Privacy by design and privacy impact assessments
Current developments
‘Cloud Computing’, ‘Big Data’, ‘the internet of things’ and computer-related crime greatly influence the development of privacy law. Numerous new products may entail far-reaching consequences for privacy issues. It is of the utmost importance to assess the privacy impact, so that penalties can be avoided and products won’t have to be modified later on to make them meet new legal requirements. Issues such as data protection and transparent, reliable and verifiable processing of these data play an essential role.
Current legislation
As a result of technical developments, new privacy laws continuously need to be drafted. In the Netherlands, EU Directive 95/46/EC has been transposed into the Personal Data Protection Act, and the Dutch Data Protection Authority issued guidelines in March 2013. The Personal Data Protection Act will be amended, and in 2016 the new EU privacy regulation will enter into force. This regulation will have direct effect in all EU member states.
Business and industry will have to take the fullest account of the far-reaching impact these measures will have for the protection of privacy. Risk analyses will have to be made to guarantee a suitable level of protection so that data leaks and unlawful data processing may be prevented.
The everyday reality is that privacy legislation is usually overtaken by events. However, the existing rules offer some flexibility, so that we can, to a certain extent, be held to adapting privacy measures to the state of the art. Companies are obliged to analyse possible privacy risks and take protective measures.
Privacy by design
Privacy by design is the new trend when protective measures are called for. It means that privacy risks should be mapped before a system that could affect privacy is built or put into operation. Privacy protection is not going to disappear, as some of the social media gurus claim. On the contrary, privacy protection – like green energy – is seen as a unique selling point.
Privacy Impact Assessment (PIA)
Security companies have developed so-called penetration tests to check existing systems for protection against hacking and unwanted access to personal data.
A Privacy Impact Assessment (PIA) is a new phenomenon. NOREA, the professional organization of IT auditors, has published a kind of PIA manual. Most consumer appliances, such as medical devices, robots and sensors in health care, and all kinds of ‘connected devices’ will soon send privacy-sensitive data to the cloud. To avoid creating an obstacle to further progress, the privacy impact should be assessed in time so that suitable measures can be taken for the protection of privacy. Business and industry will have to take these measures themselves, and a PIA is an essential tool in that process. Legal advice is a prerequisite when seeking the boundaries of what is legally possible.
We will be pleased to advise you.
Bob Cordemeyer, Irvette Tempelman