I’ve been trying some different privacy assessment methodologies recently, as I’ve been trying to work out for myself just what I want to get out of the exercise. If those writing the Regulation have their way, an awful lot more of them will be getting done. But just like the phrase “privacy by design”, a PIA is a term that could mean any manner of things.
Is it just a way of ensuring that whatever initiative I’m assessing is actually legal?
Or is it a way of ensuring that the initiative I’m assessing is actually acceptable from a corporate reputational view? Or that the individual will like it?
Try as I might, the guidance on the ICO’s website isn’t that easy to remain engaged with. And I’m not sure that the ICO’s focus is necessarily where I want to focus my assessments.
In a nutshell, the ICO’s guidance helps me consider whether the initiative is legal, in that it makes me ask myself (and answer) a heap of questions about precisely how each of the Data Protection Principles is engaged, without directly asking me to consider the amount of harm that might be caused to an individual if the initiative were to encounter any sort of breach.
Instead of following the ICO’s methodology (which, thank goodness, it will be changing shortly), I’m trying out an alternative approach, which places much more emphasis on privacy risks from the individual’s perspective. Yes, of course it also assesses the risks associated with non-compliance with the DPA and other privacy laws, but by looking at things from the perspective of the person who will complain when something goes wrong, the likelihood of them suffering harm as a result of the initiative becomes more obvious.
This methodology is being pioneered by the mighty Chris Pounder, of Amberhawk fame. As I’ve played around with his method, the potential legal snags and harms that may be suffered by an individual have been easier to spot. His method is also easier for businesses to use. Project managers (or others with specific knowledge of the initiative) explain what they are doing, and provide factual information on a form. The forms that the project managers see don’t contain inaccessible data protection jargon, but the interviewees will need a bit of help filling in the answers, as the forms ideally need to be tailored to the specific circumstances of each initiative. Then, the Data Protection Officer can apply their own knowledge and experience to make the relevant impact assessment, and to highlight ways in which risks could be reduced, if they were deemed to be unacceptably high.
None of this stuff is necessarily easy for the untrained DPO, especially when it is evident that the client is not too sure what it is that they need to do to achieve their goal, but they just want to ensure that whatever they are doing is lawful. There’s not a lot of point in commencing a Privacy Impact Assessment on an initiative which basically states that a company wants to maximise the value of its customer and marketing database. It helps when the client has a reasonable idea as to how it will maximise the value, and who it will work with to exploit the value of the information it has, and what other partners it will work with to augment its own data with other types of data that are commercially available.
For those that are sufficiently interested, Chris Pounder will be teaching another group of people how to dance his PIA Tango in London on Tuesday 9 July. If I were you, I would seriously consider going along.