Privacy functioning across disciplines
Personal data is now widely used by organizations across the public and private sector to provide better personalization of services and to give organizations competitive advantage. Because of this, protection of personal data has become a vital aspect of digital security in order to maintain the trust of consumers and citizens.
If consumers believe their data is not being appropriately managed, they could withdraw the right for organizations to use it. This debate is currently ongoing in the UK with patients now given the option by the National Data Guardian to opt out of sharing their data with the NHS. This move came as a result of citizens not trusting that the appropriate privacy measures were in place to secure their data and anxiety over its ability to be sold or shared with third parties. Privacy must be considered as a vital ingredient to business strategy, which means it needs to be understood from board level to operations within an organization. It can no longer serve as a function that sits solely within legal and compliance, it must be cross- discipline and its importance must be understood by all.
Putting privacy at the heart
Understanding data classifications and how it must be stored and processed is a vital aspect of maintaining its integrity in accordance with privacy laws. This requires having the right processes, tools, and technologies in place to encrypt and safeguard to the right level.
The introduction of GDPR recognized that digital transformation brought increased complexity to the area of privacy and Article 32 requires Data Controllers and Data Processors to implement technical and organizational measures that ensure data security appropriate to the risk presented by processing personal data.
Privacy must be built into digital security planning with privacy by design principles in place and data privacy impact assessments as standard. There must be an awareness of what data is being held, how sensitive it is, and what the ramifications of any data breach would be. Under GDPR, there is a 72- hour timeframe in place for reporting a data breach to the Regulator. An understanding of what constitutes a serious data breach and what needs to be in place to manage any fallout should one occur needs to be in place, preferably at board level or with direct access to the board if necessary.
For this, a data management playbook that roleplays the management of a serious data breach can be useful. You cannot wait until something happens. You need everything pre- prepared in your back pocket to manage any breach should it occur. The hours following a breach are critical to organizations to limit any fall out and damage. Maintaining a relationship with consumers who are giving organizations access to their data is absolutely vital, knowing how and when to communicate is key. There has been an increase in public prosecutions for data breaches and this has the potential to become a serious issue for organizations. Law firms have identified this risk as a new revenue stream and, in some instances, they are chasing and encouraging consumers to bring privacy cases against organizations.
The role of privacy in ethical design
Developing ethical frameworks and standards must be the next step in ensuring privacy laws are not only followed but also improved upon and future-proofed. This is particularly important as the use of technologies such as artificial intelligence (AI), machine learning (ML) and automation have the potential to unwittingly cause harm.
Atos leads the way in ethical design principles for digital, having enshrined the concept within its raison d’être. Working with competitors and the European Union on developing ethical frameworks for design is an ongoing workstream.
If you look at the origins of privacy,
it was brought in after the Second World War to guard against abuses by any authoritarian regime. The right of citizens to know their data is not going to be used in a way that has the potential to harm them is vital. The data genie is out of the lamp, we cannot put it back, but we can guard against misuse of the power it brings.
According to Gartner, privacy is no longer “just a part of” compliance, legal or auditing, privacy is becoming an increasingly influential, defined discipline of its own, affecting almost all aspects of an organization. As a rapidly growing stand-alone discipline, privacy needs to be more integrated throughout the organization.