Going on a Data Protection journey? Don’t leave your PETs at home
May 25th has recently passed and we’re all still very much alive, at least the GDPR fire on social media hasn’t extinguished and our customers are still requiring professional guidance in their journey to privacy basecamp and beyond. In our first #GDPRthedaysafter blogs, we’ve talked about the different stages of maturity an organization can achieve and we’ve described the teamwork needed to reach basecamp. We’ve also touched on the role of the Data Protection Officer, the lead Sherpa, to guide, facilitate and support the journey and in our last blog we’ve set the stage for a crisis approach on how to deal with data breaches. One could argue that GDPR is all about people and we couldn’t agree more. But just as climbing a mountain is impossible without the right gear, protecting personal data without the right technology is impossible too.
The idea of bringing privacy requirements to the table before organizations start building new processes and systems has been discussed for many years. Data minimization, anonymization and pseudonymization solutions have emerged over the years and somewhere in the early years 2000, the term PET (Privacy Enhancing Technology) was coined. In sectors like the military, law enforcement and medical research the need for strict data protection was evident. Now that need has become more persistent with article 25 of the GDPR, requiring organisations to follow the privacy by design and default principles when processing personal data. This might look cumbersome but where smart fridges and smart thermostats might offer convenience and automation, they also provide a uniquely personal window into our lives. Privacy of Things could be the new norm in the near future and we all better start working on it.
Assessing the impact
In our role as data protection Sherpas, we see following technologies being used more often in applications and mobile devices: virtual private networks (VPNs), secure messaging, anonymising networks and anti-tracking tools (for online browsing). Emerging technologies for example are privacy enhanced access right control systems (think about biometric access controls in the office) and geotagging functionality in mobile user apps.
A Data Protection Impact Assessment (DPIA) needs to be carried out to assess the impact of implementing a PET. It is our experience that many times, solving a privacy related risk comes with a trade-off. Applying Secured email for example, encrypts the communication between sender and receiver and protects the content of the data from being seen. The Chief Information Security Officer however wants to protect the organisation from incoming malicious email and needs to peek inside. Applying secured email could have as consequence that the CISO needs to implement additional technology such as TLS Interception to safeguard privacy and still maintain the same level of security. This means extra costs, extra security risks and sometimes even a less nice user experience. But it could still be a very good decision to go that path, improving and learning while climbing the summit. As long as all the (technical) pros and cons are well weighed and taken into account.
No need to tie your PET to a tree
DPA Privacy Sherpas are experienced in many data protection areas. Some of them have an extensive technology and security background to help you assess, implement and evaluate the right PET for your organisation’s privacy household. We’ll make sure there will be no need to tie your PET to a tree when you’re starting the journey. DPA Privacy Sherpas will make sure that it will help you reach the next level of your organizations GDPR maturity.