Accountability follows the data and why it matters to Data Protection Officers building trust.
Article contributed by AsiaDPO
Great Expectations
The characters in Charles Dickens’ penultimate work held great expectations. Pip is the orphan whose life was changed by an unknown benefactor, elevating his wealth and social status. His transformation into a gentleman had unintended affectations for his conscience, loyalty and love.
Likewise, great expectations are placed on technology to better the human condition1 (as it did for Pip). The affordances2 of “–tech” neologisms3 come with benefits and risks. They can change perceptions and expectations, like handles that afford grasping and doors that afford gaining entry or exit.
It is critical to translate how humans and technology are affected by intended or unintended design choices. We offer some Data Protection Officer (DPO) insights on such expectations and what can be done to meet them.
Technology, Privacy and Data Protection
Technology’s impact on information privacy, personal data protection and data management systems are not insignificant. It can affect consumer trust, business confidence and change practices.
As laws that impact data uses are embedded into diverse legal systems, cultures and values in the Asia-Pacific region, they can present unique challenges to businesses in multiple jurisdictions.
While DPOs strive to meet reasonable expectations of privacy and security, there are greater expectations afoot. Privacy may be fairly new in most parts of Asia, but data protection is not. DPOs have always held their organisations to account, in the sense of legal responsibility and compliance, for data collected and used. What has changed today?
Technological Affordances
Data can now be collected at scale and be kept for longer than intended. A data warehouse can fit on a thumb drive or sent to “cloud”. Photos and memories are shared effortlessly. And more significantly, the relationships between collecting, using and sharing data can be amplified or accumulated.
More organisations are handling and managing data as controllers or processors without realising the depth and scale of the data being mapped or the resulting consequences. It is not surprising that individual expectations of information privacy and control over data are changing because data is abundant and privacy is scarce.
Turning to Practices: Not Who, but What
In Singapore, many of us who saw these changes came together in 2016/2017 to form a society to help develop capabilities that can match this turn to practices.
AsiaDPO remains the first and only self-organising, peer-to-peer registered society to represent an active community of DPOs in Singapore.4 AsiaDPO exists to support DPOs in their interaction with the affordances of technology. This is the DPO in action, in practice.
The DPO in Action
The DPO is uniquely placed as witness to transformations in the on-life world5 , balancing data use and protective outcomes. As agents of change in our own right, we can rise to the challenge to meet and exceed expectations by accepting the call for accountability-based practices across borders.6
Raising awareness about data protection through accountability based practices remains a key priority. We have front row seats to a quickening of accountability as a cohesive principle.7 We have pragmatic regulators in our own backyard such as the Infocomm Media Development Authority (IMDA) and Personal Data Protection Commission (PDPC) who are leading the way.8 DPOs in Singapore can trust PDPC’s pragmatic and consultative approach with communities of practice like AsiaDPO to address the confluence of law, technology and cultural digital economy. You just have to join the conversation with AsiaDPO.
Change Agents
How do these changes apply to you?
Schools have data on students. A charity or a non-profit organisation stores data on its donors and recipients. A tech start-up collects data from its users.
The commonality is not data. It is the information about people, children, parents and family viewed as relationships; the poor, sick or elderly understood as human conditions; mass consumers or minority groups recognised in their relevant economic contexts.
Information accountability in this way creates the strong link between humanistic expectations and data protection obligations. This calls for a balanced regulatory regime that achieves protective outcomes for the individual, organisation and society, while at the same time remaining flexible, drawing expertise from communities of practice. In Singapore, AsiaDPO had championed accountability-based principles with IMDA and PDPC well before 2016 and since our incorporation in 2017.
The Accountability Principle
What is accountability?9 Put simply, organisations that collect, process or use personal data should take responsibility and demonstrate they are accountable for its protection and appropriate use (including any misuse in their care) beyond mere legal requirements.
In short, accountability should follow the data.10 By collecting data, you remain accountable even when it changes hands or moves from one jurisdiction to another. The DPO follows the data trail to demonstrate this.
The Accountability Practice
As a practical matter, checklist compliance or holding onto a static set of rules and standards will no longer be enough.11 The sea change is a fine balancing act of innovative use and data protection. It depends on how we think about the decisions we make. In making this shift, we cannot ask – “can you give me a list of what to do to comply” or “what do I need to get me across the line”.
The expectation is to robustly assess organisational principles against practices that can fundamentally demonstrate how we think on data use. It provokes us to critically ask questions: what is your commitment to personal data, what is the provenance of that data, why is the user’s privacy important to your company, who is accountable for what data, what are the values or principles underlying the legal requirements or business practices, and what dynamic mechanisms can ensure personal data use is defaulted to accountability principles.12
The DPO Practice
What can be done? Taking a pragmatic approach with privacy and security built-in is a good starting point. This informs the “how” in thinking about data use.
For example, the NRIC number can reveal a person’s identity. Building security has worked with management to limit NRIC collection for security reasons. A visible demonstration of good practice that builds trust is encouraging for all of us.
For experienced DPOs, managing changing expectations around scale and size of pre-existing data protection management programs or privacy impact assessments will be a major preoccupation. Integrating accountability into broader objectives would help organisations manage that change. Many of us are turning to data protection by design to integrate privacy into the product lifecycle.
Regardless of team maturity or size, this is the time to get a seat at the top table. There is no better time than now for DPOs to secure support for the right combination of capabilities, competencies and resources in your company.13
Future Expectations
Finally, there are future expectations as to what is fair and just, and even talk of a duty of care. Too much data makes it easy for bad actors to target customers. It is timely to look at existing or new data governance practices with fresh eyes, to maintain chains of accountability and trust across systems. It is a best practice to disassociate data. Embed privacy preserving practices into your tool kit.
It does not mean companies cannot collect data as legally required or necessary to deliver services or build products. It simply means organisational decisions are guided by an accountability framework as to what data, to whom and why; mapped to responsibility for what data and why.
Over time, accountability by design becomes synonymous with privacy and data protection, as industry best practices.
Come Join the only Community of Practice for DPOs
AsiaDPO is a unique gathering place for DPOs not available elsewhere.14 We connect DPOs seeking critical discourse; we provide a peer-to-peer environment for DPOs to communicate and share with each other and have external dialogue with academia, key influencers and regulators under the Chatham House Rule. AsiaDPO has stimulated learning and served as a safe place for authentic dialogue, mentoring or coaching and self-reflection. We have captured existing expertise, added new insights and helped to organise DPOs as a community practice for tangible results.
The value of a community of practice is the co-created knowledge and expertise from active and engaged members. To best serve our membership, we will continue to curate knowledge to advance practice-led issues with a unique DPO perspective. It is in our plan to encourage greater collaboration among members for a productive DPO culture of learning. We are increasingly looking for new ideas or input into the evolving DPO in action. And we want to promote the work of our members through informed discussion and sharing with key influencers.
For over two years, we have combined data use and accountability as conjoined themes; those who have attended our workshops at the PDPC Seminar know this. We are also getting noticed, with requests by ASEAN regulators to deliver DPO-led best practice workshops. To be more impactful, we need you and your perspectives.
We are still ahead of the curve in integrating accountability into critical DPO capabilities. Our contributions align to the great expectations of managing data convergences. In true Dickensian style, we hope to realise as Pip did – great expectations of wealth and social status are less important than loyalty, friendship and compassion - in the DPO community of practice.