The idea of bringing privacy requirements to the table before organizations start building new processes and systems has been discussed for many years. Data minimization, anonymization and pseudonymization solutions have emerged over the years and somewhere in the early years 2000, the term PET (Privacy Enhancing Technology) was coined. In sectors like the military, law enforcement and medical research the need for strict data protection was evident. Now that need has become more persistent with article 25 of the GDPR, requiring organisations to follow the privacy by design and default principles when processing personal data. This might look cumbersome but where smart fridges and smart thermostats might offer convenience and automation, they also provide a uniquely personal window into our lives. Privacy of Things could be the new norm in the near future and we all better start working on it.
Assessing the impact
In our role as data protection Sherpas, we see following technologies being used more often in applications and mobile devices: virtual private networks (VPNs), secure messaging, anonymising networks and anti-tracking tools (for online browsing). Emerging technologies for example are privacy enhanced access right control systems (think about biometric access controls in the office) and geotagging functionality in mobile user apps.
A Data Protection Impact Assessment (DPIA) needs to be carried out to assess the impact of implementing a PET. It is our experience that many times, solving a privacy related risk comes with a trade-off. Applying Secured email for example, encrypts the communication between sender and receiver and protects the content of the data from being seen. The Chief Information Security Officer however wants to protect the organisation from incoming malicious email and needs to peek inside. Applying secured email could have as consequence that the CISO needs to implement additional technology such as TLS Interception to safeguard privacy and still maintain the same level of security. This means extra costs, extra security risks and sometimes even a less nice user experience. But it could still be a very good decision to go that path, improving and learning while climbing the summit. As long as all the (technical) pros and cons are well weighed and taken into account.
No need to tie your PET to a tree
DPA Privacy Sherpas are experienced in many data protection areas. Some of them have an extensive technology and security background to help you assess, implement and evaluate the right PET for your organisation’s privacy household. We’ll make sure there will be no need to tie your PET to a tree when you’re starting the journey. DPA Privacy Sherpas will make sure that it will help you reach the next level of your organizations GDPR maturity.
