Innovating in the time of coronavirus? Think Privacy!
You’ll know already that the General Data Protection Regulation (GDPR) requires companies to have appropriate technical and organisational measures in place to ensure that data protection is built into their processing activities and business practices.
Did you know, it’s now a legal requirement to consider data protection and privacy issues upfront in everything you do to help ensure both compliance and accountability? This is particularly important when you’re innovating or using new technologies involving personal data. We can see just how important this is with the current focus on developing a coronavirus tracking app and the potential impact on individuals’ privacy. If you are considering introducing a new system (e.g. cloud-based HR/accounting system), app (e.g. health/tracking) or new process (e.g. facial recognition software) we recommend you consider the following:
- Be Proactive & Preventative: when designing a new system or process, identify poor security and risky privacy practices early on, then commit fully to improve them before they can do any real harm. Don’t just carry on regardless!
- Privacy as the Default: individuals’ personal data must be protected, without requiring their input; it should be safe by default. You must ensure that the collection of personal information is fair and lawful. Ask yourself when innovating, do you have a lawful basis for processing this personal data?
- Embed Privacy into Design: do not bolt privacy on as an after-thought when designing a new system or process. Wherever possible, carry out detailed Data Protection Impact Assessments, clearly documenting the privacy risks and the measures you have put in place to mitigate those risks.
- Full Functionality: Privacy considerations should not be seen as a limiting factor when innovating or designing systems. Transform any non-compliant privacy issues in such a way that they add value to the end product/process.
- End-to-End Security: You must be able to ensure the security and privacy of personal data from the point of initial collection, right up to the point it is no longer needed. Measures could include encryption, regularly testing backups, strong access controls, secure destruction and effective user training. Without strong security, there can be no privacy.
- Visibility & Transparency: This is key in demonstrating your accountability and compliance with the GDPR. Ensure that you have appropriate contracts in place between you and any 3rd parties/sub-processors; update and publish privacy notices to all stakeholders assuring them that privacy by design and by default is at the heart of your new system/process.
- Respect for Privacy: Think privacy first! The GDPR demands that individuals’ rights are respected at all times. Remember individuals have the right to be informed, the right to access their data, and the right (in some cases) for their data to be deleted. Empowering individuals to play an active role in the management of their own data may be the single most effective check against abuses and misuse of privacy and personal data.
Placing privacy at the heart of your innovation and promoting transparency at all stages of development will help to build trust with the people whose data you’re innovating with. The success of your innovation, may well depend on it.
If you could do with some data protection guidance and like the idea of it being easy and relevant to your business, please get in touch by phone or email.