Are Penalties for Privacy Breaches enough?

With the increasing occurrences of data breaches, consumers have called for an overhaul of privacy laws & higher penalties to be introduced. Increasing maximum penalties will no doubt focus the attention on executive teams of companies & their boards but may not deliver better outcomes to the consumers who are concerned about the management of their personal information. The real focus needs to be on the far more neglected topic of compliance.

A good solution to address these concerns would be to require all organizations to undertake privacy impact assessments, or PIAs. A PIA is a process for identifying the privacy risks raised by a given activity or function, starting with a thorough understanding of all relevant information flows, & then designing appropriate controls to mitigate those risks.

A PIA should be a key input into any ‘privacy by design’ strategy. It is impossible to design appropriate privacy controls unless you have first identified what the potential privacy concerns may be.

While the risk can never be eliminated, it is a much better approach in order to respond to & withstand a regulatory investigation if a PIA has been carried out. This is more important for ‘high privacy impact’ activities, such as those that involve the collection & use of sensitive information (like government IDs or biometric data), the use of personal information for profiling or targeting, or automated decision-making based on personal information.

In essence, while increasing penalties may grab attention, strong compliance processes, built on the foundation of an early & thorough risk assessment can help in reducing processing of penalties.

Are Penalties for Privacy Breaches enough?