Thus, it is possible to adapt to the new law, especially for companies with a lot of activity in Digital Marketing.
With digital transformation, the importance of data has become even more relevant, with inevitable dialogues on the topic. Some of these assets are generated from the use of computer systems, by people. However, there is also data regarding the personal life of users, which is used in the applications for certain purposes. We call this personal data.
In recent years, the debate on technological evolution and the processing of personal data has advanced a lot. We have more prepared people in companies and in the Marketing sectors, aware of the limitations and ethical principles behind the concept of privacy.
What is personal data?
The General Data Protection Law was born, above all, with the firm intention of acting to protect this category of data. Therefore, personal data must be properly defined so that we understand the object of study and debate of the new law.
Personal data is data that allows the identification of a specific person. These are assets that, on their own or cross-referenced, allow an individual to be found and referred to. In that sense, they are unique references that distinguish a human being from a mass of people, to allow a specific action.
A common example in Mexico is the ARCO Rights, which state that every person has the right to protect their personal information and, likewise, the rights of access, rectification, cancellation and opposition with respect to it.
In Digital Marketing, an email can be considered personal data, since it is unique and is accessed by a person with a private password. A cell phone number is also a great example. This information allows the company to speak directly with the customer and segment actions, based on an identification.
Other interpretations understand personal data as those that directly impact the individual when used for suspicious purposes. Now, if identifiable data is used for a crime, it is easy to understand how this has a direct effect on the identified person, as they become the object of the incident.
What is sensitive personal data?
In the LGPD and in privacy discussions, new categories of data have emerged. One of them is sensitive data: data that can be used for some type of discrimination or direct harm to the person based on judgments from a moral perspective.
As examples, we have data on political orientation, sexual life and health, biometrics, religious orientation and others. This is private data and, therefore, even more specific.
Thus, this is information that needs greater secrecy and even stricter care on the part of those who process it, according to the GDPR, as we will see in the last topic of this article.
What is anonymous data?
Anonymous data is personal data that has undergone an anonymization process. That is, it is processed so that it loses any direct connection with a specific individual. In this sense, the data used does not have a specific impact on a specific human being.
We easily understand how anonymization can represent both the possibility of exploring data without having to deal with GDPR legislation and the inability to manage the data for the specified purpose. After all, data is organized in general versions, with features to prevent direct access, which can lead to the loss of the information’s value for use.
For example, for Marketing, anonymous data can help when necessary to evaluate customer profile information or understand general market trends. In the definition of Buyer Persona in Digital Marketing, for example, it is possible to conduct a general survey on the preferences, pains and habits of customers anonymously, in order to reach a specific and semi-fictional profile of the ideal customer.
In this case, it is not important to know which customers responded, but rather what they actually said, in order to establish the characteristics that will support the actions and campaigns. Therefore, it is easier to adapt to the GDPR, since this data does not generate as much impact for the holders.
However, when it comes to finding leads for a subsequent conversation that leads to a purchase, they are not useful. In this scenario, it is essential to have personal data and direct access.
One of the characteristics of anonymous data is precisely that it cannot be reverted to personal data after the transformation process. That is, it is data that cannot be identified again.
Therefore, anonymous data is different from pseudonymous data. Data pseudonymization consists of anonymizing the data, but with the possibility that it may become personal again later.
Now, let’s look at some data anonymization methods to better understand how this type of information works.
Anonymization
A common type of process is one that completely transforms the data, removing links to the individual, without reversion, as we have already mentioned.
The complete removal of a column with personal information in a database, for example.
Suppression
Suppression uses fixed data to replace identifiable parts of a database. Examples include the use of asterisks or other standardized forms of data.
Generalization
Generalization involves transforming specific data into general categories to eliminate individual connections. An example of this is the transformation of information about a customer into data about a class or group (such as the classic definition of an audience).
This is a good strategy, since it allows the active use of data, without making it personal.
Pseudonymization
A common method of pseudonymization is to use a table parallel to the one containing personal data. In the parallel table, the data is anonymized but can still be connected to the original data via a key, for example.
Cryptography
Another very popular technique is encryption. This approach is based on the use of public and/or private keys to allow access to the original data. After the cryptographic transformation, protected anonymous data is generated, which can only be unlocked with keys.
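The sketch below applies suppression, generalization and pseudonymization with a parallel key table to the same records. It is an added example, not code from the original article; the field names, sample customers and function names are all constructed for illustration.

```python
import secrets

# Constructed sample records (not real people).
CUSTOMERS = [
    {"email": "ana@example.com", "phone": "+52 55 1234 5678", "age": 34, "city": "Puebla"},
    {"email": "luis@example.com", "phone": "+52 33 8765 4321", "age": 61, "city": "Puebla"},
]

def suppress(value, keep_last=2):
    """Suppression: replace identifying characters with asterisks."""
    if len(value) <= keep_last:          # too short to reveal anything safely
        return "*" * len(value)
    return "*" * (len(value) - keep_last) + value[-keep_last:]

def generalize_age(age, width=10):
    """Generalization: replace an exact age with a band such as 30-39."""
    low = (age // width) * width
    return f"{low}-{low + width - 1}"

def pseudonymize(records, id_field="email"):
    """Pseudonymization: swap the identifier for a random token and keep the
    token -> identifier mapping in a separate (parallel) key table."""
    key_table, output = {}, []
    for rec in records:
        token = secrets.token_hex(8)     # random, so it reveals nothing by itself
        key_table[token] = rec[id_field]
        output.append({
            "token": token,
            "phone": suppress(rec["phone"]),
            "age_band": generalize_age(rec["age"]),
            "city": rec["city"],
        })
    return output, key_table

def reidentify(record, key_table):
    """Only a holder of the key table can get back to the person."""
    return key_table.get(record["token"])

def drop_link(pseudonymized):
    """Remove the token column so no stored link to the key table remains.
    Whether the result is truly anonymous still depends on how identifying
    the remaining fields are when combined."""
    return [{k: v for k, v in rec.items() if k != "token"} for rec in pseudonymized]

if __name__ == "__main__":
    pseudo, keys = pseudonymize(CUSTOMERS)
    print(pseudo[0], "->", reidentify(pseudo[0], keys))
    print(drop_link(pseudo))
```

The key table is the part that keeps the output pseudonymous rather than anonymous, so it should be stored and access-controlled separately from the transformed table.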
What is the difference between personal, sensitive and anonymous data?
When we put these three definitions into perspective, we can draw some interesting conclusions. Personal data is the most general, since it even establishes the main objective of standardization.
Sensitive data is different, since it is more specific and delicate when faced with a moral assessment, but it still falls within the concept of personal data. Sensitive personal data may involve some kind of inconvenience that can generally be avoided with personal data.
For example, someone may discriminate against a person because of their view of religion, their political preferences, or aspects of their private life. Vacant positions, projects and opportunities or confirmations in protocols/applications can also be rejected.
Security and privacy laws are very concerned about events that depend on this specific personal data. Therefore, we must be more careful with sensitive data; after all, non-discrimination is one of the principles of the law.
Anonymous data, on the other hand, can be understood as the opposite of personal data, as we have already developed here. At no point can it become identifiable again, as this would nullify the very idea of anonymity. In this sense, anonymous data is very different from sensitive data.
Pseudonymized data therefore falls between personal (identifiable) and anonymized data. They go through a transformation process, but it is not radical to the point of making that data impossible to reverse. Generally, they are still under the protection of privacy and security laws.
What is this data used for in the GDPR?
The General Data Protection Regulation has recently shed light on the notions of personal, sensitive and anonymous data. Likewise, it established standards and prescriptions that must be considered by all types of companies, since everyone who processes data is subject to this law.
Personal data must be processed only for legal reasons. One of them is the consent of the interested party, which must be clear, provided after demonstrating the real purpose of the use of the data.
Other requirements are:
- legal obligation,
- protection of the life of the holder,
- execution of public policies,
- credit protection,
- among others.
Sensitive data can also only be manipulated under pre-established conditions, such as studies for research organizations, exercise of rights, fraud prevention, protection of life, among others. In other words, special care is needed, according to what we have already talked about.
Anonymized data, by definition, falls outside the GDPR. If the data is truly not identifiable, there is no need to pay attention to the requirements of the law, since it is not personal data.
Likewise, some of the aforementioned anonymization techniques are adopted as a solution to manage the problem of adaptation to the standard.
What is much debated these days is the level of anonymization that is possible with current techniques. There are researchers who support the idea that the methods never manage to undo this link with the original data, so the data always ends up pseudonymous. In this case, it is essential to understand the law and comply with it.
In addition to these general considerations, the GDPR proposes some structural concerns that should be part of the company’s mindset and culture. First, it is necessary to stipulate a very specific and clear purpose for the use of the data and express it unambiguously to the data subjects. Once this purpose is established, the data needs to be retained only until it is fulfilled.
Another important point is free access. The owner must be free to consult their data, modify it, transfer it to other databases and even delete it at any time, even after having given consent. This is the great distinguishing feature of privacy laws such as the GDPR (General Data Protection Regulation) and each country's own laws on the subject: the total focus on the owner.
Currently, the following rights of the individual regarding their data are officially recognized:
- right to be forgotten;
- right to information;
- right of access;
- right to request modifications to their data;
- right to withdraw consent;
- right of opposition;
- right to data portability.
Dedicated professional
Additionally, the company must establish an internal general authority to oversee the data, and that person must report to general and external bodies. In some cases, this is a Data Protection Officer.
In cases of incidents that involve personal or sensitive data, it is necessary to notify the owners and the main organizations, with a clear definition of the measures that will be taken for intervention. It is essential to be clear about what will be done.
If companies do not properly manage security and privacy, they may be fined up to MX$27 million pesos, or may suffer warnings and data blocking, each action depending on the level of the problem and the impact on the data holders.
In the modern data-driven world, concerns about laws and privacy must be central. After all, for a conscious and healthy use of these assets, companies must resort to the principles of the law and actively care about the rights of their customers, as this translates into trust in the business relationship.
From then on, data must be carefully managed throughout its lifecycle. It will be essential to map them by use and look for an overview of how these assets are being applied, so that a complete and safe inspection is possible.
As we have seen, the division between personal, sensitive and anonymous data is fundamental to a culture that views data as assets and cares about privacy. Understanding these concepts and their differences is the first step to adapting to the GDPR and advancing the discussion about privacy and security. In this way, the company can reduce friction in this compliance and optimize its results.