Need to trigger data protection impact assessment
Michael Irene is a data and information governance practitioner based in London, United Kingdom. He is also a Fellow of the Higher Education Academy, UK, and can be reached via firstname.lastname@example.org; twitter: @moshoke
March 8, 2021
Mark has just started working at a new fintech company as one of its software developers. He knows how to build products that make customers' lives easier. Now his new employers want him to manage and deliver a product before the end of the quarter.
Excited, Mark gathers his team, and they look for the best way to build the product without disrupting the existing business. Mark sets out to build it, and since the company has no data protection officer, he pays no attention to privacy-by-design or to any data protection principle during development. No data minimisation, no encryption, and no retention and deletion procedures are embedded in the new product. To meet the deadline, Mark and his team build it fast.
The founder of the fintech company, Seindemi, thinks the product is super cool. He calls a meeting and asks for a full presentation of the new product's functionality. He is proud of his team.
Seindemi, a boisterous entrepreneur and a thinker of grand ideas, quickly launches the product with fanfare. He invites journalists, salespeople and well-known figures in the tech industry to witness the unveiling of a product that would change the face of banking in Nigeria. Everyone, as expected, is wowed by the product and what it promises to do. They can hardly believe that such a product could be made in Nigeria, by Nigerians.
Months go by, and the product begins to generate media attention of the kind most chief executive officers dread. A breach happens. Customers' sensitive personal information is published openly after they integrate the new product into their existing accounts, as the company had advised them to do. One customer takes to social media and explains how it all happened.
Until then, she had been enjoying the services of this fintech company. The platform, the service and everything else about it met her requirements. She had no complaints.
Then she learned that she could get even better service by attaching the all-new add-on the founder had been talking about across various media platforms. As a loyal customer, she quickly added the tool to her account. From then on, everything went wrong.
First, someone initiated a bank transfer from her account that she had not authorised. She reported it to the bank; they refunded her money and told her it would never happen again. Next, she started receiving text messages from marketing agents about surgical implants, a private interest she had only ever searched for online now and then. Then she found her bank account details published on a website.
She took to social media and narrated her ordeal. Her boldness inspired other frustrated customers to share their own experiences.
The founder, now furious, came out to apologise and promised to take care of the situation. But by the time he made the announcement, over ten thousand customers had already left. Had Seindemi paid attention to privacy and carried out a data protection impact assessment before launch, these problems could have been identified before the product reached customers. Furthermore, had he appointed a data protection officer, they could have advised on the appropriate data protection steps during product development.
Companies, regardless of industry, must know when a data protection impact assessment is triggered before launching a product, and must build the privacy-by-design principle into product development. Under regimes such as the GDPR, a DPIA is required whenever processing is likely to result in a high risk to individuals; a new financial product that processes account data at scale and links it to existing customer profiles, as in this story, is exactly that kind of case. These steps help companies avoid reputational damage and build products that carry minimal data privacy risk.