Creating an information privacy conscious product and service
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
There seems to be a rush to create online businesses as the pandemic reveals the obsolete processes present in most companies. Many companies are in a rush to create an online presence online to meet customers’ needs. However, without paying attention to two essential things most companies would be exposed to dangers.
What is the thing they need to pay attention to?
It is essential to pay attention to privacy-by-design and privacy-by-default. These concepts should be embedded in a well-documented data protection impact assessment(DPIA). I know these concepts might seem complex but I have defined them in past articles. In this piece, I will explain these concepts further with a working example.
Let us assume Company XYZ found a better way to serve their customers using facial recognition tools for verifying customers and as part of their know-your-customer framework.
Company XYZ’s Chief Privacy Officer must ensure she protects the company from potential breaches. Some questions must be asked about the product.
Before launching the new process, initial assessments must be carried out to gauge whether or not the product might present some privacy risks. Therefore, the company must identify the need to carry out a Data Protection Impact Assessment where they should describe in detail the nature, scope, context, and purposes of the processing. Here the company needs to present the end-to-end picture of how data would pass through this new system.
Company XYZ must assess the necessity of the process then consider whether the new service is in proportion with their deliverables. That is, is the process really necessary to deliver the service and put into consideration what the compliance measures they have in place.
It is important too that the company identifies and assesses the risks to individuals. For example, what are those risks that customers would be exposed to when they use their facial recognition tool for purchasing their services? How long will these facial tools be kept? Where will the data be kept? Do they have policies in place explaining these things? If it’s going to be kept with a third party, has due diligence been exercised? Working with members of the IT department, the chief privacy officer, must identify any additional measures to mitigate the existing risks.
What is a more important step is to carry every member within the product development—product owner, business analysts, IT experts and privacy professionals—along in the process of creating this new tool and ensure that there’s a detailed plan to train the members of the staff about the new service.
Although the new Nigerian Data Protection Regulation does not go into full details about privacy-by-design and default. These are important steps and initiatives in ensuring technical and organisational measures are put into consideration before the launch of any product or service.
Putting privacy-by-design in place shows that Company XYZ understands the importance of creating a privacy-conscious product and service. While the privacy-by-design ensures there is a system put in place for the protection of data. This includes carrying out quarterly or monthly audits of systems in place. The process of auditing the system becomes a default practice in the company.
Companies must enjoy putting these concepts into practice before launching products as this will help them mitigate risks and protect the freedoms and rights of their customers.