ONCE upon a time, there were three little Blue Dots who had to leave home and travel far and wide for an errand.
"You will start out together; but you, Little Sister Blue Dot, will stay with the nuns at the monastery in France. They wanted more blue in their paintings," said Big Mother Blue Dot.
"Macho Older Brother Blue Dot, I need you to go to Brazil," she added.
"Can I go to Argentina later?" Macho Older Brother Blue Dot asked.
"There's a multi-colored dot party happening later this month."
"Finish your job first; I'll think about that if you do a good job," said Big Mother Blue Dot.
"And you, Little Blue Dot, will travel around the world with your sister and brother, but come back to me. You'll probably be grown up by then," said Big Mother Blue Dot, with a tear in her eye.
"Do we go now, Mother?" said Little Blue Dot, eager for an adventure.
"No. First, we plan," said Big Mother Blue Dot, and the Blue Dot family spent the next few days talking about the details of the trip. Should they go to France first, or Brazil? Should they take a plane, or a ship? What's the weather like by the time they get there? Do they need to bring jackets, or an umbrella?
The trip went exactly as planned; Big Mother Blue Dot was very careful, and saw to it that no detail was overlooked. The little Blue Dots had umbrellas when it rained, and jackets when it was cold. They knew when to leave these behind, too, so they could travel as lightly as possible. And, as Big Mother Blue Dot expected, Little Blue Dot had changed by the time he got back home, alone.
Little Blue Dot was beginning to settle in when news of a fire in a monastery in France broke out. At the same time, there was a news item about hundreds of dots being taken hostage during a multi-colored dot party in Argentina.
Little Blue Dot panicked, but Big Mother Blue Dot was calm: "We know where your sister is. Find out where the fire is, before you panic. I'll check where your brother is."
Everything was settled within 30 minutes: the fire was in a different monastery, and Macho Older Brother Blue Dot was still in Brazil, though about to leave for Argentina. The multi-dot party he wanted to attend was a different one.
The story ends happily: Macho Older Brother Blue Dot had done such a good job that Big Mother Blue Dot still allowed him to party, but sent in additional security, just to be sure; she also asked someone to check the security at the monastery where Little Sister Blue Dot was staying.
Little Blue Dot, at home with his mama, took notes and promised to himself that when the time comes, he will protect his children as carefully as Big Mother Blue Dot did when the three little Blue Dots had to go out in the world alone.
The Privacy Impact Assessment (PIA) is, in essence, a story of travel. It's a way to track the personal data collected in a system, from collection to deletion, and look for risks to that personal data as it is processed. Where is Little Blue Dot staying? Is it safe? How does he travel, what system is being used? When he moves from one system to another, is he safe? Who will be responsible if something happens to Little Blue Dot?
The identified risks are assessed, and then managed: In case the data is lost, or stolen, what is the impact? Can it be passed on, shared, or minimized? Has the Personal Information Controller (PIC) -- the one doing the data processing - done all it can to secure the data?
It's a perilous world out there, especially for our personal data. The pandemic has forced more and more people to go online: to learn, to transact, to do business, or even just to meet up with friends. Yet not many are aware of the risks they take on when they go online, and cybercriminals, knowing this, have scaled up their attacks.
The least we can do, then, is to try and protect our personal data. This responsibility is shared with the PIC, because the one collecting and processing the personal data is the one in control; data subjects can only ask about the measures taken to protect the data. If unsatisfied, the data subject can only object, and walk away; he/she can't change the way the personal data is processed.
Unfortunately, many data subjects aren't taking care of their personal data: because they don't know the risks, they don't know what to do and most importantly, they don't know their data subject rights.
Though the Data Privacy Act requires companies processing personal data to appoint a Data Protection Officer (DPO), many PICs still don't have one. Some because they don't know it's required, others because they haven't even heard of the law. Some of the appointed DPOs are assigned other roles as well and, unfamiliar with their new tasks, end up neglecting their DPO duties.
So the next time someone asks for your personal data, try asking how it will be processed, stored, and deleted. It's the least you can do for your personal data.
***
Dana Batnag heads the policy and risk management section in the data privacy office of a private company. She may be contacted at yourdataprotectionofficer@protonmail.com.