DATA PRIVACY LAW

A quick guide on the concept- Privacy by Design

January 21, 2023 Leave a comment

Introduction

The concept of data privacy has been in papers way before the coming of the digital era, and so does the concept of Privacy by Design, which was introduced in the 90s by Ann Cavoukian, former Information and Privacy Commissioner for the Province of Ontario.

Privacy by Design (“PbD”) defines the nature of Privacy and how we must approach it. It means that at the beginning of an organization or a project’s existence, privacy must first be implanted, enabled and implemented into its very own foundation. Rather, than just looking at it from a compliance point of view and merely as a remedy against breaches and risks. Moreover, it should be adopted as a culture, and not as an add-on to your shopping cart list.

Let’s dive into how to implement PbD within an organization with its Seven foundational principles-

  1. Privacy measures should be “Proactive not Reactive”; “Preventive not Remedial”

Taking this viewpoint, it can make your team’s life easy and save your organization from huge penalties, here’s why- This principle discusses the very nature of privacy, and how it benefits and add value to an organization when it is proactively utilised. The reasoning behind the implementation of privacy should be to detect and minimize/eliminate potential threats, not wait for the potential threats to cause harm first, and then implement security measures. That’s not how privacy should work. An example of this could be- Conducting a Data Protection Impact Assessment before processing or Transfer Impact Assessment before cross-border transfers.

  • You must enable “Privacy as the Default setting”

This simply means that privacy must be implemented into the systems and processes as a default setting and by putting privacy at the forefront. Although, this looks the toughest to crack, however, it only minimizes the potential cyber risks. By enabling privacy as a default setting, your organization aims to achieve this by limiting the collection of data, not retaining the data after its purpose and ensuring that no users are required to act separately to protect their personal data. For example- having the personalised ads or precise location option turned off as a default setting.

  • “Privacy embedded into Design”

Privacy must be implemented into the skin of the products/services that you offer from its initial stage. It should be treated as an integral part of your business practice. Lastly, it shouldn’t be considered an add-on or a strategy taken as countering measures against risks. In simple terms, this principle states that an organization must thrive to provide privacy at all stages while offering the users with its products/services. For example, ensuring an end-to-end encrypted platform, giving users the choice of receiving targeted ads, etc.

  • Full Functionality – Positive-sum, Not Zero-sum

The fourth principle simply states that privacy by design is an approach which seeks to accommodate all legitimate interests, dismissing unnecessary trade-offs, and avoids all such false dichotomies such as privacy v security, etc, ensuring that by implementing privacy by design an organization could achieve a win-win scenario. For example, if an organization limits and minimizes data collection and data sharing, and destroys it according to its retention policy. This can ensure fewer security flaws, and enable users’ privacy to be at the forefront, without making any unnecessary trade-offs.

  • End-to-End Security – Full Lifecycle Protection

This principle simply states that data privacy & protection goes hand in hand, and shall be delivered during the entire lifecycle of the data. An organization must ensure all reasonable security measures are taken that are industry-recognized right from data collection to deletion. For example- During a cross-border transfer of personal data, an organization must conduct a transfer impact assessment in order to assess and analyse the potential risks, and only then move ahead with such transfers.

  • Visibility and Transparency – Keep It Open

This principle lays out that the privacy of the users means complete visibility and transparency of their data. To ensure this every organization must thrive to have easy-to-ready privacy and cookie policies. This could help users to understand exactly what happens with their data. Always remember, privacy is a trust-building initiative and has a direct impact on every organization.

  • Respect for User Privacy – Keep It User-centric

And, lastly, privacy only comes by putting consumers/users at the top. Organizations must keep in mind that at last they are processing their users’ data, and must ensure to keep it consumer-centric by granting them control and visibility over their data. Data privacy should come in line with respecting the users’ experience throughout. For example- a user must have the right to seek correction & erasure of his/her data from any platform.

Can organizations monitor employees under the GDPR?

March 19, 2022 Leave a comment

First published at Tsaaro Academy ( click here )

Introduction 

Do we have the right to privacy and can we enjoy it as a right especially upon our personal data when we are at our workplace? This is the fundamental question that this blog would be dealing with, from the perspective of the General Data Protection Regulation also known as GDPR.

Coming to the next important question as to what will come under the ambit of ‘personal data’? The simple answer would be- A personal data will include all the sensitive categories of data that are related to an identifiable natural person. The following are some examples of personal data-

  • Physical or mental health condition;
  • Sex life and sexual orientation;
  • Racial or ethnic origin;
  • Political opinions, religious beliefs;
  • Trade union membership;
  • Biometric data.

When it comes to monitoring employees, businesses and organizations are not new to this concept, rather the concept of surveillance is decades old. In order to understand and analyze this question, it is important to first understand the employee-employer relation, as we know that it’s an undisputed fact that there will always remain an imbalance of power between the two, which is why the concept of consent cannot be a relevant ground on claiming that such monitoring was genuine or not arbitrary.

Since we are living in the age of digitalization, we need to understand that anything we do either professionally or in our private sphere, we tend to leave our digital footprints on the internet which means that we can easily be traced by anyone and also we are opening doors to potential scammers and other related risks as our data is scattered everywhere on the internet that is also the reason why our ‘Data’ is the new gold/fuel for today’s businesses and organizations.

How is monitoring done on employees?

Monitoring of employees can be done easily through CCTVs, softwares and now we have spywares too. But what exactly will constitute ‘monitoring’ ? It can be monitoring an employee’s internet history, emails, financial transactions, call logs, his private chats with employees and/or with other people...continue reading