Does the use of SMAC change anything in the data protection world, or does it just increase the risk of a compliance breach?
By SMAC, to be clear, I refer to the convergent technology of Social media, Mobility, Analytics and Cloud which we are told gets us to the “post-digital era”. This technology enables collection and analysis of mass data through the use of mobile devices, social media sites, sophisticated analytical tools and easy and cheap cloud storage. It can be used to gain better understanding of customer motivation. It can also be used by HR to support Human Capital Management.
SMAC, it is said, can move HR from the background of a business to its strategic foreground by helping guide strategic decisions, and by advising particularly on such things as talent management, productivity and workforce trends. SMAC is usually an outsourced service.
What, if any, specific data protection issues arise with SMAC; issues that didn’t necessarily apply in the apparently now over “digital era”?
Data protection rules
Data protection rules started in Europe and have spread around the world. There are some relatively minor variations between countries and regions but the basic principles are replicating everywhere.
The rules cover the “processing” of “personal data” and “sensitive personal data”. Personal data is data from which a natural person can be identified. “Sensitive personal data” is what it says and covers information such as ethnic origin, health and sexual orientation. “Processing” covers more or less anything that can be done to data. Fully anonymised data is not “personal” and is therefore not usually regulated. However, technology is making anonymity harder to achieve.
Impact on SMAC
Some of the globally-replicating data protection principles are set out below, together with their impact on SMAC users:
Purpose: the personal data must be collected/processed for a legitimate purpose known to its owner (i.e. the data subject) and the data collection/processing should be limited to what is necessary and appropriate (i.e. proportionate) for the stated purpose (including length of retention, accuracy, updating etc.).
SMAC issues: These rules can be challenging enough for small amounts of data but are significantly more so when it comes to very large volumes. There should be internal processes and audit trails to ensure that only appropriate data is placed in SMAC, the data is used only for the stated purpose, the use is proportionate and appropriate and the data is deleted when no longer needed.
Consent: the consent of the owner is required unless one or more of the specific exemptions apply (such as that it is needed to carry out a contract to which the owner is a party); owners have rights to know what personal data of theirs is retained and to have access to it; owners have rights to require amendments to their data and to require its deletion.
SMAC issues: Employers need to ensure that employee consent to the use of SMAC is either not needed or has been obtained. Processes should be in place to enable the employee to exercise access rights and rights to amend or delete data.
Security: appropriate steps must be taken to keep the data secure from theft, unlawful use, loss, damage or destruction.
SMAC issues: critical to compliance is the considered choice of the SMAC service provider and the careful wording of the outsourcing agreement, covering issues such as level and form of security and rights to inspect and monitor.
Safe Transfer: data must not be transferred (except with consent or unless another exemption applies) from the country where it was collected to a country where the rules on data privacy do not provide adequate protection to data owners.
SMAC issues: SMAC tends to use the cloud. Therefore the employer must ensure that the use of the cloud does not breach the local data transfer provisions. In the case of EEA countries this may be a case of using cloud servers located within the EEA or it may be a question of using EU-approved model clauses, as in the case of Microsoft’s cloud service agreement. If the servers are in the USA, the Safe Harbour provisions may apply.
While SMAC is very clever and may even be disruptive, at heart it remains a tool for processing data. As such the existing data protections rules apply as before. SMAC users must consider what specific processes need to be in place to ensure data privacy compliance.