We live in an era that exploits artificial intelligence, connected devices, smart appliances and other gadgets that are indeed delivering great value to humanity. However, we are often not thinking about the basis for this transformation – data. Without data, humanity would be unable to evolve. Therefore, we must protect it adequately, to continue its best use – now and in the future.
The fantastic advances in the field of electronic communication constitute a greater danger to the privacy of the individual.
Think about the ways information was persisted and conserved between generations and how this evolved until the 20th century. From the first cave paints, through Mesopotamian clay tablets, Egyptian Papyrus, paper, punched cards, magnetic records, laser engraving to clouds. Now think how everything changed in the last 100 years. What about the last decade? Can you already spot some similarities and differences?
The problem they had 1000 years ago and the challenge we face today is practically the same. Data is valuable; data is information, and it is knowledge. Because humans love data so much, we like to keep it for ourselves. Our data must be protected, keep its integrity and be available when needed. Back in the days, it was far easier to protect data; it was tangible. Easy to hide and dispose of. Now it is digital; you cannot touch it. It is harder to preserve something you can’t see and hold in your hands.
A global commitment to protect the citizens’ data
Governments worldwide have acknowledged that data privacy is a fundamental human right, and thus they started regulating this domain back in the 1970ies. This is an ongoing process that follows the technology around data management with a certain delay. In past years, Europe became the leading force by replacing the Data Protection Directive with an up to speed GDPR. We as data subjects are now clearly in the centre, and our rights are protected more than ever. Therefore, all organisations that control and process data about us (European citizens) must guarantee GDPR data subject rights or face enormous fines. No one likes to be fined, right?
A proactive approach to secure data processing with Data Protection Impact Assessment – DPIA
The EU decided to put constraints on data governance and lay down guidelines for companies on how to become GDPR compliant. As recognition of the problem is the first step to the resolution, it is strongly suggested to recognise the information governance exposure by performing an assessment of data managed and the basis for its processing. When possible, the organisation should assess this before developing any solution (digital, analogue or hybrid) that collects personal, sensitive or PII data. This crucial activity is called Data Protection Impact Assessment – DPIA.
With a thoroughly performed and maintained DPIA documented outcomes, we can protect data subject interest and limit our exposure to risks.
Why should DPIA be the first step in resolving the data problem?
First of all, if organisations do not know what you do with data, it is almost certain that they cannot protect it adequately. Secondly, the qualities of a solution or service (such as performances, usability, ease of use, etc.) are hard to be retrofitted which is even a more demanding challenge for privacy and data security. The source of fundamental requirements for any solution or service are the answers to the following questions:
- Where is data coming from?
- Who is controlling and processing data?
- Where is data going to be stored?
- What entity is sending the data?
- How is the data collected and on what legal basis?
- Are the EU and non-EU personal data being mixed/merged/augmented?
- Is data leaving the EU?
Therefore, it is crucial to get the answers by performing the DPIA as soon as possible.
The DPIA homework done right will safeguard you from future data risks, why to fear it?
Many companies, especially smaller ones or mostly data processors, don’t often conduct a DPIA, because their activities don’t strictly fall within the specific EU Data Protection Board (EDPB) guidance. There are concerns that by conducting a DPIA it might somehow open up an organisation to additional liability, they are hard to be performed and costly. This is why, DPIAs are underused when it comes to building data privacy into a solution.
The “Schrems II” decision opened Pandora’s data transfer box outside the EU after the Privacy Shield was invalidated. Today, organisations that had not conducted the DPIA in the past are in deep trouble because they might not have the answers to the core questions above, let alone who owns companies that access their data and where they end.
It is beyond a doubt that all our knowledge begins with experience.
Yes, we do have a big challenge, but do not fear the unknown, be brave instead. From our own experience, the first step is the biggest – recognising the data problem really exists. From that point on, it is just putting the puzzle together, asking the right questions, finding the answers and assessing the adequacy of data protection measures and privacy protection.
At Parsek, we had proactively implemented the Privacy By Design Framework years ago, and thus GDPR didn’t discover any skeletons in our closet. It is truly in our culture to ask “the 5 Whys” when designing solutions that can represent privacy risk for the citizens.
If you still find it hard to confront the DPIA, please feel free to ask us for advice and guidance on privacy@parsek.com, as it is our best interest to protect your user privacy.
Miloš Cigoj,
Head of Quality and Compliance