August 29, 2019

Last Updated on January 12, 2024

Let’s take a walk down memory lane… as an adolescent attending Rutgers University (attempting to determine what I wanted to do with the rest of my life) I changed my major to Finance midway through college. I figured Finance is all about money and I certainly wanted some (or a lot) of that… I’m a simple person, clearly.
Moving into a field that was unknown to me provided some significant initial challenges. It was a simple problem; I didn’t fully grasp the new language I was immersed in. Finance has its own vocabulary and you need to know it to understand a lecture, read a book or have a quality conversation on the subject.
From what I’ve seen in client engagements, information security and IT practitioners need to get over a similar speed bump when it comes to data privacy legislation like GDPR or CCPA. You need to wrap your mind around the terminology before you can understand compliance requirements and/or make solid decisions about privacy policies and controls.
Based on what clients are asking about during our meetings, here are definitions and explanations for some key terms I hope will help you “speak privacy” a little better:

Consent

A cornerstone of privacy rights is that people must be able to prevent you from collecting their personal data (unless disclosure is required by law). Consent is the process by which a person gives you permission to use or disclose his or her data. Consent can be “affirmative” (actively communicated) or “implied” (e.g., not opting out).

Cookie policy

Cookies are small text files that websites place on visitors’ hard drives. They’ve been around for a long time, technologically speaking. But lately they are at the center of debate and legislation, because they contain personal information and can track user behavior, both of which make them a privacy risk. Even a unique device ID or customer number held within a cookie is considered personal data under CCPA/GDPR, because it can be traced back to a unique person.
Basically, a cookie policy is just a declaration to visitors to your website about what cookies are active, what user data they track and why they track it, how the data is used and where it is sent. Your cookie policy should also explain how users can opt out or change their settings around “getting cookies.” A cookie policy can be a standalone document, or a section of your privacy policy.

Data mapping

Data mapping is arguably the foundation of GDPR or CCPA compliance. To protect an individual’s personal data, you need to know (and be able to show an auditor) what data you collect, how you use it, where you store it, and how it moves through your organization. Whether you can get by with just a spreadsheet or need sophisticated data mapping software, your data map will probably encompass:

  • What personal data you collect and why you collect it
  • The “legal basis” (a GDPR term) for processing the data you collect
  • Where personal data is stored, and for how long
  • Sources of personal data
  • What “processing activities” act on personal information
  • What external parties have access to the personal information, or that you share or sell it to
  • How you use personal information
  • How you protect and control personal data to prevent exfiltration, inappropriate sale or distribution, etc.
  • Where you transfer personal information outside your organization

Personally Identifiable Information (PII)

To comply with privacy regulations, it’s important to know what data you need to protect. In the US we talk about PII, which is data that directly identifies or can be traced back to an individual. This can include someone’s name, Social Security Number, phone number, physical address, email address and so on.
The EU equivalent term is personal information or PI. And guess what? The two don’t quite match up. All PII is PI but not all PI is PII, because the GDPR defines PI to cover a broader spectrum of data; e.g., online identifiers and other data that indirectly identifies individuals when linked to other PI.
Here’s how the GDPR broadly defines personal data (which is the same thing as PI):
‘Personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.
Similarly, the CCPA defines personal information thusly:
“Personal information” means information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household.
The takeaway here is both laws state that direct and indirect (online) identifiers must both be managed and protected.

Privacy policy

A privacy policy (also sometimes called a data protection policy) is first and foremost an internal document. Its purpose is to govern how your organization handles and makes decisions about personal information. For example, it can instruct employees on how to properly collect, store, use and destroy data. It can also cover the rights of data subjects regarding their data.
Versions of privacy policies are also shared externally with customers, website visitors and other stakeholders, typically via a website, to inform site visitors about how the website acquires, stores and uses their personal data.

Pseudonymity or pseudonymous data

Pseudonymity is a cryptographic concept similar to an alias or pseudonym, which concerns the ability to consistently prove or arrive at someone’s identity without revealing his or her actual name. Unlike anonymity, where a person’s identity is unknown, pseudonymity creates a “virtual identity” that can be used consistently, but without knowing or linking to the actual person or other entity.
For example, other users and automated remailers can reply to pseudonymous email senders. Likewise, reputational systems like eBay enable pseudonymous users to acquire reputations.
Most web applications that offer pseudonymity retain personal data about actual users. GDPR therefore classifies pseudonymous data as personal data.
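To make the pseudonymity idea concrete, here is a small added Python example (not code from the original post or from Pivot Point Security) of keyed pseudonymization. The sample records, the email addresses and the keys are all constructed for illustration. It shows the two properties the definition above describes: a pseudonym is consistent, so records about the same person can be correlated (reputation, replies) without the identifier itself appearing in the dataset, yet whoever holds the key can still map pseudonyms back to people, which is why GDPR still treats such data as personal data.

```python
import hashlib
import hmac
import secrets

# Constructed sample records; the people and addresses are not real.
SAMPLE_USERS = [
    {"email": "alice@example.com", "purchases": 3},
    {"email": "bob@example.com", "purchases": 1},
    {"email": "Alice@Example.com ", "purchases": 2},  # same person, sloppy input
]


def pseudonymize(identifier: str, key: bytes) -> str:
    """Derive a stable pseudonym for an identifier using HMAC-SHA256.

    The same (identifier, key) pair always yields the same pseudonym, so the
    pseudonym works as a consistent "virtual identity". A keyed MAC is used
    rather than a bare hash: email addresses form a small, guessable space,
    so an unkeyed SHA-256 of them could be reversed by trial hashing.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def pseudonymize_records(records: list, key: bytes) -> list:
    """Replace the direct identifier in each record with its pseudonym."""
    out = []
    for record in records:
        copy = dict(record)
        copy["subject"] = pseudonymize(copy.pop("email"), key)
        out.append(copy)
    return out


def purchases_per_subject(pseudonymized: list) -> dict:
    """Aggregate per pseudonym: consistent pseudonyms keep records linkable."""
    totals: dict = {}
    for record in pseudonymized:
        totals[record["subject"]] = totals.get(record["subject"], 0) + record["purchases"]
    return totals


def build_reidentification_table(identifiers: list, key: bytes) -> dict:
    """What the key holder (the data controller) can still do.

    With the key, pseudonyms map straight back to the original identifiers.
    Under GDPR this key is the "additional information" that must be kept
    separately, and its existence is why the data remains personal data.
    """
    return {pseudonymize(i, key): i.strip().lower() for i in identifiers}


def linkable_across_datasets(identifier: str, key_a: bytes, key_b: bytes) -> bool:
    """Two datasets share pseudonyms (are linkable) only if they share a key.

    Using a different key per purpose or per dataset prevents joining them.
    """
    return pseudonymize(identifier, key_a) == pseudonymize(identifier, key_b)


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # constructed; in practice stored in a KMS/HSM
    pseudo = pseudonymize_records(SAMPLE_USERS, key)
    print(purchases_per_subject(pseudo))          # two subjects, alice totals 5
    print(build_reidentification_table([u["email"] for u in SAMPLE_USERS], key))
    print(linkable_across_datasets("alice@example.com", key, secrets.token_bytes(32)))
```

The design choice worth noting is the per-purpose key: one key shared everywhere makes every pseudonymized dataset joinable, which quietly rebuilds the profile the pseudonymization was meant to avoid, so a data map should record which key protects which dataset alongside where that key lives.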
It is certainly becoming more challenging to comply with privacy regulations. Knowing the “Language of Privacy” is a logical precursor to developing a holistic approach to addressing it.
If your business is concerned about compliance with GDPR, CCPA or other emerging privacy regulations that are sure to come, contact Pivot Point Security. We can make achieving compliance simple.