Data privacy matters. Are you aware? Are you ready?
A Google search for “PIMS” gives some interesting results. While “Paediatric Inflammatory Multisystem Syndrome” ranks highest thanks to Covid-19, “Production Information Management System” and the “Pakistan Institute of Medical Sciences” also appear in the search results. PIMS also stands for “Privacy Information Management System”, which is our focus. It is strange that I could not find a single reference relating to privacy management in the initial search results.
Does data privacy matter?
While ‘yes’ is the obvious answer, we are often oblivious to how our data is gathered, stored and used. Personal data falls into a category called Personally Identifiable Information (PII), which is data that could potentially identify and distinguish a specific individual. PII examples include name, address, email, contact number, date of birth and passport number. Our PII is collected, stored and exchanged by hundreds of companies and their partners in the online world, often without us even realising it. The General Data Protection Regulation (GDPR) in the EU has brought severe penalties for companies that fail to protect personal data or observe privacy laws, with Google fined EUR 50 million in 2019.
The data controller, data processor and the data subject
It is essential to know three roles or actors in this area. The first is the data controller, defined in the GDPR guidelines as “… a person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data. Controllers make decisions about processing activities. They exercise overall control of the personal data being processed and are ultimately in charge of and responsible for the processing”.
A data processor is “… a person, public authority or company, or other body which processes personal data on behalf of the controller rather than under their authority. In doing so, they serve the controller’s interests rather than their own.” The data processor performs the activities needed to bring about an outcome. Finally, a data subject is each of us as individuals whose data is collected and processed to bring about a result.
Privacy management is a complex topic beyond the scope of a single article. However, I would like to explore the rights you have as a person providing PII and essential considerations for companies handling such data.
Rights of data subjects/individuals
As an individual, you have the right to determine how your PII is processed. The individual providing PII must be kept aware and involved. There should be consent obtained when your data is collected and approval for it to be stored. You are also entitled to request and view the PII a company or data processor has collected relating to you.
The data processor should also provide you with the means to update this information, either at your convenience or by initiating a request to change the content. You must be informed if the circumstances under which they hold or use your information change in a significant way and if so. Also, exercising your privacy rights should not lead to discrimination in your access to the services or pricing made available to others willing to provide more information.
Obligations of data processors
Data processors are encouraged to follow a “privacy by design” approach, where data privacy is factored in from the first conversation when dealing with PII and is not an afterthought. Some of these considerations include:
- Transparency – Be transparent about why you collect the data, how it is collected, where it is stored, and how it is used. Based on the context, indicate the authority available to gather and process this information and the conditions under which it would be made available to other parties
- Data minimisation – Request and obtain only the minimal data required to achieve the expected outcome. If the desired result is to generate an email with an attachment, do not ask for the phone number and NIC! The design of information collection must match the intended use of the information
- Restrict access – Restrict the access of PII to only the individuals who need to work with this data. For example, the entire organization should not view contacts in the Customer Relationship Management (CRM) system
- Data security by design – Implement administrative, technical and physical safeguards, which will restrict access and protect your data. While these activities overlap with information security management practices, measures to protect data from unauthorised access, modification, or loss must be in place
- Map data flows – Map the users and activities performed at each processing stage. Verify the model with those in data processing roles for completeness and potential risks. For example, it is pointless if access to the CRM system is highly controlled and secure, but a spreadsheet of the contacts needs to be downloaded and shared with someone else to complete the processing
- Geolocation restrictions – Comply with the regulatory or contractual obligations relating to where the data can be stored and processed. These restrictions are more relevant for FinTech applications where financial data is on the cloud
Outside of this, the organisation should have a process to deal with a data privacy breach and ensure employees know this process. Training on managing data privacy and information security should be as common as first-aid training and fire drills in companies. When there are data protection and privacy regulations in place, it is essential to inform the authorities of a data privacy breach at the earliest instance.
Facing a data privacy audit
Last August, I faced my first ISO 27701 audit, the certification for privacy information management. While I am not a stranger to audits across ISO standards, information security, or the Capability Management Maturity (CMMI) model, this was different. I had to justify what information we collect about our customers and prospects, the channels through which this data reaches us, how we obtain consent, and how we manage this data throughout our business life cycle. One thing was clear – data privacy matters and must be an area of concern for both individuals and organisations.
[The writer is the Chief Marketing and Corporate Affairs Officer at 99x and spearheads marketing activities while supporting business development and customer success initiatives. He is an accomplished practitioner with over 25 years of experience in the tech industry with complementary roles in program management and corporate consulting. Before joining 99x, he was the Executive Director of SLASSCOM. His industry experience includes banking and financial services and global IT services with Virtusa, Societe Generale (SOCGEN), Nations Trust Bank, and Union Bank of Colombo]