We see that the right to privacy is a fundamental human right. A person cannot fully be an individual without privacy. Lack of privacy, on the other hand, is like corruption and pollution that damages the society and environment. When there is privacy, there is trust and individuality, which also spurs innovation, when people have more space to be themselves, and thus, can flourish for the benefit of themselves and others. For organizations, we believe that privacy is about trust. An organization that can protect people's data and manage privacy, shows that it is responsible and can deliver quality in its products and services.
Our story dates back to 2014 when some of us were working in Finnish gaming companies. To understand how those mobile games actually worked, we ended up in our data protection work drawing with pen and paper a whole wall full of games’ data-flows. That’s how an idea started to form in our heads of a software tool that visualizes data-flows and identifies automatically applicable legal requirements across the globe.
Now, years after the GDPR has been applicable and CCPA enforcement looming ahead, we see that the root problem in data protection work has been shallow understanding of the interplay between business, ICT, and legal requirements.
We have observed that there is still a lack of data controller oversight about the network of systems, databases, and partner organizations into which personal data flows to. That leads easily to the loss of control of the ’data controller’ (Sidenote: Doesn’t even the term ’data controller’ imply that there should be control over data). One reason for this is perhaps that the data protection as a major service industry is still relatively young.
A specifically hard problem has been that data protection and privacy impact assessments (PIAs and DPIAs) on products and services are often conducted from too narrow and thus flawed perspective. Thus, true high quality products and services in terms of data protection and privacy are still at the moment rare on the market. Consumers have hard time finding high quality products in terms of data protection.
We want to change this! We want to see products, services and workplaces that are of high quality in terms of data protection and privacy!
To tackle to root problem of privacy work described earlier, we designed our tool so that it forces a process to conduct DPIAs or PIAs to a company’s products, services and processes by drawing a data-flow map of the processing. As the team participating in the PIA process is identifying systems, organizations, countries, and personal data in the data-flow map, the produced data-flow map simultaneously triggers automatic ’controls’ that detect legally significant requirements to be documented, as if a privacy lawyer was in the room looking the assessment process over the shoulders of the PIA project team.
The beauty of this approach is that it pushes people to see and think all aspects impacting on privacy, and once all company’s products, services and processes are described and assessed, the company has a full view of the company’s privacy risk status. Consequently, the content for the Record of Processing Activities -report is formed by itself, increasing an organization’s readiness to demonstrate accountability.
This approach of starting from data-flow maps differs completely from the vast majority of data protection and privacy software tools currently on the market, as the most common approach is to have a series of compliance question forms to be documented.
While for some lawyers the approach of assessing data protection compliance by addressing a question after question might feel suitable, the core of the problem remains unaccounted for, if the basic building blocks forming the personal data processing are not detected.
For this very problem, visualization with data-flow maps and systematizing via software automation the detection of applicable legal and policy requirements seems like the a working method to achieve truly comprehensive and in-depth DPIAs / PIAs. Thus, when this method is applied, it unveils many privacy risks to data controllers that way to often remain hidden, and ending up in giving an inaccurate view of an organization’s privacy risk status.
All in all, data protection and privacy are not only good and ethical business. Societal aspects of privacy are also critically important. For that reason too, it is of high importance that organizations’ are adopting truly effective methods to assess privacy impacts accurately. In the end, it will have a critical role how companies and products are developed, and how our societies will evolve in terms of protecting individual rights and democracies in the years and decades ahead.
PrivacyAnt | Franzéninkatu 21 A | 00500 Helsinki, Finland
CTO + developers
Chairman of the Board