External environment and competitive landscape | My Assignment Tutor

OverviewPrivacy by DesignHistory of Privacy Impact AssessmentsFeatures of a Privacy Impact Assessment?Why do a PIA?Features of a Good PIASteps in a Privacy Impact AssessmentSupply Chain PIAsPIA ReportsEthics & Social LicenceAPP Questions to ConsiderA Choice Privacy Invading Technologies (PITs) orPrivacy Enhancing Technologies (PETs) Privacy by Design 1960s: Developed by architecture and building firms for physical privacy1990s: Ann Cavoukian in Canada applied the concept to information privacyGoal is to embed privacy into the product and service lifecycle for businesses and governmentHas been widely endorsed by privacy regulators around the world2018: included as an obligation in Article 25 of the GDPR Privacy by Design Proactive, not Reactive; Preventative, not RemedialPrivacy as the Default SettingPrivacy Embedded into DesignFull FunctionalityEnd−to−End Security − Full Lifecycle ProtectionVisibility and Transparency − Keep It OpenRespect for User Privacy − Keep it User−Centric History of Privacy Impact Assessments Late 1960s: Fair Information PracticesThe “self−discipline on the part of the executive branch will provide an answer to virtually all of the legitimate complaints against excesses of information−gathering” − William Rehnquist 1971 (US Justice Dept, later Chief Justice of the Supreme Court)FIP concerns led to the 1980 OECD Guidelines designed to “advance the free flow of information and to avoid the creation of unjustified obstacles to the development of economic and social relations among Member countries”1995−> Privacy Impact Assessments emergeInspired by Environmental Impact Assessments“A belated public reaction against privacy invasive actions”; OR“A natural development of rational management techniques” –   Roger Clarke 2009 –   Early leaders: Canada and New Zealand 2018: EU’s GDPR Article 35 − PIAs are now mandatory where there are high risks, with fines for non−compliance Why do a PIA? Builds trust by the public and employees in the organisationReduces reputation riskReduces management timeHelps improve decision−makingReduces legal expensesMinimises probability of causing costly privacy harmsEnables organisation to demonstrate its compliance and risk maturity capabilityMinimises probability of adverse findings during an audit or regulator investigationEvidence that the organisation acted appropriately to attempt to minimise the probability of privacy harms Features of (good) PIAs Is a form of risk managementPerformed on a project or initiative (distinct from a privacy strategy)Anticipatory in nature (in advance of or parallel to an initiative − f. an audit)Broad in scope (looks also at the interests of those affected − f. an internal costƒbenefit analysis)Broad scope of analysis (not just strict compliance with legal obligations, legitimacy, proportionality, participation, ethics and social licence are also considered)Both problem and solution focusedEmphasises the assessment process (future consequences)Requires intellectual engagement from senior stakeholders (not a mere checklist)PIA Report is made publicly available, signed off by senior management (subject to any security concerns, where a summary is published)Contributes to “organisational memory” Steps in a PIA Determine whether a PIA is necessary (threshold analysis)Identify the PIA team, its terms of reference, resources and time framePrepare a PIA Plan − who does what, when and with whom will you consultAgree on the budget for the PIAProject description (link to corporate strategy, external environment and competitive landscape)Identify relevant stakeholdersAnalyse the information flows and privacy frameworkPrivacy impact analysisConsult with stakeholdersCheck the project complies with relevant legislative requirementsIdentify risks and possible solutionsFormulate recommendationsPrepare and publish the PIA ReportImplement the RecommendationsThird−party review andƒor audit of the PIA & its implementationUpdate the PIA if there are any changesIncorporate identified risks into a centralised risk registerEmbed Privacy awareness throughout the organisation and ensure accountability Supply Chain PIAs Privacy risks emerge not only within a business itself, but also within its supply chainEvidence that suppliers have undertaken effective PIAs may be requiredPrivacy officers might prioritise suppliers based upon their privacy risk profilesHigh−risk: on−site visits and privacy audits may be necessaryLow−risk: sight the supplier’s privacy or infosec policies In the EU, “High risk” business strategies have two of the following features: evaluation or scoring, including profiling and predicting;automated decision making with legal or similar effect;systematic monitoring including of public accessible areas, in particular where there may be a lack of awareness of the monitoring;processing of sensitive data, which in this context includes not only data defined as “special category” data under the GDPR, but data which may be generally considered as increasing possible risks individuals eg, financial data that may be used for payment fraud;large scale processing, which should be considered by reference to factors such as the number of data subjects (whether the specific number or the proportion of a relevant population), the volume and range of the data, the duration or the permanence of the data and the geographical extent of the processing;data set matching or combinations;processing of information in relation to vulnerable data subjects where there is an imbalance of power between the controller and the individual eg, children, employees or vulnerable segments of the population such as asylum seekers;innovative use of technological organisational solutions such as biometrics or the internet of things;cross border transfers taking into account the country of destination, the possibility of further transfers and the likelihood of transfers based on derogations rather than exemptions; andprevention of exercise of rights or the use of a service or contract eg, credit reference screening (which would also come under the evaluation or scoring category) resulting in an individual being denied a loan PIA Reports Sets out: The scope of the PIA undertaken and its methodology;A summary of the consultative processes undertakena description of the projectA map of the information flowsAnalysis of the privacy issues and risks arising from the PIA, (including compliance, ethical, social licence and best−practice perspectives)Recommendations to manage identified privacy issues and risksThe business case justifying privacy intrusion and its implications, where treatment or mitigating access has not been recommended andƒor agreed (if any)A description of agreed treatment or mitigating actions together with timelines for implementationReferences to relevant laws, codes and guidelinesWhen the most recent privacy review was undertaken Adding in the assessment of ethical considerations PIAs should not just be about compliance with the law (i.e. getting away with as much as the law will permit you to do)Ethical analysis is a process which considers what you should or should not do, rather than just doing whatever the law permits you to doIs this the right thing to do for our stakeholders, rather than just for ourselvesƒ our shareholders? Social Licence A concept developed in the mining industryMetaphorical, not legal‘to go beyond compliance to mitigate social and environmental harm, or even to effect benefits’Think of the broader privacy ecosystem − situate the project within that ecosystem and show how it will make the ecosystem healthierWhat actions will minimise community stakeholder resistance to the project? What are their ‘pain points’?Should not be a “political licence to operate” APP questions to consider Not every APP will be relevant for every project, but all 13 of them should be analysed to determine if they are relevantOAIC Guide to Undertaking PIAs (2014) sets out basic questions to ask − adapt and extend them to suit your needs


Leave a Reply

Your email address will not be published. Required fields are marked *