The right to privacy is a fundamental human right and a crucial part of being a free human being. Privacy fosters trust and individuality. A society without privacy is neither free, creative, nor sustainable.
For organizations, managing privacy is about legal compliance, trust, ethics, and reputation. An organization that can protect people's data shows responsibility and commitment to its customers' and employees' interests and well-being.
Our story dates back to 2014, when some of us were working in Finnish gaming companies. To understand how various mobile games actually worked, we ended up drawing, with pen and paper, a wall full of data flows. From that, an idea started to form of a software tool that visualizes data flows and automatically identifies privacy risks and applicable legal requirements across the globe.
Now that years have passed since the GDPR and other privacy legislation became applicable, we've seen that the root problem in data protection work has been a shallow understanding of the interplay between business, ICT, and legal requirements.
Based on our experience, we can say there is still a great lack of data controller oversight of the network of IT systems, databases, and supply chains through which personal data flows. This leads to a loss of control by the 'data controller', who should have control. This is partly due to the fact that modern data protection as an industry is still relatively young and best industry methods are still forming.
A particularly hard problem has been that data protection and privacy impact assessments (DPIAs and PIAs) of products and services are often conducted from too narrow, and thus flawed, a perspective. Truly privacy- and data-protection-friendly products and services are therefore still rare on the market. We strive to change this, and to help companies develop products, services and workplaces that meet high standards in privacy and data protection.
Visualizing makes privacy approachable to your staff and reveals hidden privacy risks, tackling the aforementioned root problem of data protection work. We designed our software to guide users through a DPIA / PIA by first drawing a data-flow map. As the teams participating in the DPIA / PIA process identify systems, organizations, countries, and categories of personal data in the data-flow map, the software simultaneously triggers automatic 'compliance controls' that detect the legal requirements to be documented. You can think of it as having a privacy lawyer in the room pointing out legal aspects while your team designs or assesses services and processes.
The beauty of the approach is that it pushes people to see and think through all aspects affecting privacy. Once all of the company's products, services and processes are described and assessed, the company has a full view of its privacy risk and compliance status. Consequently, the content of the Record of Processing Activities report forms by itself, increasing the organization's readiness to demonstrate accountability.
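The mechanism described above, compliance controls firing as nodes and edges are added to a data-flow map and the Record of Processing Activities being derived from the same map, can be modelled as a small rule engine over a graph. The following is an added example written for this page; it is not PrivacyAnt's code, and its rules, country sets and article mappings are illustrative simplifications (for instance, it ignores that an adequacy decision can be organization-specific, as with certified recipients under the EU-US Data Privacy Framework). The systems and flows at the bottom are constructed sample data.

```python
# Added example (not PrivacyAnt's code): a toy rule engine over a data-flow map.
# Nodes are systems (organization, country, role); edges are flows carrying
# personal-data categories. Each 'compliance control' fires when a pattern
# appears on an edge, and the same map is folded into Art. 30 RoPA fields.
# Country sets and article mappings below are illustrative only; a real tool
# must track current adequacy decisions and take legal advice.
from dataclasses import dataclass

# Illustrative subsets (constructed for the example, not authoritative lists).
EEA = {"FI", "SE", "DE", "FR", "NL", "IE", "NO", "IS", "LI"}
ADEQUACY = {"GB", "CH", "JP"}  # countries with an EU adequacy decision (subset)
# GDPR Art. 9(1) special categories, as data-category labels used on flows.
SPECIAL = {"health", "biometric", "genetic", "racial_or_ethnic_origin",
           "political_opinions", "religious_beliefs", "trade_union",
           "sex_life_or_orientation"}


@dataclass(frozen=True)
class System:
    name: str
    organization: str
    country: str          # ISO 3166-1 alpha-2
    role: str             # "controller" or "processor"


@dataclass(frozen=True)
class Flow:
    source: str           # System.name
    target: str           # System.name
    data: frozenset       # personal-data categories carried on this edge


@dataclass(frozen=True)
class Finding:
    control: str
    basis: str
    where: str


def run_controls(systems, flows, controller_org):
    """Evaluate the compliance controls over every edge of the data-flow map."""
    by_name = {s.name: s for s in systems}
    findings = []
    for f in flows:
        dst = by_name[f.target]
        edge = f"{f.source} -> {f.target}"
        # Control 1: recipient outside the EEA (Chapter V transfer).
        if dst.country not in EEA:
            if dst.country in ADEQUACY:
                findings.append(Finding("Document reliance on adequacy decision",
                                        "GDPR Art. 45", edge))
            else:
                findings.append(Finding("Transfer safeguards (e.g. SCCs) and "
                                        "transfer impact assessment required",
                                        "GDPR Art. 46 / Chapter V", edge))
        # Control 2: data handed to a processor of another organization.
        if dst.organization != controller_org and dst.role == "processor":
            findings.append(Finding("Data processing agreement required",
                                    "GDPR Art. 28(3)", edge))
        # Control 3: special-category data travels on the edge.
        if f.data & SPECIAL:
            findings.append(Finding("Identify an Art. 9(2) condition; consider DPIA",
                                    "GDPR Art. 9 / Art. 35(3)(b)", edge))
    return findings


def ropa_entry(systems, flows, purpose, controller_org):
    """Derive the Art. 30(1) record fields that the map already determines."""
    by_name = {s.name: s for s in systems}
    recipients, third_countries, data = set(), set(), set()
    for f in flows:
        dst = by_name[f.target]
        data |= f.data                                   # Art. 30(1)(c)
        if dst.organization != controller_org:
            recipients.add(dst.organization)             # Art. 30(1)(d)
        if dst.country not in EEA:
            third_countries.add(dst.country)             # Art. 30(1)(e)
    return {"controller": controller_org, "purpose": purpose,  # (a), (b)
            "data_categories": sorted(data),
            "recipients": sorted(recipients),
            "third_countries": sorted(third_countries)}


# Constructed sample map (hypothetical organizations, not real data).
SYSTEMS = [
    System("crm", "ExampleCo", "FI", "controller"),
    System("analytics", "MetricsInc", "US", "processor"),
    System("occupational_health", "HealthPartner", "FI", "processor"),
]
FLOWS = [
    Flow("crm", "analytics", frozenset({"email", "usage_events"})),
    Flow("crm", "occupational_health", frozenset({"name", "health"})),
]

if __name__ == "__main__":
    for fd in run_controls(SYSTEMS, FLOWS, "ExampleCo"):
        print(f"[{fd.basis}] {fd.where}: {fd.control}")
    print(ropa_entry(SYSTEMS, FLOWS, "customer support", "ExampleCo"))
```

On the sample map the engine raises four findings: a Chapter V transfer and a missing processor agreement on the edge to the US analytics vendor, and a processor agreement plus an Art. 9 condition on the edge carrying health data; the RoPA entry lists both recipients, the four data categories, and the US as a third country. The point is that the legal obligations fall out of the graph's structure, which is what form-filling cannot see.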
The approach of starting from data-flow maps differs completely from the vast majority of data protection software tools currently on the market. An all too common approach has been a series of tick-the-box forms for employees to answer. That approach leaves privacy vague and abstract, whereas data-flow maps bring visual intuition and understanding to the underlying privacy risks and compliance issues.
Although some people still prefer the outdated way of assessing data protection compliance by just filling in forms, the core of the problem remains unsolved in that approach, because it leaves crucial technical aspects of personal data processing unidentified.
For this very problem, visualization with data-flow maps, with the software automatically detecting risks and applicable legal requirements, has proven to be the best method we know for achieving truly comprehensive and in-depth DPIAs / PIAs. Applying this method unveils privacy risks that often remain hidden, and consequently gives an accurate view of an organization's privacy risk and compliance status.
All in all, data protection and privacy are not just important for businesses. The societal aspects of privacy are also critically important. For that reason too, it is of high importance that organizations adopt truly effective methods for assessing privacy impacts accurately. In the end, this will play an important role in how companies and products are developed, and in whether our societies remain capable of protecting individual rights and democracies in the years and decades ahead.
PrivacyAnt | Franzéninkatu 21 A | 00500 Helsinki, Finland