By now you’ve all heard about GDPR and how it affects just about everything you do with data. The sad thing about it is that the bulk of it is really all common sense when it comes to the use of Personally Identifiable Information (PII). Of course, we all know that common sense isn’t very common either…
I received an email from a recruiter the other day which brought privacy matters back into my mind again. I’m used to getting various emails with all sorts of different job opportunities or even just introductions. This one though caught my attention. It wasn’t the email content, or the job opportunity (it was actually saying that there were possibly multiple openings all over the place and I could pick and choose), or even the awful formatting that it was in (please stop copying content from Word, complete with random bolding and highlighting, into your emails without reformatting it!). It was the email distribution list. Instead of relying on an email service, or even adding multiple emails in the BCC line, this recruiter added 207 emails to the CC line…
Is my email PII? The US Department of Labor says it is (and the EU’s GDPR legislation agrees).
Further, PII is defined as information: (i) that directly identifies an individual (e.g., name, address, social security number or other identifying number or code, telephone number, email address, etc.) or (ii) by which an agency intends to identify specific individuals in conjunction with other data elements, i.e., indirect identification.
– US Department of Labor
I emailed this recruiter back, chided them for not respecting my privacy, and due to that requested that they remove me from their system and to never contact me as since I could not trust them with something as simple as an email address, how could I trust them with client confidentiality and any other information I might give them? I did get an apology from them along with a promise to remove me. Who knows if they really deleted me or not…
I know I was making a bit of a mountain out of a molehill. At the very least, it could have turned into another Replyallcalypse with a flurry of resumes and queries going out to everyone. Worse would be someone using that list of CC’d emails to attempt to access our various professional and social accounts and such. Enough of the speculation though. After all, common sense says that “this information wasn’t meant for me, so I should ignore and delete it.” Right?
As an engineer, privacy is critical. You should only be looking at the specific data you need to complete your task (such as fixing a bug that happens only to User X). If you’re using data to achieve a larger task in the system, you should only be referencing the data you need for the task (no more “SELECT *” SQL).
As a manager, privacy is no less important. You’re the next layer of privacy defense, helping to ensure that your team is producing privacy compliant software, regardless of if it is GDPR, HIPAA, PII, or just plain common sense.
Avoid The Replyallcalypse and keep your employees’ and customers’ data safe; only use what you need, when you need it, and avoid the CC field at all costs. You don’t want data loss to be yor folt…