In our first article, you were able to read what the AVG says about customer privacy. In this article, we zoom in on the potentially traceable data your organization has and how to identify it.
Inventory the types of data you maintain
There are several types of personal data available within your company:
- Regular personal data, such as name, address, place of residence, zip code, date of birth, gender, customer number and the like.
- Special personal data, such as health data, etc.
- Sensitive personal data, such as bank account numbers, etc.
To minimize risks, we distinguish between personal data that enable identification of a person and personal data that can be analyzed independently of a person (e.g., as a process):
In addition to the examples in the table above, organizations may have personal data because customers use so-called open text fields. For example, people often leave their contact information in a comment box because they can’t find the contact form. The type of information that can occur in an open field determines the approach needed to ensure privacy. In doing so, the information value of an open field for analysis or reporting is not necessarily lost. So it is important for organizations to be extremely careful with this information.
A distinction is also made between directly and indirectly identifying data. This distinction is not explicitly described in the AVG, but it is made with the approval of the CBP in the “Code of Conduct on the Use of Personal Data in Scientific Research. Directly identifying data include BSNs that uniquely identify a person. Indirectly identifying data are zip codes or dates of birth.
Note: When you combine data, it’s almost always obvious who it is. Research indicates that a combination of three or four indirectly identifying data stored in aggregate form (such as zip code, age, gender, etc.) can lead to an identification of a (natural) person.
Discover privacy-sensitive data? For example, work with regular expressions
Regular expressions (RegEx) are available within most programming languages and help identify sensitive data. These might include e-mail addresses, dates, BSNs or credit card information. If your organization does not have sufficient tools and/or expertise in data management (such as data dictionaries), regular expressions can assist in defining personal data.
In our latest article, we’ll take a closer look at some of the functional possibilities for which you can use regular expressions.
Stay tuned!
Want to be notified of our next articles on this topic? Follow us on LinkedIn.
Stay tuned >
Contact
Want to know more about this topic? If so, please contact Michaela Legerstee or Jeroen Groothedde using the contact information below.
Michaela Legerstee, Senior Consultant
+31 6 31 00 52 81
m.legerstee@cmotions.nl
Jeroen Groothedde, Senior Consultant
+31 6 22 88 89 98
j.groothedde@cmotions.nl
Michaela Legerstee
