Data privacy, impact assessment, and security-related system testing
Data privacy have become the norm for regulation, standardization and compliance regimes for everything data, vital to persons and businesses. Unlike the early days, data privacy laws have created favorable impressions. It depends on which side you are in. Geeks were dreadful of any kind of technology regulations and bureaucrats couldn’t hid their displeasure in new things as they play whip. Such regimes should be seen more as initiatives to improve the diffusion of technology for everyone and commit any kind of high technology build up into a more responsible social and economic instrument. With data privacy, its adaptation by all, which businesses were affected by the fact that we are not being careful how we use private data especially those being transacted online, is just a manifestation that there is a need for unsubtle formalization of, if not more echt in the, rules—our own in a manner that is, say, stringently and uniquely applicable for every purpose.
We can focus on data privacy, and still able to plug into its adjacency, especially, in the contexts of the bigger cybersecurity and risk management, both are board level responsibility. Some organizations need not necessarily adapt such setting, popular in literatures and advisory firms.
Here are basic queries, resonant of data privacy impact assessment with very specific take in an organization’s business units, that can be useful for either, if not all, data controller, compliance officer and data processor. A team or anybody, who’s responsible, can use it to exposit how data privacy is being administered not only for compliance purposes but also as a good complement to what any organization has been doing to record and store information, long before data privacy has made it to mainstream. You may find it different from those in public domains. No matter, it’s good to have a starting point that is easier to thread along including for data controllers who are not required to comply yet.
Take note that compliance, or relevant languages in every regulation or law, may have been defined in distinctive fashion, at least texts are not literally the same.
How much do we know about a solution’s service agreements, terms and conditions prior to its acquisition or installation and use?
Try these yourself, for your organization, here they are:
· What identification do you require when doing business with client?
· Are there any other people involved aside from the above, some 3rd-party?
· What data do you collect and how?
· Who is in-charge in data collection?
· Who has access to those data?
· Do you share data, with whom and 3rd-party?
· How often do you evaluate data sharing agreement?
· Can you identify details of data you are collecting, receiving including storing in your system?
· As data controller, are you completely aware and do you fully understand your role with data privacy frameworks?
The above doesn’t necessarily alter and obviously tell the responsible people, regardless of business unit they belong, that their role have been added with that of data privacy.
How would you do it for technology people? Systems? These are different.
In cybersecurity, there is the so-called vulnerability assessment and penetration testing, which can provide mechanisms to be used further to make sure security systems, expected to be relative, can accommodate necessary change, in their reinforcement toward data privacy. In our work, we have written the basics, mostly precautionary for clients who wants VAPT performed. Whether or not they want to use it, shows forthrightness and what they can expect in the job.
The individual person has different objective with data privacy. Consider personal, medical including but not limited to financial data. These are guarded by their respective laws. Data privacy is a bit more extensive. Could be all-encompassing even to complement subjects that have their law enforced on their own. The requirement is simple for the unsuspecting individual but tricky on data controllers or businesses that has huge holdings of private data. That private data will remain a responsibility of its owner, and control as well. The ownership and control, however, changes as soon as those data are shared with enterprising online platforms and portals. A complex password with multi-factor authentication activated, if available, would make access to personal accounts authenticated and authorized only and will not automatically make data private.
Especially true for entities holding private data, a big responsibility for them I supposed, but would be good always to share limitations, if any, in their system and security.
The practice to indemnify them from breaches via the old way of legal terms and conditions without the end-users clearly knowing the responsibilities involved seemed to have past even the archaic stage already.
Check smartphones' permissions granted to installed apps or software. One of the various media our data are being kept, another is where those data are stored and destined, either temporarily or permanently. Most of the time we left our apps in their default setting after setup or installation. We can turn-off those permissions that are not necessary for their functioning. We can allow, say, our email app to have access to our contacts, but we can also ask. Is contacts necessary for such an email app to function properly? All these permissions being required by any app, must be scrutinized or checked thoroughly. Either with computers, smartphones, IoT or any information system, their functions must be explicit, terms must be elaborated to assure stakeholders and the trusting end-users.
Data risks of subversion and exfiltration are real. And so, we, as end-users can try to limit the likelihood that our data are being abused. We need to be conscious when every time we share our private data. Then we watch and communicate with, if our data are being neglected by, the holding entities e.g. LinkedIn, Paypal and Internet resources available for us all.