The Deep Privacy Challenge of Doing DPIAs Well

The Deep Privacy Challenge of Doing DPIAs Well

 

Data Protection Impact Assessments are the sleeping giants that lie deep in the GDPR. Doing DPIAs well requires organizations to commit to responsible data management at a deep, deep level. That’s one of the reasons why they are so challenging.

DPIAs: Why Do They Get Overlooked?

If one were to poll a sample of business, technical, and marketing professionals on “GDPR provisions that keep you up at night,” it’s likely DPIA’s wouldn’t make the top three. There are flashier aspects of GDPR. Consent management. Right-to-object. Data Subject Requests. Since these are the elements most frequently in the headlines, they tend to take up the most space on a business’s priority list. 

But DPIA’s represent the biggest challenge to most businesses in their present state. And for that reason, establishing a DPIA process that adheres to the GDPR guidelines is a key indicator that a business is making a deep, meaningful commitment to data privacy. 

How Does A DPIA Work, Exactly?

For the uninitiated, here are the basics of a DPIA. It’s intended to let a business analyze and minimize the privacy risk from a processing activity. Under GDPR, businesses conduct a DPIA when undertaking a range of data processing activities, from monitoring public places to using innovative technologies to using biometric data. You can read more about the circumstances in which a DPIA is legally required here. 

The Assessment itself is a multi-step process that involves coordination across a number of teams. The ICO describes the following nine steps as essential:

  • Identify the need for a DPIA
  • Describe the processing
  • Consider consultation (with your Data Protection Officer or relevant authorities)
  • Assess necessity and proportionality
  • Identify and assess risks
  • Identify measures to minimize risk
  • Sign off and record outcomes
  • Integrate outcomes into plan
  • Keep under review.

 

Why DPIAs Are Such A Deep Challenge

The purpose of this article isn’t to walk through the step-by-step of how a DPIA exercise should be conducted. The ICO has already published an excellent one of those here. Rather, it’s to point out what a challenge this poses for most businesses in their present state. Put simply, if most businesses did DPIA’s the way they’re supposed to, it would result in a productivity nightmare. 

Within a modern large business, there could be hundreds of processing activities every year. Under GDPR many will require a DPIA. But the vast majority of businesses lack the processes or technology to perform them quickly; they are handled entirely manually. The result is not pretty. Members of the dev team emailing the legal department to set up a meeting where they present a proposed activity and, together, fill in half of a DPIA template form. Then a question comes up. The legal team consults with enforcement authorities for clarity, and the response takes a week to arrive. Meanwhile, developers are bottlenecked as they’re unsure whether they can proceed until getting clearance from legal. And the marketing team awaiting delivery of their snazzy new retargeting tool is frustrated. Multiply this scenario by a hundred cases a year, and the efficiency costs that a DPIA represents to many organizations becomes clear.

Conclusion: Is “Managed Risk” Actually Manageable?

Given this, it’s not surprising that many businesses opt to take a “managed-risk” view of DPIA’s. Perhaps that represents the best of a bad bunch of options. With a fully manual process, the efficiency cost of compliance can look disastrously high. 

But enforcement around GDPR is picking up. What’s more, consumers are beginning to expect higher standards of privacy practice. As time passes, the cost of DPIA non-compliance will rise steeply. And businesses that decide they can’t afford deep privacy measures today may find the long-run cost of their inaction significantly higher.

 

The Divided States of America(n Data)

The Divided States of America(n Data)

This Is Why We Can’t Have Nice Things – Like Our Own Version of GDPR.

The American Data Divide

Across the ocean, a much-publicized piece of holistic privacy legislation called the GDPR has transformed the relationship between citizens, businesses, and personal data. In 2019 it’s time to ask: why can’t the USA produce its own unified piece of federal data privacy regulation?

Data regulation in the United States is still a work in progress. At present it’s a patchwork quilt split along state and industrial sector lines, and for most consumers, it’s impossible to penetrate. Businesses are similarly hamstrung by the lack of harmonious regulation. Those that decide to play by the rules burn copious resources and frustrating man-hours just to understand what those rules are. And even after that expending all that effort, many (if not most) businesses still struggle to be compliant.

The Roadblocks to Reform

Why can’t Congress do something about it? The short answer is that there just hasn’t been enough momentum to get something passed federally. The FTC has long recommended that Congress enact a comprehensive set of privacy laws. The Obama administration, in its early days, even tabled a set of proposals for a Consumer Privacy Bill of Rights. Privacy practitioners lauded the document. But it quietly died as Silicon Valley ingratiated itself into the D.C. political machine over the first half of the decade. And although the new president is an avid social media user, the Trump administration has shown little appetite for data regulation.

It’s also possible to make a deeper cultural reading into the different data trajectories of the US and EU. The European Union has been, since its inception, a body with the power to legislate dynamically in reaction to the world around it. On the other hand, US legal and political culture remains staunchly Constitutionalist. Legislating for an issue like data privacy, nonexistent at the time the Constitution was written, can be slowed by the challenge of remaining faithful to the spirit of a document that’s over 200 years old.

The Prospects for Change

However, in 2020 there will be a presidential election and possibly a new administration in the White House. Have the dynamics changed sufficiently to inspire another tilt at federal regulation? The voting population seems more concerned than ever about the way companies use personal data. However, a vocal watchdog organization (à la MADD or the NAACP) has yet to emerge. We’ll return to this later.

The real change that’s taken place lies in the business community. Among business leaders, regulatory certainty is emerging as a key concern – even beyond getting favorable laws. Businesses just want the rules of the game to be consistent. And there’s a deeper acceptance that federal laws represent a huge efficiency improvement over the uncertainty and instability of state-by-state regulation. 

One unified piece of legislation would provide a single target on which to concentrate lobbying efforts, debate, and discussion. Consequently, many business leaders are already urging Washington to take action. Earlier this year 51 CEOs from some of the biggest tech and industrial companies in the world signed an open letter to Congress urging them to act on a “comprehensive consumer data privacy law.” 

Will Citizens Step Up?

Were it up to these business leaders, a federal data law would be a done deal. But legislators appear wary of acting while there’s an empty seat at the table. If anything is slowing federal data regulation down in 2019, it’s the lack of a high-profile citizen’s rights group that could sit down with political and business leaders and get the ball rolling.

To conclude, the landscape looks to be more conducive to a federal data privacy law in 2019. But wondering “why doesn’t it exist yet?” may be the wrong question for individual citizens to be asking. In the absence of a highly-invested consumer protection lobby in Washington DC, the correct question to ask may be: “how can we get a seat at the table?”

What’s the Difference Between Data Security & Data Privacy?

What’s the Difference Between Data Security & Data Privacy?

“Data Privacy” and “Data Security” are two terms that can sometimes be used interchangeably. Especially by those who aren’t in the field of data protection. However, in this particular sector of the industry, they mean two very different things. Understanding the relationship between them is essential for grasping the complexity of regulatory compliance. This article is a quick primer that illustrates how privacy and security differ and how they work together as building blocks of regular data operation.

Data Security vs Data Privacy

In simple terms, security means securing data against unauthorized access. Privacy is about managing and defining authorized access. Data security is a technical issue that involves building robust defense mechanisms in your digital infrastructure. Data privacy is questioning and tackling legal and legislative spheres.

One of the most important relationships to note is that data privacy pre-supposes security. The GDPR doesn’t contain prescriptive instructions for how organizations should fortify their network because the only way for its privacy provisions to get followed is with data security. If a cybercriminal steals someone’s PII, it’s evident they are violating someone’s privacy rights.

So, data privacy assumes data security. Does the reverse hold? Does data security include data privacy? No, but organizations fall into the trap of making this assumption often. In so doing, they can avoid taking necessary regulatory compliance steps.

Conclusion

It’s not enough to protect data from outside attacks. Managing and enforcing internal permissions – i.e., managing privacy – is a vital piece of the puzzle for any business to be compliant with the latest data regulation. Internal privacy controls can be complicated and time-consuming in a large company. Something as simple as employees copying files onto personal flash drives can sink a carefully constructed operation. However, the effort to keep data processes watertight is an essential cost of doing business in 2019. Moreover, the cost of failing to invest in both security and privacy can prove disastrous.