The necessity of updating privacy teams
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of Higher Education Academy, UK, and can be reached via moshoke@yahoo.com; twitter: @moshoke
November 7, 2022
The chief product director (CPO) of Sunny and Sons Co. Ltd. completed the Data Protection Impact Assessment (DPIA) for the payment methods that his company would use in the next quarter. The risks identified were documented and mitigated, and the outcome of the DPIA was recorded, including sign-off by all stakeholders on the mitigation methodologies. It was a very hard questionnaire to fill in, and the CPO had no wish to go through that hellish procedure again. In his head, the administrative work involved in the data privacy space is just too much to fathom.
Some days later, as the project launched, one of his team members walked into the office and announced that they would have to change providers for the payment interface. The initial provider had suffered a minor data breach and no longer had the capacity to carry out the promised services. A new vendor was needed now. This colleague asked the CPO whether they would need to consult the data privacy team about this.
The CPO shook his head. In response, he said, “It is only an addition of a third party, and they would just be interacting with our network systems to ensure that we have a seamless payment methodology. I don’t want to go through the rigours of having to go to the privacy team with this. You saw what they did with that DPIA. Please onboard the new vendors ASAP and let us move the business.”
The colleague, too, was excited about this. They managed to keep the new vendor away from vendor assessment, procurement requirements and privacy considerations. Their successful manoeuvring allowed the process to begin pronto.
To make matters worse, because the privacy team was unaware of this change, they could not update the DPIA. The project launched, everything ran smoothly for some months, and the process was improved. The CPO boasted that the privacy team usually blows things out of proportion even when there is no need for it. Sales were looking very good, and daily transactions increased.
One morning, the CPO wakes up to over one thousand emails in his inbox. He rubs his eyes with his right hand and notices that his phone is ringing non-stop. He opens one of the emails and sees a newspaper headline about his company. The investigation mentions the recently onboarded company, but no conclusions can yet be drawn.
The CEO calls a meeting with his CPO, the operational team and other important stakeholders. Before the meeting proceeds, the CPO receives an email from the company apologising for the breach, giving full details of where the fault emanated from and stating that they were working to ensure that the malicious content was deleted immediately and that service would resume straight away. The CPO walks into the meeting and admits that he onboarded a third-party company to expedite the business process and that this is where the breach originated.
I’ve seen many stakeholders regard their privacy team as blockers. Maintaining this mentality reveals two main things: the level of importance the organisation places on data privacy, and the shallowness of thought of some stakeholders. The privacy team must be updated on every project that involves the processing of personal data, as their role is to protect the business and ensure that new processes don’t put the rights and freedoms of customers at risk.