Embedding enhancing technologies in data privacy framework
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
In any data privacy framework, most companies use different approaches to set controls. These include policies, procedures, and at other times, they employ technical solutions. Privacy Enhancing Technologies (PETs) fall within the spectrum of technical solutions directed towards managing or mitigating data privacy risks. What are privacy-enhancing technologies?
According to the Information Commissioners’ Office (ICO), PETs are technologies that embody fundamental data protection principles by minimising personal data use and maximising data security and empowering data subjects. They are basically linked to the concept of privacy by design and the application of technical and organisational measures most companies usually allude to in their privacy notice.
PETs play significant roles. For example, a company wants to collect data from their customers through their website for analytical purposes. However, they want to collect only the information needed for that processing activity, which includes verification data. They would also, after the individual logs in, monitor activities on the site. Before launching the product, one of the developers opines that an email address is sufficient data needed for the processing activity.
One brilliant company that has displayed the use of PETs in modern contemporary times is Clubhouse. To join Clubhouse, all you need is your telephone number, they send you a one-time password and easy, you are in the house. There is no need to collect your name, address, etc. They must have thought of the process and concluded on what personal data is needed for one to join. That’s a clear display of PETs methodology.
PETs can help companies demonstrate that they are complying with data minimisation principle, providing appropriate level of security, aid implementation of robust anonymisation or pseudonymisation solutions and more importantly, PETs can minimise the risk that arises from personal data breaches by rendering the personal data unintelligible to anyone not authorised to access it.
As anything, the use of PETs presents its own attendant risks which include, the lack of maturity in terms of their scalability or availability, lack of expertise or mistakes in implementation. For example, a company buys Amazon Cognito to monitor access control to their mobile apps but lacks the resources to work with that service. The purchase of that Amazon Web Service becomes irrelevant.
There are different types of PETs and stakeholders must understand which one works for their organisational type. Several categories of PETs can help reduce the identifiability of individuals to whom the data the company is processing relates, others can help you focus on hiding and shielding data and others can help you split off control access to personal data. All these help companies demonstrate the security principle in their data privacy.
Before using any PETs, it’s good practice to carry out Data Protection Impact Assessment (DPIA) as a useful tool that can guide considerations, especially when the process involves large-scale collection and analysis of personal data. As organisations scale, there is the dependence on the use of data, wise organisations will begin to employ the use of PETs to set appropriate controls and employ the security needed in protection of their information assets.
- business a.m. commits to publishing a diversity of views, opinions and comments. It, therefore, welcomes your reaction to this and any of our articles via email: comment@businessamlive.com