The belief that everyone has a right of privacy, including data privacy, is the base of all the work that we do at Least Authority. Key aspects of building privacy into systems are ensuring that users are aware of the use of their data and enabling them to have choice in how their data is used. For that reason, we have decided to offer a new type review in partnership with Castlebridge as part of our consulting services: Privacy Reviews.
Data Privacy is intertwined with data security, but they’re not the same. Data privacy focuses on the proper handling of data – including factors like consent & transparency, data minimization, limits on what data is collected and how long it’s kept, and who data is shared with. Data Privacy is also about empowering users by giving them tools to make smart choices about how their data is used and by whom, and to engage with organizations when it’s not being used fairly. Data security, on the other hand, is the process of safeguarding digital information from unauthorized access for the purposes of confidentiality, integrity and reliability. Although much of our consulting work is focused on data security, we always consider how data is handled, and that data privacy is incorporated into the process by design.
Since 2014, we’ve completed over 200 security audits, and we’ve observed that most technical security reviews don’t fundamentally question the intentions of the systems (or the organizations who control those systems), when it comes to user data privacy. Sometimes the scope of our security-focused reviews is more extensive and we focus on multiple areas of concern related to the privacy in a system. However, this still tends to be limited to specific concerns and does not look at privacy throughout the system.
Similarly, our colleagues in the data privacy space admit that while privacy or data protection impact assessments, might consider how data is used and ‘confidentiality, integrity, and availability’ at a high level, they rarely dig deeply on the technical implementation questions, and almost never look at the code. We also discovered that even when teams take the time to do both reviews, they still walk away feeling like their systems haven’t really been fully assessed. It’s two different groups, looking at the world differently, and not talking with one another enough.
We hope to change this by assessing technologies and systems holistically – combining the best of both worlds, including assessing how choices made at the business or engineering level governing the use of data may also have technical, regulatory, and societal impacts.
Based on our belief that all humans should have a fundamental right to privacy, it makes sense to analyze systems and verify that organizations are effectively supporting this right. Although this is not currently the industry standard, we believe it should be. Our holistic Privacy Review approach can meaningfully help organizations identify areas where technical and organizational measures could be improved, build better, more secure, resilient, and privacy-preserving systems. And by publishing these completed Privacy Reviews, we can foster genuine transparency and increase user confidence.
During this past year, we’ve been discussing ways to incorporate this extension of our reviews into a standard offering to our clients. Thus, we are very excited to announce our new partnership with Castlebridge, a data strategy, governance, and data protection compliance consultancy. Since 2009, Castlebridge is known for pragmatic advice on the business of data and is providing a range of advisory and education services in data protection, data ethics, data management, data quality, data strategy, and data governance. With Caslebridge expertise in these areas and our technical expertise, we can assess technologies and systems holistically. We expect that our clients will benefit from this partnership and, by extension, the users of their systems.
Stay tuned and look for more blog posts from Least Authority and Castlebridge. Feel free to contact us about doing a Privacy and Security Review for your organization.