Privacy impact assessments, privacy by design, audits, reviews, privacy health checks and algorithmic impact assessments
Much of the data in organisations is about people, their lives, what they do, where they go, what they buy, what they like, what they say, what they look for, what they do for entertainment and so on – it is personal information and, in many instances, is thus subject to privacy and data protection requirements. Increasingly, decisions impacting people are made by algorithms through automated decision-making. Our experienced staff have led, quality assured, supervised and conducted hundreds of client deliverables, including privacy impact assessments, privacy by design, algorithmic impact assessments, reviews and privacy health checks.
Privacy impact assessments and privacy by design
Privacy impact assessments (PIAs) help identify and minimise privacy risk. They are generally required for projects, systems, technologies or processes that are likely to have a high privacy impact, due to, for example, the effect on the individuals whose data it is and on other stakeholders in your ecosystem, the amount of data, or its sensitivity or complexity. The earlier a PIA is done, the more that privacy can be built into the design. To learn more about when to conduct PIAs, download our paper on 'What makes a great PIA?'.
Privcore undertakes PIAs to help you maintain the trust and confidence of your customers and other stakeholders in your ecosystem. Privcore delivers comprehensive and robust PIA reports with prioritised practical recommendations so that the most effective actions can be taken where needed to minimise privacy risks. Privcore has partnered with TrustArc, which provides a leading technology platform to help manage the PIA process, on client request.
Reviews and privacy health checks
Reviewing your organisational practices to identify where your high-risk privacy issues lie should be a routine part of your internal or external review or audit practices. These are also referred to as privacy health checks or privacy assessments. Privacy health checks generally involve discussions with staff and reviewing systems and processes to assess where your high privacy risks lie, so that you can prioritise your resources to focus on managing key risks.
Privcore undertakes reviews and privacy health checks of your operations as a result of complaints, mergers and acquisitions, new privacy/data protection laws, assurance processes, accreditation requirements or regulator-initiated activity. These are conducted over a particular part of an organisation or organisation-wide, wherever operations are conducted locally and globally. Privcore applies privacy frameworks suitable to your organisational and jurisdictional context.
Algorithmic impact assessments
An algorithmic impact assessment (AIA) can help identify issues around data quality, transparency, bias, harms and failure points. AIAs, like privacy impact assessments, often involve internal and external stakeholder consultation processes. Conducting an AIA early (like privacy impact assessments conducted early to build in privacy by design) helps determine where risks lie and whether those risks are proportionate to the objectives sought. AIAs also increase social licence, confidence and trust in automated decision-making processes and help create greater accountability.
Privcore assesses the risks of introducing AI-enabled products and services using PIA and AIA frameworks and methodologies.
Data breach prevention and recovery
The number of data breaches is escalating due to increasing attack surfaces, underinvestment in privacy and security, and remote, work-from-home environments. Privacy and other regulators globally require notification of certain privacy incidents. Requirements vary slightly in each jurisdiction.
In Australia, for example, the Office of the Australian Information Commissioner (OAIC) needs to be advised of eligible data breaches, which refer to the unauthorised disclosure of, access to or loss of personal information that is likely to cause serious harm to the person to whom the information relates. The OAIC reports on the causes of data breaches. The majority of data breaches are due to human factors such as falling for phishing attacks, which can be thwarted if phishing-resistant forms of multi-factor authentication are used.
Data breaches rapidly become an ecosystem problem. One entity’s poor security practices can massively impact the security footprint of other entities. For example, the proliferation of data breaches exposing attributes of individuals means that data points like date of birth, address, mother’s maiden name etc. are no longer secure methods of identifying individuals. Trust becomes a two-way problem – individuals don’t trust entities and entities don’t trust individuals.
Our experienced staff help clients respond to data breaches in ways which restore trust with customers. Privcore assists with responding to data breaches, including regulator and customer engagement strategies and developing data breach response plans and breach simulations (preferably prior to a breach). Privcore has partnered with Iron Bastion, a cybersecurity company, to provide the technical expertise to make your systems less vulnerable to data breaches caused by, for example, phishing.
Outsourced privacy officer
Not all organisations have the budget, size or expertise to have a chief privacy officer. Yet, every day, organisations are struggling to meet the demands of their customers in terms of how their personal information is handled. Frequently, the role of the 'privacy officer' is given to a staff member without the requisite level of expertise and skill set to identify privacy risks and respond to customer concerns. Often they simply don't respond. The lack of capacity and capability leads to reputational harm and lost business.
Where internal capability does not exist or needs to be augmented, Privcore provides outsourced privacy officer services on a retainer basis. Services include building privacy programs for organisations to help uplift privacy maturity.
Thought leadership, research and advisory
Privcore provides thought leadership, conducts research and training and provides strategic privacy advice to clients.
Our staff are thought leaders and frequently present at conferences and publish research. We have extensive research experience in areas such as automated decision-making, biases in artificial intelligence, metadata retention, privacy law reform, the right to be forgotten, data localisation, governance of data, mandatory data breach reporting, cyber insurance, cross-border data transfers, multi-factor authentication, cloud, and privacy certification frameworks including cross-border privacy rule systems. Visit our publication page to see some examples of our work.
Privcore provides strategic privacy advice and creates bespoke privacy courses and materials for its clients. Privcore also develops customised cookie policies and notices in compliance with GDPR, CPRA and other privacy requirements, and has partnered with Cookiebot, which automates the management of consent processes for website visitors.
Governance of data
We are at a pivotal point in history – technology is changing our lives rapidly both for good and bad and needs to be governed. We need to build core human values and ethics into our products and services. We must keep individuals at the centre and build technology that respects human values, including privacy and security.
Download our paper on "Data is your organisation's core business: Are you prepared to govern it?"
Cross Border Privacy Rules
In April 2022, the Global CBPR Forum was established to provide an international certification system based on the APEC CBPR System. The APEC Cross Border Privacy Rules (CBPR) System helps businesses do business with one another using a common data protection framework.
Now, not only can APEC member economies participate, but also economies outside APEC, thereby facilitating global trade whilst protecting personal information flows.
In a report published by APEC, lead author Annelies Moens looks at the benefits of the CBPR System from a multi-stakeholder perspective.
Machine decision making is replacing human decision making. Machine decision making is a tool to assist human decision making. They are both fallible on their own, but together can optimise decision making, so long as biases and other flaws are recognised.
Privcore staff have looked at the trends impacting levels of trust in organisations and explained different types of artificial intelligence (AI). There are numerous pitfalls and biases in both human and machine decision making. Privacy and algorithmic impact assessments can improve AI so that it is more trusted and accountable to society.
We have been involved in a range of work regarding artificial intelligence, technology and change. See some of our published examples.