What can make Privacy-by-Design possible

By | Wednesday December 2nd, 2015

We daily have the chance to experience the meaning of Privacy by Design or, more generally, of Compliance by Design.

Corporate operational processes are unquestionably fully automated through information technology solutions and much was made to enhance the quality in designing and developing applications and infrastructural solutions.

Also, beyond the usual development roles, it is becoming a common practice to take additional members in the project teams from information architects, vendor management, service owner, Compliance, documents validation, test management and change management Functions.

Nevertheless it is quite rare to meet business representatives that obtain feedback about requirement feasibility or propensity towards alternative solutions; it is even more rare to meet Functions providing a project governance or a risk management support in order to assess, evaluate and quantify the security and information risks and to compare technical and operational solutions by performing ex ante impact analysis as a possible consequence of a deficient or lacking solution approach.

However in most industries certain approaches still prevail which aim to satisfy law requirements according to minimal compliance targets and not to a wider adequacy, higher strength or time validity and to prioritize solutions based on risks assessed in connection with the possible intentional or unintentional data misuse, incorrectness or lacking confidentiality.

This event typically occurs when already existing, but old and partial, solutions are considered for adoption and, in order for them to be integrated with new features, additional ex-post reconciliation checks are added to shelter outputs from fragile assumptions and continuous reworks are introduced to obtain the expected data alignment. This approach reveals itself as being only apparently cheaper since measured only in the short term but instead it requires increasing costs to retain the continuous alignment with the data feeding systems and to check and solve arising inconsistencies.

Therefore to develop robust privacy and IT security related solutions, any ex-post additional or corrective measure is to be avoided. When data are compromised or are likely to be so, at the very early stage, it’s needed to agree upon the involvement of the Privacy Officer, the IT Security and Risk Manager and, moreover, to enforce procedures to assess ex-ante how much a single process or product or service affects data protection and security, in short: the privacy risk.

In practice, no Privacy-by-Design approach will be possible until appropriate functions are involved since the initial project phases or the PIA process (which helps to assess privacy risks in the collection, use and disclosure of information) is systematically used to identify privacy risks, foresee problems and bring forward solutions and robust-by-default solutions are decided.

Category: Privacy by Design Tags: ,

About Enrico Toso

IT Regulatory, Risk and Control Specialist As Information security and risk expert I have been heading analysis and management projects aiming to achieve compliance to recent Data Protection Authority Provision (also called “Provvedimento Garante II”) and to Bank of Italy Provision “Disposizioni di Vigilianza” (upd.15 - enforced under Circular 263/06) mainly to assure an appropriate Data Governance level and an integration between the ICT and the Operational Risk approach.. Also active member in analysis and research interbank groups on data protection, data leakage, risk prevention, information frauds countermeasures and ICT regulatory compliance for the financial industry.

One thought on “What can make Privacy-by-Design possible

  1. Gabriele Tucciarone

    Molto interessante. A mio avviso la PIA formalizza un ulteriore elemento da far rientrare in quella cultura di governance olistica che spesso manca all’interno delle organizzazioni, generando così inefficienze, errori e interruzioni in molti progetti.

Leave a Reply

This site uses Akismet to reduce spam. Learn how your comment data is processed.