The way companies use personal data is somewhat reminiscent of how people approach their wardrobes.
You start buying clothes of a particular style or brand, but over time, your sense of fashion changes, and you buy based on new needs and desires. The use of personal data works in the same way, as companies collect data for one purpose and then use it differently as new needs arise. In both instances, the sudden change in direction merits some type of justification, and that’s especially the case with personal data.
U.S. Federal Communications Commission Senior Agency Official for Privacy John Williams, CIPP/G, CIPP/US, said while a company’s revolutionary new product concept might bring endless possibilities, privacy professionals within the organization are left managing what those changes mean for data, and, specifically, the safekeeping of it. An important data management consideration discussed by Williams and his co-panelists at the IAPP’s Privacy. Security. Risk. conference last week in Las Vegas was compatibility requirements set out by the EU General Data Protection Regulation and those within the California Consumer Privacy Act.
Compatibility begins and ends with how an organization decides to repurpose previously collected data. Williams said when an organization chooses to repurpose data, it must do so in a way that is compatible with the reason it was collected in the first place. He added that an organization is responsible for updating those definitions and obtaining data subjects’ consent when the data is repurposed and not compatible. Those updates only apply under the longstanding purpose limitation principle, which Williams said organizations have mostly respected.
“The good news with the implementation is that there’s some space within the [limitation principle],” Williams said. “Given the realities of how organizations collect and manage their data, there needed to be some flexibility.”
That flexibility proved to be a compatible-use clause, which aimed to help organizations by allowing themÂ to use repurposed data without consent when the new purpose remained somewhat in line with the original purpose. The panel went through enforcement actions by the U.S. Federal Trade Commission, GDPR guidance and court cases to explain instances of success and failure in organizations’ compatibility efforts.
Google Senior Privacy Counsel Troy Sauro acknowledged that transparency is one of the most obvious keys to maintaining compatibility.
“It resonates with people when you’re trying to explain to them why it’s important to cabin the collection and use of data to something that is reasonably tethered to the service you’re providing,” said Sauro, who spelled out the disconnect using the example of a hypothetical flashlight app collecting geolocation when a user turns the light on, which is neither a transparent nor necessary collection.
Sauro went into detail about how privacy professionals can help their organizations stay on top of compatibility. Getting involved in product development, proper documentation and effective monitoring of data use can all work to an organization’s advantage, he said. Being part of the development phase allows a privacy professional to better communicate on the ground level, and it allows for future-proofing privacy programs and policies.Â
But documentation is a greater tool for long-term compatibility alignment.
“Documentation isn’t as much of an eye-opener to people with all the pressure GDPR put on to folks to get documentation in place under accountability frameworks and DPIAs in place,” Sauro said. “But having a place to go back to and say, ‘This is what we said the data is used for, but now we’re proposing to use it this way,’ allows you to run the traps on things.”
Documentation also requires cross-team monitoring, which Sauro said allows for organizations to call back to what has been said previously.
Monitoring is the toughest of the three pillars, in Sauro’s opinion, given that it can be different for every company. He suggested regular check-ins or meetings with the people who own the purpose representations.Â Tools and engineered solutions that can send out alerts can also be useful, he said.
Brett Cohen, a partner in Hogan Lovells’ privacy and cybersecurity group, took Sauro’s principlesÂ on changing privacy policies and notices in the event of data repurposing a step further. Cohen said he would try to take the wordÂ “ensure” out of as many documents as possible. Retroactive or prospective material changes to a policy or notice both have pitfalls.
“Looking at material changes with data uses, you’re going to have to actively communicate the change,” Cohen said. “You have someone thinking you were going to use their information for X purposes, and now there’s a change. Even if it’s going forward, you have to let users or consumers know, and give them the opportunity to opt out or cancel their service. Those are tough discussions, but you want to avoid having to get consent and FTC issues down the road with such a significant change.”Â