Category Archives: Privacy

Assessments are the Hub of a Forward-Looking Data Protection Program

The term assessments appears a great deal in IAF work. We have written about comprehensive data impact assessments, ethical assessments, digital marketing assessments, Canadian assessments and legitimate interests assessments. All these references are part of the same theme: a family of comprehensive assessments of how data is used and how it impacts individuals is necessary to determine if processing is legal, fair and just.

From the earliest days of privacy, there has been an implied requirement that organizations know how they are going to be using data so they would be able to describe the use to individuals. In the 1970s, the implied requirements were not hard to meet. Prior to database technologies, data was typically collected and used for specific, straightforward purposes.

By the early 1990s, information aggregators, such as TRW Information Systems and Services and Acxiom, were beginning to use data for numerous purposes, and the first privacy impact assessments were developed. They were not developed in response to data protection law but rather to avoid reputational risk for the companies involved.

Privacy by design, as a governance discipline, required organizations to fully understand what they were doing with data and why. The growth of accountability-based governance did much the same. FTC consent decrees requiring privacy management programs accelerated the assessment process. Canadian regulators took this to the next level with guidance on privacy management programs.

The General Data Protection Regulation, which goes into effect in exactly a year, has made the requirement to conduct assessments explicit in three ways. The first relates to “record keeping” requirements, the balancing of interests and the ability to demonstrate many parts of “accountability”; this is the first instance of a legal requirement to, in effect, perform an “assessment”. Second, in certain areas of processing likely to create risks to individuals, an explicit assessment requirement is noted, one that assesses a broader range of rights and implications than is contemplated in a core Privacy Impact Assessment. Fines are among the potential sanctions for organizations that should conduct assessments but do not. Finally, to determine the legitimacy of processing, a “balancing” process is required.

The European Union Article 29 Data Protection Working Party issued draft guidance on Data Protection Impact Assessments and described in detail when such assessments would be required. As part of the consultation process, the IAF provided comments.

The IAF, whose mission is accountability-based governance of information processes, sees assessments not just as a legal requirement but rather as the hub or lynchpin of an information governance program. Whether a company is justifying the use of legitimate interests as the legal basis for thinking with data or assessing to understand the risks associated with data processing, there are steps that inform the organization, document accountable processes and facilitate oversight. This process begins with some common steps:

  • a description of the processing that will be conducted;
  • the data that will be used for that processing and the obligations that are associated with that data;
  • an identification of the stakeholders impacted by the processing;
  • the risks to the stakeholders if the processing is or is not conducted;
  • the benefits that come from the processing and who receives the benefits.

So, the IAF sees assessments as the central part of effective data protection governance. We see them as the basis not just for determining whether processing is legal, fair and just, but as a core element in assessing the ethical processing of data. We see them as the means of demonstrating compliance. We see them as a means of creating confidence in new, innovative uses of data. They are the hub of a forward-looking data protection program.

The threat of fines is a great motivator for creating assessment processes. But in the end, assessments should serve a business need in this digital age. Companies should conduct assessments because doing so sustains and enables their data-driven business processes.

Assessments are not easy. They will often raise contentious issues within organizations. They require internal oversight and governance processes to address these issues. But in the end, they will liberate organizations to both enhance shareholder value and let data serve individuals.

Defining the Privacy Right and the FCC Rulemaking

If you cannot define a problem, you cannot solve it. The term “privacy” has always been hard to define. Bring ten experts into a room, and the definition of privacy will be different depending on with whom you are talking. However, we can begin to give it structure. The term “privacy” in an information age…

Restoring Privacy Functionality Through Data Protection Processes

Can data protection, the fair processing of personal data, protect the key values associated with privacy? While many privacy professionals use the terms privacy and data protection interchangeably, European law differentiates the two terms. The Working Party 29 Legitimate Interests opinion from 2014 does an excellent job of explaining the differences. Privacy is a value…

Abrams to Speak at Data Protection Seminar in Brazil on 9 April

IAF’s Martin Abrams has been invited to be the keynote speaker at a seminar on compliance, privacy and personal data protection on 9 April in Sao Paulo, Brazil. The event will cover Brazil’s proposed data protection law (Marco Civil). To read Marty’s related paper, click here for the English version. For the version of the…

IAF will Convene DDO Discussion in 2015

The Information Accountability Foundation will hold a framing discussion about Dynamic Data Obscurity (“DDO”) in Washington, DC, during January 2015. Background: Data management, particularly in an age of observational data and big data analysis, requires both effective policies for data application and controls to implement the policies. The Foundation’s past work has focused on accountability-based…

Personality, Culture and Japan’s Pursuit of Balanced Information Policy

Last week, I visited Japan to learn about the country’s coming privacy reforms and to speak about next generation information policy. I left Japan with great respect and admiration for the Japanese government’s clear information policy objectives. However, I also left Japan with real concern that the remedies on the table will not yield the…

I Have Joined David Hoffman in Making the Pledge

David Hoffman last week won the IAPP Vanguard Award for leadership. In accepting the award, David asked IAPP members to join him in pledging a commitment to ethical data management. (Read more here.) I had the pleasure of introducing David. Law and regulation lag the market, and most regulation leaves regulators room to enforce based…