that 64% of consumers blame the company and not the hacker in the event of a data breach.
- The Ponemon Institute found that 74% of internet users feel they have no control of their own personal data.
- Worldwide, 67% of internet users are more concerned about their online privacy than they have ever been.
- Statista found that 21% of email and social media users have been cyberattacked at least once, with 6% having suffered reputation damage and 12% having been harassed online.
- A study carried out in 2019 by Javelin reveals that 14.4 million people were victims of identity fraud in 2018, causing them to spend an average of $1000 and 330 hours trying to recover their identity.
- A study conducted by Pew Research Center revealed that 81% of Americans are concerned about companies collecting private data.
- Pew Research Center also found that 86% of Americans have taken steps to reduce their online footprint.
- 45% of internet users do not open emails from strange addresses.
- A study by Pew Research Center found that 93% of Americans considered it of importance that they could control who could access their personal data.
- Email accounts for 92% of malware infections according to articles by Verizon.
- Research from the Pew Research Center shows that 75% of Americans want increased regulations around the way businesses manage their personal data.
Personal Data Collection Best Practices
To help keep your company on the right side of the compliance regulations there are a number of personal data collection best practices you should adhere to.
1 – Audit current systems and personal data collection processes
A good first step is to do some analysis on the state of your company’s current personal data collection processes. Three key points to bear in mind during this analysis are security, compliance, and efficiency. If your current process falls down in any of these areas, you should start developing a plan to update your processes and systems.
A classic example we still see is companies using tools like email, Whatsapp, and SMS to collect personal data and documents from clients. The key takeaway here is that these tools were never designed for this purpose, and companies are leaving themselves wide open to security and non-compliance risks. As we have already covered, research from Verizon has shown that 92% of malware infections emanate from email.
2 – Build the business case for better personal data management internally
If your company’s current personal data collection process is not up to scratch, you will most likely need to invest in the correct systems and training to eliminate any potential risks. These types of costs are not always the easiest to find a budget for internally. Revenue, and ultimately, the bottom line is generally the main priority for companies – whereas compliance tools and initiatives might previously have been seen as a necessary evil which companies had to cover the cost of.
If you are the person tasked with personal data compliance and security, then it is up to you to build the business case internally to get the budget you need to update outdated and insecure processes. One place to start here is by reframing the conversation around compliance in your organization. Tiffany Archer, Global Head of Compliance at Pall Corporation articulated this expertly when she said:
“Traditionally compliance is viewed as a cost center, but in reality, it’s a ‘Revenue Protection Center’.”
Some other best practices for building the internal business case for compliance investment include:
- Focus on key data points: Do not get lost in the data as you try to build support for your compliance initiatives. The executive summary is so-called for a reason. Provide the key stakeholders with key data points around cost, time-to-value, risks, and, most importantly, the cost of doing nothing.
- Future proofing: Demonstrate how your initiative can help the company remain compliant into the future in an evolving regulatory environment. You can also pinpoint cost savings your team has already made as well as future costs you can help your company avoid.
- Build cross-functional support: The best compliance initiatives are those that are embedded into strategic initiatives – providing risk guidance during the planning stage.
3 – Perform a Relationship Health Check
In addition to analyzing your current systems and processes, you should also perform a relationship health check to see how any vendors or consultants your company works with are managing personal data. For instance, if your HR team is working with an outsourced recruiting agency to find new candidates, you will need to be clear on the way personal data flows between the two organizations and how it meets compliance requirements. HR systems, CRMs, and marketing automation tools may all hold personal data and should be analyzed as part of your relationship health check.
4 – Ongoing Training
Employees should be trained in how to manage and process personal data in a compliant manner. It is best practice to tailor training to each role and to how the employee interacts with personal data. It is now the norm at many companies for employees to refresh their training on a regular basis throughout the year.
5 – Create a Data Log
Data logs are an important step towards full compliance and can help your company show GDPR/CCPA compliance in the case of an audit. It is vital to be able to show the flow of personal data and identify all data sources. A data log can also help the recovery process if there is ever a breach at your company.
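As an added illustration, not part of the original guide, the Python below sketches a data log of the kind described above: an append-only register of how personal data flows from its sources into the systems that hold it, each entry tagged with purpose and lawful basis. Two queries show what the log buys you in practice: listing the original data sources, and, when a given system is breached, working out which categories of data are exposed and which upstream sources fed it. The system names, categories and flows are constructed sample data.

```python
from dataclasses import dataclass
from datetime import datetime

# The six GDPR lawful bases (Article 6); the guide above lists them under other names.
LAWFUL_BASES = {
    "consent", "contract", "legal_obligation",
    "vital_interests", "public_task", "legitimate_interests",
}


@dataclass(frozen=True)
class DataFlow:
    recorded_at: datetime
    source: str         # where the data came from: a form, or another system
    system: str         # the system that now holds a copy
    category: str       # kind of personal data, e.g. "bank_details"
    purpose: str        # why it is processed there
    lawful_basis: str   # must be one of LAWFUL_BASES


class DataLog:
    """Append-only register of how personal data moves between systems."""

    def __init__(self):
        self._flows = []

    def record(self, flow):
        # A flow without a recognised lawful basis is rejected at logging time,
        # so the gap is caught when the data moves rather than at audit time.
        if flow.lawful_basis not in LAWFUL_BASES:
            raise ValueError(
                f"unknown lawful basis {flow.lawful_basis!r} for {flow.category} into {flow.system}"
            )
        self._flows.append(flow)

    def data_sources(self):
        """Entry points: sources that are never the destination of another flow."""
        destinations = {f.system for f in self._flows}
        return sorted({f.source for f in self._flows} - destinations)

    def affected_by_breach(self, system):
        """(category, purpose) pairs exposed if `system` is compromised."""
        return {(f.category, f.purpose) for f in self._flows if f.system == system}

    def upstream_sources(self, system):
        """Walk the flow graph backwards to find every source that feeds `system`."""
        seen, todo = set(), [system]
        while todo:
            current = todo.pop()
            for f in self._flows:
                if f.system == current and f.source not in seen:
                    seen.add(f.source)
                    todo.append(f.source)
        return sorted(seen)


def sample_log():
    """Constructed sample flows: HR onboarding feeding payroll, and tenant data feeding marketing."""
    log = DataLog()
    t = datetime(2024, 1, 15, 9, 0)
    log.record(DataFlow(t, "onboarding_form", "hr_database", "identity", "employee_onboarding", "contract"))
    log.record(DataFlow(t, "onboarding_form", "hr_database", "bank_details", "payroll", "contract"))
    log.record(DataFlow(t, "hr_database", "payroll_vendor", "bank_details", "payroll", "contract"))
    log.record(DataFlow(t, "rental_application", "tenant_db", "identity", "tenant_onboarding", "contract"))
    log.record(DataFlow(t, "tenant_db", "marketing_tool", "email", "newsletter", "consent"))
    return log


if __name__ == "__main__":
    log = sample_log()
    print("data sources:", log.data_sources())
    print("exposed if payroll_vendor is breached:", log.affected_by_breach("payroll_vendor"))
    print("upstream of payroll_vendor:", log.upstream_sources("payroll_vendor"))
```

If the outsourced payroll vendor in the sample reports a breach, the log answers two questions an incident response needs immediately: which data categories and purposes were exposed (here, bank details processed for payroll) and which internal systems and collection points sit upstream of the vendor, which is exactly the relationship-health-check information the previous best practice asks for.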
10 Great Personal Data Collection and Compliance Tools
One way companies can move towards full data compliance is by leveraging tools which were built specifically for the collection of personal information and documents. Compliance covers a wide spectrum and other tools in this space help companies to manage risk, ethics, legal compliance and audits. As you consider which software to implement in your organization, we have put together a list of 10 great tools that can help your company achieve full data compliance. Note, the list below is in no particular order.
PlanetVerify helps streamline personal data collection in an efficient and secure way while satisfying key compliance standards, for multiple industries and applications.
- Powerful data management: Legally compliant data collection that is automated and runs through a versatile dashboard that runs all the tasks you need.
- Brings your data under your control: PlanetVerify provides a secure and compliant platform that streamlines how your business works by allowing you to handle data from a single secure system, and this translates to saving time and money as well. This platform also enables you to customize a range of forms and processes to your liking.
- One platform, many applications: Cuts across the fields of human resources, rent, and property, and accounts and finance.
OneTrust connects Privacy, Governance, Risk, and Compliance (GRC), ethics and Environmental, Social and Governance (ESG) teams, data, and processes, to enable seamless collaboration built upon trust.
- Compliance maturity test: Measures your compliance capabilities against those of other companies in your industry, to spot the gaps you might have and the areas where you are doing well.
- Regulatory intelligence: Driven by the world’s largest privacy research, OneTrust incorporates intelligent configurations, templates, workflows, and suggestions.
A cloud-based platform that provides intelligent privacy law compliance, by enabling collaboration and teamwork that catalyzes risk management, documentation, oversight, and audit.
- Governance documentation: Provides policy and notice templates and helps store them centrally.
- Data breaches: Record and assess the extent of a data breach and follow actions to curb a breach incident in the near future.
- Data Mapping: Helps you to record the types of data you collect and where the processing happens. Visualization tools help facilitate understanding in the data mapping process.
A cloud-based platform designed to seamlessly connect and monitor critical aspects of a business process.
- Process automation: with an ability to capture financial, operational, reputational, and third-party risks as they surface. It also has ready-to-flow templates that facilitate ease of workflow across teams.
- Analytics: Has a unique capability to customize dashboards by the user, group, and role.
- Business formulas: Helps calculate values and scenarios automatically, project financial gain or loss, and help other teams measure impact. One interesting point to note about this feature is that you can create your own formulas, meaning there is no need to write Python code or hire a data scientist.
Securiti enables organizations to discover sensitive data across multi-cloud, SaaS and on-premise environments, protect it and automate all privacy functions.
- Sensitive data intelligence
- Data mapping automation
- Vendor risk management
- Assessment automation
- Expert bot assistance
It is a cloud-based workflow management tool that focuses on critical risk, compliance, and audit.
- Assessment Management: With this, you are able to collaborate with stakeholders seamlessly, leverage one piece of evidence and use it for multiple audits and assessments, manage compliance issues and see what controls apply to a framework.
- Audits: Operational, compliance and IT audits.
- Risk-management: Both operational and third-party
Wired Relations is a privacy tool for GDPR and Information Security Management, which helps to automate and collaborate on your privacy workflow.
- Automated: Reports are auto-generated, and you receive a notification when tasks, controls, and audits are due, so the process runs smoothly and saves you time and manual effort.
- Collaborative: Inside the privacy workflows, the main stakeholders like IT, system owners, and even users can work together smoothly.
- Intelligent systems: It has built-in tools that sharpen accuracy, ensure consistency and connect your work.
LogicGate Risk Cloud offers extensive risk management capabilities and works as a central location for your GDPR compliance data controls.
- Regulatory Compliance: It has a suite of pre-built applications that transform how you manage GRC processes by combining expert-level content and service with easy, no-code technology. You also stay updated with the latest in laws and policies.
- Internal audits: With precision and speed, you are able to perform due diligence, so that whoever is in charge of your internal audit has all they need to spot the loopholes and correct them efficiently.
- Data privacy: Risk Cloud helps you to stay on top of the changing regulations that apply to your business, thereby safeguarding personal data.
Netwrix Auditor was built to focus on vulnerabilities and potential risks.
- Compliance: challenges brought about by the complex process of compliance are solved by ensuring efficient security investigations, saving audit time by up to 85%, and passing audits in the first attempt.
- More data control: With the Netwrix information governance solution, you can reclaim control over your data and make your information governance policies work.
- Ransomware protection: dramatically reduce your risk of a ransomware infection, and stop an attack that gets through before it kidnaps your data and destroys your business.
A single solution for cyber security and data privacy.
- Identify GDPR compliance gaps and prioritize resources with GDPR Manager.
- Manage your compliance activities in one central place to improve control and compliance.
- Keep track of data security compliance requirements of critical UK laws and information security frameworks.
The Future of Personal Data Collection
In just a few years, GDPR was able to bring a revolution to the entire world that resulted in transparency and fairness, better customer protection, and stronger control over how companies manage personal data. We anticipate that the regulatory pressure companies face will continue to increase. We now know that over three quarters of the world’s countries have either drafted or introduced regulations around data privacy.
Personal data collection is – and will remain – one of the core pillars of data privacy. Awareness of personal data regulations will continue to grow among consumers and companies will face increased scrutiny about the manner in which personal data is collected and processed.
We are entering into a period in time where non-compliance risk is at its greatest. Total annual GDPR fines are entering into the billions and companies who are still reliant on legacy tools and processes to collect personal data are leaving themselves extremely vulnerable to security and non-compliance risks. For these companies, the time to act is now.