Data Privacy Test

Take a five-part test to determine the level of risk your data processing activity gives rise to.

Privacy principles are the foundation of data protection laws. Many of us have probably heard of different versions of it by now. Notice that they vary in number and nomenclature but all point towards the same goal: give people control over how their personal data is processed. There are others, however, that still find it too technical to comprehend.

Recognizing this, research and consultancy firm, the LIGHTS Institute, developed a five-part Data Privacy Test. It is meant to encourage people to take the time to identify any red flags in their data processing activities by asking five simple questions:

1. Is it necessary? These days, any time our personal data is subjected to data collection activities it is almost always in exchange for something. It may be a perk, a chance to win a prize, or access to something or somewhere. It seems people have largely accepted it as a norm. But as a responsible organization, you have to ask yourself if processing personal data is really the only way to achieve your goals. Remember, using personal data entails risks and compliance requirements. Are you ready to take on such additional responsibilities? Do you think the benefits outweigh the risks?
   

2. Is there a less intrusive means? Having determined that it is necessary, there usually are several ways one can go about meeting its objectives. You can, for instance, decrease the personal data to be processed or use a simpler and safer technology. You need to choose the method that protects individual privacy the most.
   

3. Is it legal? Necessity does not always equate with legality. As is true in other aspects of our lives, there are parameters that we need to recognize and respect if we are to be allowed to process personal data. For this reason, you need to identify all the laws and policies that apply to that which you are about to do, and single out those provisions that justify your data processing. If in the end you come to the conclusion that there is actually no such provision, that is a sign for you to seriously reconsider your plan. There are, after all, serious consequences when one breaks the law.
   

4. Is it expected? Even with the prevalence of data collection in modern daily life, there are still many people who are unaware or have no idea that their personal data is being processed or how. And it’s not due to an apparent lack of willingness and effort to know on their part, but rather because businesses and governments are often not transparent about their data processing activities. In some cases, they really make it hard for regular folks to understand their systems. It’s as if they’ve forgotten that necessity and legality are not valid excuses for their abject lack of transparency. Sure, there are exceptions to the rule. But people should generally be aware you are processing their personal data before you go about doing so. And when you explain it to them, it should be in a language they understand, and in a medium they have ready access to.
   

5. Can you protect it? Personal data can be business assets, but they are not just that. Keep in mind that they are tied to an individual whose lives stand to be affected when those data become compromised. Since risk is inherent in data processing, you, more than anyone else, must know what dangers lie out there if you move forward with whatever data processing it is you want to do. You then need to adopt all appropriate means to prevent them from happening, or at least to minimize their impact. There is that old saying among information security professionals: if you can’t protect it, do not collect it.

Just by asking these simple questions, a person is able to carry out a simple yet effective assessment of a particular data processing activity—using a data privacy lens. If you answer at least one question in the negative, then you have an issue on your hands. Before proceeding with your plan, you would have to address it first. Here, it is worth remembering that personal data processing is, more often than not, a privilege and not a right. Data privacy, on the other hand, is a fundamental one in a growing number of jurisdictions.

To learn more about compliance with the Data Privacy Act of 2012, its Implementing Rules and Regulations and relevant issuances of the National Privacy Commission, join the LIGHTS OLS: DPO ACE I on 23-24 February 2023 from 9AM to 4PM. For more information, visit www.lightsinstitute.com or inquire at learn@lightsinstitute.com.

This article first appeared on Rappler #CommunityPartner on Jan. 26, 2023.