Choosing the Right NDPR Technological Stack
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of the Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
July 27, 2020
Without a doubt, a robust NDPR framework must contain a technological stack. This stack plays an essential role in the general makeup of any data protection scheme. First, it simplifies the management of the data protection framework, and second, it allows people within the business to carry out their work effortlessly. But getting it wrong can be costly and may disrupt the company’s business processes.
Stakeholders must pay attention to a few critical things before acquiring their technological stack. Before I delve into what steps stakeholders should take, I would like to set out a scenario.
The sales department in a particular company uses a web scraping tool to collect personal information about potential clients from the internet. After a data protection gap analysis, the company finds out that the software exposes it to potential data privacy breaches, and it stops using the tool. However, some sales reps in the company think data protection laws shouldn’t affect their earnings.
The sales manager warned the sales reps, and the chief financial officer even stopped paying for the tool. But these sales reps were young and wanted results. Some of them continued using the tool, exposing the company to a potential breach.
The sales manager found out that some of his sales reps were still using the scraping tool. To find out which individual or set of individuals it was, he decided to place a monitoring tool on each sales rep’s laptop without informing them. He found the culprits and wanted to take punitive measures against them.
The culprits fought back and argued that the company intruded in their privacy.
It’s an interesting story, because the sales reps won the case in court. The judge deemed the intrusion imprecise and ruled that the company should have informed the sales reps about the new tool.
There is a lesson here. Just because software or technology will help you carry out your work doesn’t mean it’s safe to do so.
Before you assemble your technological stack or introduce new software into your unique business process, the first step is carrying out due diligence. At this early stage, you want to know the history of the software company, understand what it stands for, read its various policies, check reviews online, and gather enough information to inform your decision.
Also, before buying the tool or introducing the process, you want to carry out a Data Protection Impact Assessment (DPIA). In this step, drawing from the scenario above, our sales manager would have been able to identify the existing risks before deploying the monitoring tool. The DPIA will help the stakeholder know whether or not the tool is right for the business process (I have talked extensively about the DPIA in previous articles). The results of a DPIA can save a company from further breaches, and it can help the company discover other technical gaps in the new tool. It’s good practice for a stakeholder to trigger a data protection impact assessment before acquiring any tool or adding new processes to the business.
Stakeholders must ensure that the technical and organisational measures of the tool meet the confidentiality, integrity and availability criteria. In other words, the new device or software must not expose the company to further breaches or put the lives of its staff and customers in danger.
It’s illogical at any point to make rushed decisions about the technological stacks needed for the protection of data and information assets.