Privacy compliance for big data initiatives
January 2015 | SPOTLIGHT | DATA PRIVACY
Financier Worldwide Magazine
While big data presents tremendous opportunities for businesses, it also raises numerous legal compliance issues arising out of the collection, use, storage and sharing of personal information. There are two fundamental characteristics of big data which make it different: (i) the analysis of big data is often for a purpose different from the original purpose for which the data was gathered; and (ii) the volume of data used for big data purposes can be vastly greater than that found in traditional structured databases.
The following best practices can be utilised for implementing a privacy compliance program for big data initiatives.
Develop a data inventory
The first step is to develop an inventory of personal information that will be collected from individuals or from third parties about the individuals: a data inventory.
The data inventory should identify the personal information to be used in the initiative, such as name, address, telephone number, age, gender, etc. The inventory should specifically identify the use of sensitive personal information, such as Social Security number, driver’s licence number, financial information (e.g., credit card and bank account information), health information, and information about sexual behaviour or orientation.
It should also identify how the personal information is collected. For example, is the information collected mainly by individuals directly from the consumer, or through automated means such as over the internet, a mobile app or other online mechanisms? The method of collecting the information can affect the applicable laws and the legal issues to be considered.
The data inventory should record where the data is stored, both in terms of systems and geographically. For example, will the data be stored on the company’s servers or with a third-party hosting service provider? Additionally, will the information be stored in the United States or in a foreign jurisdiction? Generally speaking, the European Union has more comprehensive and restrictive data privacy laws than the US.
In addition, it should identify the purpose and intended use of the personal information. For example, using personal information for marketing purposes implicates many more legal compliance issues than merely using the personal information to deliver a product or service to the consumer.
Finally, the data inventory should note the individuals inside and outside the organisation who will need access to the personal information. Restricting access to personal information to those employees, contractors and service providers who have a legitimate need to know the information is an important aspect of privacy and security compliance.
Identify applicable sources of legal requirements
With the information collected through the data inventory, the organisation should be able to identify privacy laws, regulations and self-regulatory standards applicable to the collection and use of the personal information.
There are a number of potential sources of applicable legal requirements. Among them are the Fair Credit Reporting Act and the Fair and Accurate Credit Transactions Act (applicable to consumer reporting agencies and users of consumer report information). Companies should keep in mind that they may be considered to be a consumer reporting agency if they compile and sell information used by third parties for credit or insurance underwriting, or for employment hiring and screening purposes.
In addition, the Gramm-Leach-Bliley Act is applicable to financial institutions. The Health Insurance Portability and Accountability Act is applicable to healthcare providers, health plans and healthcare clearing houses. The Children’s Online Privacy Protection Act is applicable to the collection of personal information from children under the age of 13. The Family Educational Rights and Privacy Act is applicable to student records and personal information.
Consumer marketing laws need to be considered. For example, the Telephone Consumer Protection Act applies to telephone marketing and text messages, and for the past several years has been a hotbed of plaintiff class-action claims. Prior express written opt-in consent is required under the TCPA. The CAN-SPAM Act applies to emails and utilises an opt-out framework.
FTC written reports, guidance and enforcement orders and settlements may be applicable. The FTC periodically issues written reports and guidelines which are very useful for modelling privacy and security compliance programs. Additionally, FTC consent decrees and orders should be consulted for further insight into the FTC’s expectations.
The company’s existing privacy policies may come into play. Failure to comply with existing privacy policies can result in enforcement action by the FTC and state attorneys general for unfair or deceptive acts or practices.
Companies need to consider state privacy and security laws. For example, many states have laws that are broader and more restrictive than HIPAA dealing with the privacy of health information. California law contains requirements applicable to online privacy policies, including disclosure of tracking for online behavioural advertising, and the sharing of personal information with third parties for direct marketing purposes. States such as Massachusetts and Nevada have laws with specific data security requirements. Finally, many states such as Florida have recently revamped their security breach notification laws to require companies to provide applicable privacy and security policies to governmental authorities in the event of a breach.
Payment Card Industry Data Security Standards (PCI DSS) may apply. These industry-developed security standards apply to companies that collect, store or process credit card information.
The Digital Advertising Alliance’s Program for Online Behavioural Advertising may be relevant. These self-regulatory standards apply to companies that use advertising networks to track and deliver targeted or online behavioural advertising to consumers.
Finally, the Mobile Marketing Association’s Consumer Best Practices for Messaging are self-regulatory standards applied to the use of text messaging for marketing purposes.
Determine methods for complying with applicable legal requirements
Once the legal requirements have been identified, the organisation can map out its strategies and methods for compliance. This effort may involve answering a number of questions, as outlined below.
Notice. How will the company notify individuals of its personal information collection, use and sharing practices? If the company receives personal information originally collected by a third party, how will the company confirm that the third party has the legal right to disclose the personal information to the company for the intended uses by the company?
Choice. What choices must the company provide under applicable legal requirements, and what choices will the company voluntarily provide although not legally required? If applicable legal requirements mandate express or opt-in consent, how will the organisation obtain that consent? If not legally required, will the organisation obtain express consent to further mitigate its compliance risks? How will individuals exercise their choices?
Access. How will the organisation provide individuals with access to the personal information collected about them?
Accuracy. How will the company verify and maintain the accuracy and completeness of the personal information?
Transfers to third parties. Will the organisation transfer any of the personal information to any third parties? If so, how will the organisation achieve compliance with applicable legal requirements that may restrict the sharing of personal information?
Limiting collection and storage. How will the company limit the amount of personal information collected to only that needed for the identified purposes? What practices and procedures will the company have in place to destroy the personal information when it is no longer needed for the identified purposes, or as otherwise required by applicable legal requirements?
Security. How will the organisation comply with applicable legal requirements and industry standards with respect to security of the personal information? What practices and procedures will the organisation have in place to respond to breaches of privacy or security?
Implement compliance program
Once the company has mapped out the steps to be taken to achieve compliance, it can implement the program.
Gap identification. The company should first identify gaps between its current practices and procedures as compared to the practices and procedures identified during the process described above.
Gap remediation. The organisation should then remediate those gaps by determining how it will modify its business processes to align with the desired compliance requirements.
Documentation. The company should develop applicable policies, notices and operating procedure documents based on the identified compliance requirements and gap remediation activities.
Education and training. The organisation should then educate and train all applicable employee and contractor personnel with respect to the identified steps to achieve compliance.
Periodic assessments and adjustments. Because privacy and security practices change over time, as do the applicable legal requirements and principles, companies should periodically reassess their privacy compliance programs and make adjustments where necessary or desirable.
Chanley T. Howell is a partner at Foley & Lardner LLP. He can be contacted on +1 (904) 359 8745 or by email: chowell@foley.com.
© Financier Worldwide