Managing First-Time-Right the Privacy of Personal Data

Good digital governance measures management capability to check the organization’s maturity to assure the privacy of personal data in engaging customers, consumers, partners, and personnel with a digital technology-enabled service delivery system.

Good governance of digital technology-enabled customer relationship systems is demonstrated knowledge of the clear, coherent, and complete performance areas of data privacy assurance.

Data privacy assurance is a digital governance demonstration of ethical behavior outcomes associated with achieving the registered legal purpose of the organization. It indicates the implementation of a governance oversight function to protect the organization and its customer from the risks created by privacy violations and related cybercrime against information security.

Performance speaks of a determined, described, and documented list of capabilities to complete the creation of a value, Value is commonly agreed as the good that protects a legitimate interest and realizes mutual benefit for the human person and community.

Privacy is a value. Personal data is a value.

Personal data are “facts” associated with a person. When the facts are processed as “meaningful facts,” it then identifies the person to meet a purpose. The purpose is either beneficial or harmful to a person.

Privacy is freedom from intrusion into the private life or affairs of an individual or person when that intrusion results from undue or illegal gathering and use of data about that individual (ISO 2382)

Privacy of personal data is a protected human right supported by international and local laws and regulations.

The commonly referred to international regulation for the practice and penalized violation is the European Union Council General Data Protection Regulation (GDPR). The international enforcement of the EU directives on data privacy has influenced both EU and non-EU countries to consider GDPR as a normative reference in crafting their local data privacy law

The privacy rights of personal data are mandated feature or functional requirements in the design, development, and operation of information and communication systems that enable the Data Subject to exercise the following:

1. The right to be informed – privacy notification

2. The right to give consent – privacy consent form

3. The right to access – the procedure to permit viewing and participate

4. The right to object – the procedure to withhold or refuse

5. The right to erase or block – the procedure to withdraw or delete data

6. The right to rectify – the procedure to check data accuracy and to correct

7. The right to data portability – the procedure to request and download digital data

8. The right to complain – rules of procedures to file a complaint

9. The right to claim damages – rules of procedures for claiming damages

The privacy by design and by default digital data processing of meaningful facts about a person is mandated to apply the following in the system policy to protect the privacy of data in all of the information processing activities.

1. Privacy Principles

2. Lawful criteria

3. Information security controls

4. Privacy impact assessment

5. Data breach incident handling

6. Compliance registration and reporting

The data privacy regulated processes are directly linked to data collection, retention, use, sharing, and disposal activities of the information, record, document, knowledge, and communication system of the customer relationships.

There are international standards that are commonly adopted for a detailed understanding of the requirements in embedding data privacy protection and information security in the information and communication system that engage a Data Subject.

1. ISO 29100 – Privacy Framework

2. AICPA – Generally Accepted Privacy Principles

3. GDPR – EU Data Protection Regulation

4. ISO 27701 – Privacy Information Security Management System

5. BS 10012 Privacy Information Management System

6. SOC2 – System and Organization Controls

Customizing the data privacy requirements to match the business operating environment finds its valid and verifiable understanding with the use of international community-driven normative references pertinent to the implementation of laws and regulations on data privacy.

The connected trade and technology of the digital economy have made data privacy, information security, and cybersecurity as globalized requirements to assure trust on the ability of digital products and services to assure personal information confidentiality, data processing integrity, system availability, data privacy, consumer safety, and infrastructure resiliency.

To get started with the right things to do, it is good practice to use the open standards of reputable international bodies and regulators to guide the acquisition of common and inclusive knowledge of the underlying framework, metrics, methodology, intelligence, and technologies to support the whole of organization’s delivery of data privacy management integrated objectives and activities.

1. define and implement privacy procedures

2. pilot privacy governance

3. maintain a data inventory

4. ensure legal compliance

5. training and awareness

6. handle data subjects requests

7. manage security risks

8. manage data breaches.

(CNIL)