I’ve been trying some different privacy assessment methodologies
recently, as I’ve been trying to work out for myself just what I want to get
out of the exercise. If those writing the Regulation have their way, an awful
lot more of them will be getting done.
But just like the phrase “privacy by design”, a PIA is a term that could
mean any manner of things.
Is it just a way of ensuring that whatever initiative I’m
assessing is actually legal?
Or is it a way of ensuring that the initiative I’m assessing
is actually acceptable from a corporate reputational view? Or that the
individual will like it?
Try as I might, the guidance on the ICO’s website isn’t that
easy to remain engaged with. And I’m not sure that the ICO’s focus is
necessarily where I want to focus my assessments.
In a nutshell, the ICO’s guidance helps me consider whether
the initiative is legal, in that it makes me ask myself (and answer) a heap of questions
about precisely how each of the Data Protection Principles is engaged, without
directly asking me to consider the amount of harm that might be caused to an individual
if the initiative were to encounter any sort of breach.
Instead of following the ICO’s methodology (which, thank
goodness, it will be changing shortly), I’m trying out an alternative approach,
which places much more emphasis on privacy risks from the individual’s perspective. Yes, of
course it also assesses the risks associated with non-compliance with the DPA and other
privacy laws, but by looking at things from the perspective of the person who
will complain when something goes wrong, the likelihood of them suffering harm
as a result of the initiative becomes more obvious.
This methodology is being pioneered by the mighty Chris
Pounder, of Amberhawk fame. As I’ve played around with his method, the
potential legal snags and harms that may be suffered by an individual have been
easier to spot. His method is also easier for businesses to use. Project managers
(or others with specific knowledge of the initiative) explain what they are
doing, and provide factual information on a form. The forms that the project managers
see don’t contain inaccessible data protection jargon, but the interviewees will
need a bit of help filling in the answers, as the forms ideally need to be
tailored to the specific circumstances of each initiative. Then, the Data Protection Officer can apply their
own knowledge and experience to make the relevant impact assessment, and to
highlight ways in which risks could be reduced, if they were deemed to be unacceptably
high.
None of this stuff is necessarily easy for the untrained DPO,
especially when it is evident that the client is not too sure what it is that
they need to do to achieve their goal, and just wants to ensure that
whatever they are doing is lawful. There’s not a lot of point in commencing a Privacy
Impact Assessment on an initiative which basically states that a company wants
to maximise the value of its customer and marketing database. It helps when the client has a reasonable idea
as to how it will maximise the value, who it will work with to exploit the value
of the information it has, and what other partners it will work with to augment
its own data with other types of data that are commercially available.
For those that are sufficiently interested, Chris Pounder
will be teaching another group of people how to dance his PIA Tango in London on Tuesday
9 July. If I were you, I would seriously consider going along.