Belgian DPA recommends taking 13 steps now

The Belgian DPA (hereafter referred as CPP, to reflect its official name, Commission for the Protection of Privacy) has issued GDPR-preparation recommendations in the form of 13 guidelines for companies processing personal data. The English-language summary below is taken from a law-firm website (link) (the originals were issued in French (link) and Dutch (link) only).

The good news is that the CPP has now set some priorities, giving data controllers and processors an idea of what the auditors will be looking for in the early days after the GDPR’s effective date. The bad news, at least as I see it, is not only is the guidance mostly vague, but also that there seems to be an embedded assumption that all of this is feasible within a short time frame. Continue reading “Belgian DPA recommends taking 13 steps now”

Sensitive data combinations

This post is my first attempt to tackle the thorny issue of data which is not core personally-identifiable information (PII) but which, in some combinations, is enough to identify an individual. I’ll call this type of data combination-PII (or combo-PII), and such a combination in a specific search a ‘profile’, for this purpose of this discussion.

Combo-PII is reference data that describes living persons

This type of data is usually called ‘reference’ data by database specialists. This is the background data that structures our picture of a person using categories, such as the city and country we live in, our age range, consumer choices (e.g., electricity provider), and similar data. Each of these values, taken by itself, is not enough to identify a person. Many such values taken together can, in some cases, either identify the data subject with certainty, or narrow the number of possibilities enough for subject to be guessed, or combined with other data to produce a match. Continue reading “Sensitive data combinations”

The Data Inventory, Part 1

Let’s get started on something concrete. One of the first things you’ll need to launch your privacy-compliance effort is an inventory of what data you are currently storing. This inventory will be at the core of your efforts, and will be the reference point for stakeholders. In this article I suggest a basic approach to get started using a single table. Future posts will add more tables to provide additional information, so that in the end we have a small schema for our inventory.  Continue reading “The Data Inventory, Part 1”