Less Hype, More Action: The Case for Publishing Privacy Audits / DPIAs
Do you want to demonstrate that your organization cares about data protection? Be like PrivateStorage.
Roughly two years ago I began working with the brilliant folks at PrivateStorage on a Data Protection Impact Assessment (DPIA) for their namesake product - a truly end-to-end encrypted cloud data storage application unlike most others in this crowded space (https://private.storage/).
Both the engineers and leadership @ PrivateStorage saw the value in having published evidence that the application itself was not only secure and effective, but also that it demonstrated proper implementation of privacy and data protection by design. Anyone can claim they are 'GDPR Compliant' or boast that they 'take your privacy seriously', but if users can't see what's going on under the hood, it's hard to distinguish fact v. fiction. If those claims are never tested, it's harder still to separate the bullshit and hype from the real.
Was a DPIA necessary in this case? Under a strict legal reading, almost certainly not. But that's not the point of a DPIA to me, my colleagues at Castlebridge, the team at PrivateStorage, or their parent company, Least Authority. For us, it's as much an exercise in understanding and embracing 'data protection by design and default' principles. It's about true transparency, not privacy theater. It's a way to show that the words in your privacy notice, the promises you make about data, and the commitments in your contracts actually stand for something. It demonstrates the real.
Publishing a DPIA goes one step further -- it tells the world that data protection isn't just a compliance burden -- it's part of your company's vision. It's a differentiator in the market. I'm so happy that the team came to me all those years ago, fixed the risks we identified, and have now published the DPIA in full for everyone to see.
https://lnkd.in/efTzKFxB
It's my hope that more organizations will follow PrivateStorage's lead and see the value in undertaking and publishing DPIAs. Fortunately, the folks at Least Authority do see this value, and we’ve begun working together to merge privacy and security audits under one umbrella. And Least Authority has a track record of not only providing stellar support in finding and remediating security issues, but also in publishing the outcomes. Just like we've gradually embraced a culture of publishing security audits and pen tests, I'd love to see these sorts of data protection audits feature more prominently in company collateral. And so, I think, would your customers, users, and employees.
I’m excited to share that in collaboration with Least Authority, we’ll be offering comprehensive security and data protection impact audits — and encouraging clients to publish. In my opinion, a published privacy audit or DPIA should be as commonplace as a published security audit. A positive badge of honor, demonstrating a company’s commitment to protecting personal data.
Least Authority has a great write-up about our collaboration here. As always, if your organization is interested in identifying areas where technical and organizational measures could be improved, building better, more secure, resilient, and privacy-preserving systems, please reach out.