Data privacy and data security are considered by many to be interchangeable. Security and privacy pros know very well that this isn’t the case. Sometimes, despite providing buyers and customers with all the information they need to make a buying decision, unavoidable privacy questions come up that security pros should know how to answer.
During a recent call with our friends at DataGrail, we discussed some of the privacy questions that SafeBase’s customers receive the most often from their customers.
SafeBase empowers companies to develop customer-facing Trust Centers that automate the security review process between buyers and sellers and reduce security questionnaires.
DataGrail shares the same goal of helping customers build trust with their consumers with a focus on implementing and managing comprehensive data privacy programs.
Together, we came up with six of the most frequently asked privacy questions that security pros struggle to answer, what those questions mean, why customers ask about them, and where you can find more information about the answers. Understanding these questions helps security teams not only respond but also craft a Trust Center that can more accurately represent the company's security posture.
A note: Security pros receiving these questions should certainly read through the guidance below, but we highly advise consulting with your general counsel or legal team before taking any further steps.
1. Is your organization fully GDPR compliant?
What It Means: The European Union’s flagship General Data Protection Regulation (GDPR) is a comprehensive data privacy law setting a high standard for protecting individual privacy rights and freedoms that applies to any organization servicing customers, targeting advertising, or operating in the EU.
Why They’re Asking: Customers asking about GDPR compliance are usually involved in European business operations and may have received the question themselves. Becoming fully GDPR compliant can be complex and require a lot of work, and noncompliance penalties can take a heavy toll.
Note: it's also worth reminding customers that any third-party vendors they work with must likewise comply with GDPR if those vendors process sensitive data on the customer's behalf.
2. Is your organization subject to other privacy standards that aren't as common as GDPR, like individual state laws, FISA, FERPA, and others?
What It Means: This question is extremely broad and likely should not be answered with a universal response. It’s important to remember that beyond the GDPR, many countries have different, nuanced privacy laws with specific applicability thresholds.
Further, while the United States may not have a comprehensive federal privacy law, organizations operating in states like California, Virginia, Colorado, Texas, and others may be subject to state-specific privacy laws. Specific businesses will also be expected to comply with U.S. federal privacy laws related to specific groups like the Children's Online Privacy Protection Rule (COPPA) or the Health Insurance Portability and Accountability Act (HIPAA).
Why They’re Asking: Customers asking this question are usually operating in many different regions around the globe, or looking to expand internationally. Answering in one broad stroke without understanding the specific regulations in question can put your customers at risk.
More Information: Regardless of the regulation your customer is curious about, they need to meet applicable jurisdictional compliance requirements in the regions they operate within. DataGrail’s glossary and blog are solid resources to start searching for more information about specific data privacy regulations.
3. Does your organization handle sensitive information/data?
What It Means: Most companies collect and hold personal information from their customers, but adding the word “sensitive” into the mix can raise alarms. Think of it like this: All sensitive personal information is personal information, but not all personal information is sensitive personal information.
Various laws may define personally identifiable information (PII) or personal information differently, but generally, it’s data that identifies, describes, or is otherwise associated with a unique individual. Different laws will also define sensitive and non-sensitive personal data differently.
The California Consumer Privacy Act (CCPA), for example, lists specific categories of sensitive personal information. A few of those categories are social security numbers, financial account information, and precise geolocation data.
Why They’re Asking: While it’s important to protect the privacy of any information you collect from consumers, employees, or others, the privacy stakes are much higher when dealing with sensitive information.
Privacy violations involving sensitive information render individuals much more vulnerable to things like identity theft, financial fraud, and reputational damage. These violations are likely to result in a consumer’s complete loss of trust in the company that put their information at risk, along with possible legal issues.
Additionally, third-party vendors that handle and process sensitive data on a company’s behalf may be considered higher risk and should be held to a higher privacy standard than vendors processing non-sensitive data.
More Information: Check out these DataGrail blogs for more information.
- What is Sensitive Personal Information?
- Personal Information and Identifiability (PD/PI/PII) Explained
4. Does your organization share data with customers?
What It Means: This question's phrasing is very ambiguous. It's important to make sure you completely understand what "data" the customer is referring to, specifically. SaaS solutions often supply customers with data in the form of analytics to demonstrate progress and ROI.
However, if a customer is asking whether you share data in the form of data sales or shares, or act as a data broker, you can refer them to your privacy notice which should cover this information. Privacy notices are likely to be housed within your company’s Trust Center.
Why They’re Asking: Data is an extremely valuable resource and presents a high risk if it falls into the wrong hands. It’s understandable for customers to be curious about how you’re managing and protecting their data and the data of their customers.
Further, if your customer acts as a data broker, their customers may be asking to understand the regulatory responsibilities they inherit when dealing with brokered data. The answer in this case will depend on which jurisdiction your customer operates in, and the contracts they form with their customers or third-party vendors.
More Information: This question may also stem from your customers wondering if you act as a data controller or a data processor. Make sure you understand the difference between the two before answering.
5. Does your organization anonymize or pseudonymize data?
What It Means: Certain data privacy regulations call for the anonymization of data, which refers to the removal of identifiers from sensitive personal information. A good way to think about this comes from Mike Chapple’s IAPP CIPP/US Certified Information Privacy Professional Study Guide: “Information is not personal information if it does not provide a way to identify the person that the information is about.”
Anonymizing data isn't always about meeting legal requirements. In the course of implementing and practicing data minimization, de-identifying and anonymizing data can be a great way to keep sensitive information safe. Google's Privacy & Terms pages, for example, outline two of the ways Google anonymizes its data: data generalization and differential privacy.
Why They’re Asking: Depending on the type of information you’re dealing with, you may need to anonymize data per requirements for HIPAA or FERPA. If your customers are dealing with federal privacy laws requiring anonymization, it’s safe to assume that their legal team should get involved.
However, it should be noted that companies looking to build brand trust and loyalty may want to consider data anonymization as a data protection and transparency tool, somewhat similar to deletion.
More Information: Our blog on implementing data minimization explains how anonymization can help, and we have also published a quick recap of a recent de-identification session from RSAC 2023.
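The question pairs two terms that are often conflated, so here is an added example (not code from DataGrail, SafeBase, or the study guide cited above) showing the practical difference: pseudonymization swaps direct identifiers for a keyed token that the key holder can link back to a person, so under GDPR the result is still personal data, while anonymization removes identifiers and generalizes the remaining quasi-identifiers, checked here with a simple k-anonymity measure and suppression of outliers. The records, field names, and thresholds are constructed for illustration.

```python
import hashlib
import hmac
from collections import Counter

# Constructed sample records (fictional people) with direct identifiers
# and quasi-identifiers (zip, age) that can re-identify someone in combination.
RECORDS = [
    {"name": "Ana Ruiz", "email": "Ana@example.com", "zip": "94103", "age": 34, "dx": "flu"},
    {"name": "Bo Chen", "email": "bo@example.com", "zip": "94107", "age": 37, "dx": "flu"},
    {"name": "Cy Dale", "email": "cy@example.com", "zip": "94110", "age": 31, "dx": "asthma"},
    {"name": "Di Ford", "email": "di@example.com", "zip": "10001", "age": 52, "dx": "flu"},
]
DIRECT_IDS = ("name", "email")

def pseudonymize(records, key: bytes):
    """Swap direct identifiers for a keyed HMAC token.
    Anyone holding the key can rebuild the mapping, so the output is still
    personal data under GDPR; store the key separately from the dataset."""
    out = []
    for r in records:
        token = hmac.new(key, r["email"].lower().encode(), hashlib.sha256).hexdigest()[:16]
        out.append({"subject": token, **{k: v for k, v in r.items() if k not in DIRECT_IDS}})
    return out

def anonymize(records):
    """Drop direct identifiers and generalize quasi-identifiers:
    ZIP to its first three digits, age to a ten-year band. No key exists."""
    return [{"zip3": r["zip"][:3], "age_band": f"{r['age'] // 10 * 10}s", "dx": r["dx"]}
            for r in records]

def k_anonymity(records, quasi_ids):
    """Size of the smallest group sharing one quasi-identifier combination.
    k == 1 means at least one record is unique and potentially re-identifiable."""
    if not records:
        return 0
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values())

def suppress_small_groups(records, quasi_ids, k):
    """Generalization alone can leave outliers unique (here the lone 100xx ZIP);
    drop any record whose group is smaller than k so the release is k-anonymous."""
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return [r for r in records if groups[tuple(r[q] for q in quasi_ids)] >= k]

if __name__ == "__main__":
    anon = anonymize(RECORDS)
    print("generalized k:", k_anonymity(anon, ("zip3", "age_band")))
    print("released:", suppress_small_groups(anon, ("zip3", "age_band"), 2))
```

Note that even the suppressed release still carries a diagnosis column, so whether it counts as anonymous in your jurisdiction is a question for your legal team, not the code.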
6. Does your organization conduct automated decision-making?
What It Means: This is another area that may require some specification. It’s fair to say that most businesses in the modern world use some form of automation and, as a result, conduct automated decision-making.
However, the California Privacy Rights Act’s (CPRA) amendment of the CCPA introduced specific messaging concerning businesses’ use of automated decision-making and related consumer rights.
One example could be a company’s use of automation to build customer profiles based on collected personal information. The California Privacy Protection Agency (CPPA) is developing rules and guidelines relating to automated decision-making disclosures and opt-outs. It’s important to track privacy industry news to keep on top of shifting regulations like this.
The GDPR’s automated decision-making rules (Article 22) are more concrete, but, at the time of writing, we haven’t seen publicly visible enforcement of them. We could have more clarity on Article 22 enforcement soon: two referral cases, one from Germany and another from Austria, await the Court of Justice of the European Union’s (CJEU) review.
Why They’re Asking: It’s somewhat difficult to say without more context. It may be the case that your customers have also been asked this question. If they have, it can be beneficial to ask for additional details and information to ensure you understand the question and provide an accurate answer.
That said, they may also be dealing with California-based customers who now have specific automated decision-making rights:
- The right to access information about automated decision-making
- The right to opt out of automated decision-making
More Information: Read up on CPRA’s new automated decision-making consumer rights and what they may mean for your business. If you’re interested in exploring automated decision-making as it relates to the GDPR, the Future of Privacy Forum has published a deep dive on the topic.
If you’re interested in continuing your privacy and security journey, DataGrail and SafeBase are standing by in support. Head to datagrail.io for more information about how you can make privacy your business differentiator.
SafeBase is the scalable Trust Center that automates the security review process between buyers and sellers. With a SafeBase Trust Center, companies can seamlessly share sensitive security documentation with buyers and customers and streamline the NDA signing process by integrating with their CRM and data warehouse.