For the purpose of compliance with the applicable privacy and data protection (P&DP) laws, data classification plays an essential role in the operational control of the elements that feed P&DP compliance.
This means that classification should trace not only the “nature” of the data but also its relationship with the “P&DP law context” in which the data will be processed.
In fact, P&DP compliance, and especially the security measures these laws require, can always be expressed at least in terms of a set of primary entities:
- Scope and purpose of the processing: This generally represents the main footprint that influences the whole set of typical P&DP compliance obligations.
For example, processing for “administrative and accounting purposes” requires fewer security measures and fewer obligations toward the data subjects and the data protection authorities than the processing of telephone traffic/internet data for the purpose of mobile payment services. This is because the cluster of data processed (personal data of the subscriber, their billing data, the kind of objects purchased) is of more critical value for all the stakeholders involved; P&DP laws consequently impose more obligations and a higher level of protection.
- Classification categories of the personal data to be processed: Note that here the category of the data means the type of data as identified for the purpose of a P&DP law, and this is usually quite different from the “nature” of the data, that is, its intrinsic and objective value. In this sense, categories of data can be:
- Personal data
- Sensitive data (health, religious beliefs, political beliefs, sexuality, etc.)
- Biometric data
- Telephone/internet data
- Categories of the processing to be performed: From the point of view of the P&DP laws, processing means an operation or a set of combined operations that can be materially applied to data; in this sense, processing can be one or more of the following operations:
- Collection
- Recording
- Organization
- Selection
- Retrieval
- Comparison
- Communication
- Dissemination
- Erasure
Derived from the above, a secondary set of entities is relevant for P&DP compliance. Geographic location restrictions on the movement of data may also need to be considered.
Categories of users allowed: Accessibility of data for a specific category of users is another essential feature of the P&DP laws. For example, the backup operator role should not be able to read any data in the system, even though it must interact with all system data in order to back it up.
Data retention constraints: Most of the categories of data processed for specific scopes and purposes must be retained for a determined period (and then erased or anonymized) according to the applicable P&DP laws.
For example, there are data retention periods to be respected for the access logs recording the accesses made by the system administrator role, and there are data retention periods to be respected for the details of the profiles built from the “online behavior” of internet users for marketing purposes. If a legal ground for retention applies (also referred to as a legal hold), further processing or handling of the data remains lawful once the retention period has ended.
Security measures to be ensured: The type of security measures can vary widely depending on the purpose and on the data to be processed. Typically, these are expressed in terms of:
- Basic security measures to ensure a minimum level of security regardless of the type of purpose/data/processing
- Specific measures according to the type of purpose/data/processing
- Measures identified as the output of a risk analysis process, to be operated by the controller and/or processor considering the risks of a specific (technical, operational) context that cannot be mitigated with the measures of the previous points
Proper classification of the data in terms of security measures provides the basis for any approach to control based on data leakage prevention and on data protection processes.
Data breach constraints: Several P&DP laws around the world already provide for specific obligations in the event of a data breach. These obligations essentially require:
- Notifying the competent DPA within tight time limits
- Notifying the data subjects in certain cases as set forth by law
- Following a specific incident management process, including activating measures aimed at limiting the damage to the data subjects concerned
- Maintaining a secure archive (record) of the data breach that occurred
Therefore, a classification of the data that takes into account the operational requirements arising from the data breach constraints becomes essential, especially in the cloud services context.
Status: Because of events such as data breaches, data could be left in a specific state that requires several actions, or in a state where certain actions are prohibited.
The clear identification of this status as part of data classification can be used to direct and oversee any further processing of the data according to the applicable laws.
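As an added example (not part of the original text), the following Python sketch models a classification label that carries the entities described above (purpose, data category, allowed user categories and operations, retention, legal hold, status) and derives from it an access decision, the retention state and the breach obligations. The field names, the sample values and the rule that data subjects are notified for the sensitive, biometric and telephone/internet categories are assumptions, not taken from any specific law.

```python
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical classification label carrying the P&DP entities discussed above.
# Field names, sample values and the notification rule are assumptions, not taken
# from any law or from the original text.
@dataclass
class ClassificationLabel:
    purpose: str                   # scope and purpose of the processing
    category: str                  # personal | sensitive | biometric | telephone_internet
    allowed_ops: dict              # user category -> set of permitted processing operations
    collected_on: date
    retention_days: int
    legal_hold: bool = False       # legal ground for retention beyond the period
    status: str = "normal"         # normal | breached

    def may_perform(self, user_category: str, operation: str) -> bool:
        """Access decision derived from the label: the backup operator is granted
        'recording' (copying) but never 'retrieval' (reading) of the data."""
        return operation in self.allowed_ops.get(user_category, set())

    def retention_expired(self, today: date) -> bool:
        return today > self.collected_on + timedelta(days=self.retention_days)

    def required_actions(self, today: date) -> list:
        """Actions the label demands now, from retention state and breach status."""
        actions = []
        if self.retention_expired(today) and not self.legal_hold:
            actions.append("erase_or_anonymize")
        if self.status == "breached":
            actions.append("notify_dpa")
            # Assumption: subject notification is owed for the higher-risk categories.
            if self.category in {"sensitive", "biometric", "telephone_internet"}:
                actions.append("notify_data_subjects")
            actions.append("archive_breach_record")
        return actions


# Constructed sample: subscriber traffic data processed for mobile payment services.
SAMPLE = ClassificationLabel(
    purpose="mobile_payment_services",
    category="telephone_internet",
    allowed_ops={"billing_clerk": {"retrieval", "comparison"},
                 "backup_operator": {"recording"}},
    collected_on=date(2023, 1, 10),
    retention_days=365,
    status="breached",
)
```

Calling `SAMPLE.required_actions(date(2024, 6, 1))` yields the erasure obligation plus the three breach obligations; setting `legal_hold=True` suppresses the erasure while keeping the breach handling.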