While researching and writing this topic, keep in mind the Logical Model to differentiate between input, activities, output, outcome, and impact.
The analysis should focus on the voluntary sharing of customer information, what kind of data is being collected and shared, and how this impacts the customers.
The introduction should provide more information about how privacy breaches contribute negatively to society and its impact. This will help the reader make an educated assumption about the impact the company has.
It should assess the amount of personal data sharing that happens, along with the consequences of it.
The focus should be on how this impacts customers - not how it may impact business or profit, although these things can be included as a motive for sharing personal information.
Read more on how to build a strong introduction in this article.
The core analysis needs to address how much data is collected from customers (and sometimes employees), and whether it is sold to third parties, or if third parties have access to it.
The number of customers should be stated, and whether this is a systematic process they do with all customers, or whether specific ventures with portions of their customer base’s data are compromising privacy (or both).
It is important to address what kind of information is being collected and distributed - whether it is financial data, data on activities, etc.
You should also explain what kind of third parties are getting access to the information, and what they might do with it, and how this might affect the customers involved.
Focus: voluntary selling and sharing of users' data
The introduction should provide more information about how data tracking contributes negatively to society and its impact. This will help the reader make an educated assumption about the impact the company has.
Note that an infringement or breach of contract/Terms & Conditions is not always necessary to analyze the impact of the company’s actions, products, services, or policies. You can still measure the impact of Facebook and the likes, who sometimes abuse their users' privacy by using the information they held on them without their full understanding of its use.
In your analysis, try to go beyond reporting the voluntary selling of data and measure the social impact it has had on individuals. You can use studies as proxies. Learn more in the article Step 5: Assess scale and value.
Secondary: Significant data breaches
The introduction should provide more information about how data breaches contribute negatively to society and its impact. This will help the reader make an educated assumption about the impact the company has.
Beyond negatively impacting the company, data breaches and cybersecurity attacks have short and long-term consequences on employees/clients/consumers’ lives. They can result in identity theft, fraudulent credit card activity, and emotional challenges such as stress on a more interpersonal level.
In your analysis, try to go beyond reporting the data breach(es) and measure the social impact it has had on individuals. You can use studies as proxies. Learn more in the article Step 5: Assess scale and value.
An analysis of one specific breach (data breach or privacy breach) takes the risk of being anecdotal. We do not want to report every single breach that a company has faced. This kind of event is only useful if it serves to illustrate a broader issue, e.g., a history of repeated dishonest behaviour, neglect, and lack of regulation from the company to many of its clients/employees/users.
Unless the breach and underlying wrongdoing are so significant that it would in itself justify a dedicated analysis, you should broaden the impact analysis to the larger issue, not just the specific breach. Read more here on finding the right granularity level.
For both topics, make sure to describe the scale of the impact by taking into account:
The impact is not just the number of people affected, but how they were impacted. It is not because the data of, for instance, one million people have been exposed that the impact is necessarily significant. An analysis can discuss a case concerning a few hundred/thousand people if there is a tangible outcome. The impact is considered significant when this number of people (few thousand) have been victims of monetary losses, identity theft, etc., and this has been quantified.
1/ The breadth of the impact
Is the impact local, national, or global?
How many people are affected? Thousands? Millions? Billions?
2/ The depth of the impact
Is the life of people concerned deeply affected, or does the issue just marginally impact them?
Are the changes brought by the issue profoundly changing society?
3/ The persistence of the impact
You can also use studies on the impact of data privacy as proxies. Learn more in the article Step 5: Assess scale and value.