Data Protection by Design in Data Privacy Governance
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
In last week’s article, I gave a granular description of data privacy by design and shared the foundational principle. In this article, I focus on data protection by design.
Again, it’s worth reiterating that these concepts are nuanced in their functional technicalities and definitions. A good privacy professional or serious company should be able to tell the difference.
What makes data protection by design unique in data privacy governance? What must companies pay attention to when employing data protection by design? Data protection by design encompasses the hardware or software tools company deploy for further protections of information assets.
A company buys a software to ensure that when lateral movements or attempted intrusion hits their networks, they can detect it and more specifically, that they can carry out a root cause analysis. With this, the company can find out where they are vulnerable, understand the existing threats within their company and come up with the technical and organisational measures to contain these things when they happen.
Without these technical tools, a company will struggle to meet the much-touted technical measures and expectations in data privacy methodologies.
Each organisation in considering the amount of data protection needed for their company will consider certain elements.
First, the company must carry out a robust data mapping exercise and a system analysis to understand the state-of-the-art technology they might need to increase the securities needed for the protection of information assets. A company uses a lot of contractors who come into their physical building daily, the company employs tap-in gates to track people who come into that building. We can term this an employment of the art of technology.
Second, for any company to invest in technology, good consideration must be given to the cost of implementing such technology. Would this affect the business’ financial foundations? Quite often, when companies don’t consider the cost, they might find out that they can maintain the tool for a long period.
Another aspect companies must pay attention to is the nature of processing. When the tools are bought, what would the processing involve. Would data sets need to be classified and is there any need for data protection impact assessments (I’ve covered this in another article)? Would it further put data subjects in harm? Serious consideration must be considered before the software is launched.
What happens in most deployment of technical measures is that most companies don’t consider the scope of processing? How long does the company need the tool for and what would the purpose of the software tool be for? And after deploying, who are the individuals that would use these tools? Are they trained? A good consideration of the scope would help the company avoid waste of resources and administrative time.
Then consideration needs to be given to the context of processing. Does the company have the right technology for processing, or do they have to add other things to ensure that the new process meets required standards? Would they need to employ the software/technology in their production environment? What sort of tests would be carried out? It is good practice to understand the context before any deployment is executed.
The most important consideration would be to consider the varying likelihood and severity of risks in the rights and freedoms of data subjects. Privacy is still a business function and if deploying a new process would expose individuals to risk then the company must mitigate attending risks.
Companies, when employing data protection by design, should always give these elements serious considerations. It will help boost their data privacy governance structure, help avoid breaches and prevent regulatory fines.