Data Privacy & Security

Key takeaways

In your analysis:

  1. Only report massive data breaches or privacy breaches. No breach means no impact. You should therefore avoid writing an analysis just on the strength or weakness of the data protection measures or policy of a company.

  2. Do not report privacy or data breaches that have affected fewer than a million people, unless the impact has been both deep (e.g., victims have suffered serious financial loss, lost their jobs, or seen their reputation and social life seriously harmed) and persistent (e.g., the company has a poor track record).

  3. Concentrate on the consequences of the breach for the victims, not the breach itself (i.e. document the outcomes and impacts, not just the event)

What is it?

“Data privacy or information privacy is a branch of data security concerned with the proper handling of data – consent, notice, and regulatory obligations. More specifically, practical data privacy concerns often revolve around whether or how data is shared with third parties.”

“As software and IT services companies increasingly deliver products and services over the Internet and through mobile devices, they must carefully manage two separate and often conflicting priorities. On the one hand, companies use customer data to innovate and provide customers with new products and services and to generate revenues. On the other hand, there are privacy concerns associated with companies having access to a wide range of customer data, such as personal, demographic, content, and behavioral data. This dynamic is leading to increased regulatory scrutiny in many countries around the world. The delivery of cloud-based software and IT services also raises concerns about potential access to user data by governments that may use it to limit the freedoms of citizens.”

“A data breach is the intentional or unintentional release of secure or private/confidential information to an untrusted environment.”

Sources

https://www.sasb.org/wp-content/uploads/2019/08/SASB_Software-IT_Brief.pdf

https://en.wikipedia.org/wiki/Data_breach#:~:text=A%20data%20breach%20is%20the
SDG choice

Most used SDGs include:

✅ SDG 3

✅ SDG 9

✅ SDG 16

But other SDGs might be relevant depending on the impact.
This article, about cybersecurity, can help you identify the correct SDG for your analysis.

Impact assessment

While researching and writing this topic, keep in mind the Logical Model to differentiate between input, activities, output, outcome and impact.

An analysis about one specific breach (data breach or privacy breach) runs the risk of being anecdotal. We do not want to report every single breach that a company has faced. This kind of event is only useful if it serves to illustrate a broader issue, e.g. a history of repeated dishonest behaviour, neglect, and lack of regulation by the company affecting many of its clients/employees/users.

Unless the breach and the underlying wrongdoing are so significant that they would in themselves justify a dedicated analysis, you should broaden the impact analysis to the larger issue, not just the specific breach. Read more here on finding the right granularity level.


If your analysis is about a data breach

  • The introduction should provide more information about how data breaches negatively affect society and the scale of that impact. This will help the reader make an educated assumption about the impact the company has.

  • Beyond negatively impacting the company, data breaches and cybersecurity attacks have short- and long-term consequences for the lives of employees/clients/consumers. They can result in identity theft, fraudulent credit card activity, and, on a more personal level, emotional harm such as stress.

  • In your analysis, try to go beyond reporting the data breach(es) and measure the social impact it has had on individuals. You can use studies as proxies. Learn more in the article Step 5: Assess scale and value.



If your analysis is about a breach of users’ privacy

  • The introduction should provide more information about how privacy breaches negatively affect society and the scale of that impact. This will help the reader make an educated assumption about the impact the company has.

  • Note that an infringement or breach of contract/Terms & Conditions is not always necessary to analyze the impact of the company’s actions, products, services or policies. You can still measure the impact of Facebook and the like, who sometimes breach the privacy of their users by abusing the information they hold on them. Alternatively, analyses can also be written on companies who are doing well on this matter.

  • In your analysis, try to go beyond reporting the privacy breach(es) and measure the social impact it has had on individuals. You can use studies as proxies. Learn more in the article Step 5: Assess scale and value.



For both topics, make sure to describe the scale of the impact by taking into account:


1/ The breadth of the impact

  • Is the impact local, national, or global?

  • How many people are affected? Thousands? Millions? Billions?

As a rule of thumb, if it affects at least 1 million people, it is considered significant. Please bear in mind, however, that this is not always the case: at times it would be unfair to expect an impact to touch that many lives. This threshold is therefore flexible.

2/ The depth of the impact

  • Is the life of people concerned deeply affected, or does the issue just marginally impact them?

  • Are the changes brought by the issue profoundly changing society?

3/ The persistence of the impact

  • How long would the impact described last for? Months? Years? Decades?

  • How reversible is the impact described in the impact analysis? Can it be easily stopped, or could it easily spread further?

You can also use studies on the impact of data privacy as proxies. Learn more in the article Step 5: Assess scale and value.

Recommended articles