Any reasonable implementation of privacy requirements can not be made through legal compliance alone. The belief that a software system can be developed without privacy being an integral engineering concept and that a privacy policy is sufficient as requirements or compliance check is at best dangerous for the users, customers and business involved.
While requirements frameworks exist, the specialisation of these into the privacy domain have not been made in such a manner that they unify both the legal and engineering domains. In order to achieve this one must develop terminological or ontological structures to aid communication between these domains, provide a commonly acceptable semantics and a framework by which requirements expressed at different levels of abstractness can be linked together to provide refinement of these in some form. One interesting effect of this is to almost completely remove the terms ‘personal data’ and ‘PII’ from common usage and to force a deeper understanding of the data and information being processed.
Once such a structure is in place and even just partially or sparsely populated this provides a formal framework by which not only requirements can be obtained, their application (or not) be justified and a proper risk analysis made. This has further advantages in that privacy requirements and their potential implementations can be explored through the software development process supporting ideas such as agile methods and ‘DevOps’ rather than being an ‘add-on’ exercise - a privacy impact assessment - inappropriately executed at inappropriate times.
No comments:
Post a Comment