Data Privacy. Two words that conjure images of barriers, complication and headaches to dozens of teams across organizations and governments sprinting to deliver new products and services in an increasingly agile world.
They are all keen to create value from the personal data they are gathering, or perhaps already hold; such ambition depends on complying with data privacy laws and regulations. It also depends on meeting the additional challenge of frequently having to do more with less, with budgets that have historically been stretched.
But what if it were possible to address any privacy compliance issues while a new app is being developed? What if an agile team were effectively able to “self-serve” its privacy needs? What if there were an intelligent workflow tool that enabled them to make informed decisions along the way? Such a tool would ensure that all compliance risks are taken into account before any new initiative is launched, rather than discovering after the event that there is a problem, with all the inherent costs and frustrations that brings.
Context is everything in re-using data
To achieve the ultimate goal of extracting value from data, you first have to build in control over that data. That means knowing what data you hold, having transparency over where it is stored, and understanding why it is collected and on what legal grounds. You must also know why it is stored and whether it was received from a third party. Context is everything.
Applying privacy mandates to the primary purpose for data collection (for example, a contract) and tracking it back to its source — the so-called data lineage — is not a "nice to have"; it is essential. Also important in this context is that the same data cannot necessarily be used for a secondary purpose — for example, to gain data insights in order to offer discounts and build customer loyalty, or to launch a new product or service — without reference to the relevant legal or ethical restrictions on data usage that will undoubtedly apply. A common example of not knowing the primary purpose of data collection is when organizations store information in large data lakes without tracking where the data originates. If that data is subsequently used for secondary purposes, the company may fail to comply with privacy legislation, which may have consequences for its business and commercial value.
For example, imagine a bank that holds significant volumes of data from customers who have mortgages, credit cards, or other such core services, defined in the bank's Register of Processing Activities (ROPA) as the purposes for which it processes personal data. Imagine also that an agile team is keen to access this data and market the launch of a mobile banking app to specific groups within this dataset, based on their payment behavior. Does the bank need consent for this secondary use of the data it holds? Is it allowed to identify an individual’s payment behavior, or must the data be anonymized? Is it advisable or mandatory to carry out a Data Privacy Impact Assessment? Can the marketing team access the data for broader purposes, and can the bank even sell the customer data it holds to a third party?
Consider another scenario. A company uses third-party credit scoring to determine prospective customers' creditworthiness, to the extent that such scores become an integral part of the customer acceptance process. For the most accurate picture, however, that same company seeks to compare a third-party score with other data it can access that reveals, for example, a customer's payment track record. Are companies allowed to process the data of credit scoring services for customer acceptance purposes? Can they share their own data for such purposes? Are there differences between countries with regard to processing and sharing this kind of data? And what does the company's ethical code state about these services?
Moving to intelligent tools and automation
A blanket data privacy policy seldom works; it usually sits on a shelf, gathering dust, or lies forgotten in a virtual drawer. Neither does it work to retrospectively apply personal data compliance checks to a product or campaign that is ready to launch. Building anything in isolation is likely to fail. And this is where technology can help.
Intelligent tools are needed to enable teams to identify and highlight privacy issues — and determine what is and is not allowed in terms of how personal data is being used — without them having to have expertise in data privacy and compliance areas. Simple question sets and prompts ease the privacy compliance journey.
These tools support a team's decision-making as they go along, enabling them to sprint with the assurance and confidence that what they are developing will meet the mandatory regulatory and compliance standards, as well as their own ethical commitments. Should they encounter an issue of particular concern, they can escalate it to their Data Privacy Officer (DPO) or legal team much earlier in the process, avoiding the legitimate complaint many DPOs and their peers have of only ever being consulted when it is too late to do anything about it.
EY is piloting tools that use labeling and rule sets to automate processes around data permissibility. These tools offer interfaces to a wide variety of use cases, such as enhancing data sharing across entities, organizations and jurisdictions, enabling advanced analytics, feeding Data Loss Prevention systems and optimizing an organization's Identity & Access Management controls over data.