Privacy Impact Assessments: Ensuring They’re More Than Just Words
A Privacy Impact Assessment, or PIA, is an analysis of how personally identifiable information is collected, used, shared, and maintained by an organization. PIAs are meant to help companies ensure their personal data collection and usage meet privacy regulatory requirements, validate use of mandated data protection technology, measure risk and verify consent capture.
Some companies and most government agencies make their PIAs public. All aim to refresh their PIAs at regular intervals, with updates every time new applications are stood up or critical events take place (new regulation, a merger, etc.). Privacy Impact Assessments are meant to give organizations clarity around their privacy policies and the execution of those policies.
However, PIAs today all share one big problem — they are basically words, detached from data.
Data Subject Analysis Should Not Be Subjective
Data Subjects are the customers and employees whose data is being “assessed” in a Privacy Impact Assessment. Without exception, today that assessment is conducted based on a survey and series of interviews of data custodians. Business owners and IT provide input on what data is collected, how it’s used, who has access to it, where it’s shared and so on. Compiling this top-down view of an organization’s personal data trove and its usage lifecycle into a PIA is the job of a small army of consultants and lawyers.
The resulting analysis is like a painting — a point-in-time representation of how personal data is managed inside the company. Relative to the alternative, i.e. no picture at all, this analysis does have some value. However, after the invention of cameras and film, people stopped relying on interpretive paintings to accurately represent scenes. We haven’t seen a painting submitted as evidence in a court of law, after all.
So it is natural to ask, with the advances in Big Data and Data Science — the data equivalent of the camera and film — whether it’s time to evolve PIAs from top-down, word-based interpretations of how personal data is used in an organization to bottom-up, data-driven reflections of actual data collection and usage.
Proof Is Not Just For Pudding
What many organizations discover as they embark on their first Privacy Impact Assessment is the usual set of challenges and inefficiencies entailed in filling out templates and conducting interviews and surveys. But once they’ve gotten over that hurdle, many come to the realization that their existing processes for discovering, mapping and classifying personal data are closer to a statement of well-meaning intent than evidence of actual data residency and flow.
Part of the purpose of a PIA is to provide evidence of conformance to internal policies and external laws for the storage and handling of sensitive data. Surveys can certainly provide indicators of activity — but they can’t provide certainty. Accurately verifying how data is collected and processed requires actual data accounting: the ability to trace the flow of data from initial ingestion through to disposition. Otherwise, audits will never amount to more than informed estimates. Big Data and Data Science provide the blueprint for achieving this.
From Privacy Impact Assessment to Privacy Impact Assurance
As all corporations evolve into software companies, what will separate winners from losers is an organization’s ability to use its customer data to better serve its customers. But the right to use a customer’s data does not come for free. Individuals will increasingly consent to share personal information on the condition that organizations responsibly steward that personal data. And while Privacy Impact Assessments help to foster trust between consumers and their data custodians, today they lack the “verify” necessary to preserve confidence via proof.
New regulations like the EU General Data Protection Regulation (GDPR) will drive this point home. GDPR is a watershed event in some regards in that it squarely identifies the rights of the citizen to their data. The regulation inverts the traditional mindset that companies somehow assume ownership of personal data once they take possession of it. In the new digital world, possession does not equate to ownership and consumers will have legal rights to their data long after it’s collected by a company.
This will create more burden on organizations to properly account for the personal data they collect and use. Fortunately for them, advances in Big Data have made possible the governance of Big Identity Data at scale across data centers and clouds. Moreover, through better accounting and governance, organizations have an opportunity to demonstrate greater value to their customers through service personalization and needs anticipation. But unless organizations can first assure their customers that they can deliver personalization without compromising the privacy of those customers and the security of their identity data, companies won’t get the opportunity to deliver that value.
In the end, privacy matters to all consumers. Privacy Impact Assessments are a necessary and important step in giving consumers — and the regulators that safeguard them — a sense of how companies treat their data. But as the economy increasingly moves online, privacy rights have become more fundamental.
To give consumers assurance that their data is valued, and not simply a resource to exploit, companies will need to begin treating personal data the way they treat personal money. There will need to be accurate accounting, a clear chain of custody and a verifiable audit trail; it will require Big Data for Big Identity Data.