We daily have the chance to experience the meaning of Privacy by Design or, more generally, of Compliance by Design.
Corporate operational processes are unquestionably fully automated through information technology solutions and much was made to enhance the quality in designing and developing applications and infrastructural solutions.
Also, beyond the usual development roles, it is becoming a common practice to take additional members in the project teams from information architects, vendor management, service owner, Compliance, documents validation, test management and change management Functions.
Nevertheless it is quite rare to meet business representatives that obtain feedback about requirement feasibility or propensity towards alternative solutions; it is even more rare to meet Functions providing a project governance or a risk management support in order to assess, evaluate and quantify the security and information risks and to compare technical and operational solutions by performing ex ante impact analysis as a possible consequence of a deficient or lacking solution approach.
However in most industries certain approaches still prevail which aim to satisfy law requirements according to minimal compliance targets and not to a wider adequacy, higher strength or time validity and to prioritize solutions based on risks assessed in connection with the possible intentional or unintentional data misuse, incorrectness or lacking confidentiality.
This event typically occurs when already existing, but old and partial, solutions are considered for adoption and, in order for them to be integrated with new features, additional ex-post reconciliation checks are added to shelter outputs from fragile assumptions and continuous reworks are introduced to obtain the expected data alignment. This approach reveals itself as being only apparently cheaper since measured only in the short term but instead it requires increasing costs to retain the continuous alignment with the data feeding systems and to check and solve arising inconsistencies.
Therefore to develop robust privacy and IT security related solutions, any ex-post additional or corrective measure is to be avoided. When data are compromised or are likely to be so, at the very early stage, it’s needed to agree upon the involvement of the Privacy Officer, the IT Security and Risk Manager and, moreover, to enforce procedures to assess ex-ante how much a single process or product or service affects data protection and security, in short: the privacy risk.
In practice, no Privacy-by-Design approach will be possible until appropriate functions are involved since the initial project phases or the PIA process (which helps to assess privacy risks in the collection, use and disclosure of information) is systematically used to identify privacy risks, foresee problems and bring forward solutions and robust-by-default solutions are decided.
Molto interessante. A mio avviso la PIA formalizza un ulteriore elemento da far rientrare in quella cultura di governance olistica che spesso manca all’interno delle organizzazioni, generando così inefficienze, errori e interruzioni in molti progetti.