Frequently Asked Questions
One-Stop Global Privacy & AI Compliance
Skills4Good AI
Privacy Management Program FAQs
-
What does data privacy mean?
Data privacy is an individual’s right to be free from intrusion into their personal information. Privacy and data protection laws protect the right of individuals to control how their personal information is collected, used, shared, and stored.
-
Aren’t data privacy and security the same thing?
No, but they are closely related concepts. Data privacy is focused on the use and governance of personal data – things like putting policies in place to ensure that consumers’ personal information is being collected, shared and used appropriately.
Security focuses more on preventing unauthorized access to data through breaches and leaks, and on protecting data from malicious attacks and from the exploitation of stolen data for profit. While security is necessary to protect data, it is not sufficient to address privacy.
Source: IAPP
-
What about data privacy and security vs. compliance?
Compliance means ensuring that you meet the requirements of a regulatory standard or law. There are many situations where an organization’s compliance requirements are designed to protect an individual’s data privacy rights. Data protection laws and regulations typically consider privacy and security in tandem.
-
What is Privacy Accountability?
Privacy Accountability is the requirement to take responsibility for protecting personal information. It is not a box-ticking exercise.
An accountable organization needs to undertake the following:
- It is responsible for complying with privacy laws. This means it is proactive and organized about improving its privacy practices as it stays ahead of ever-evolving privacy laws.
- It can demonstrate its compliance with privacy laws. This means it can present evidence of its steps to comply with privacy laws.
An accountable organization must have an effective Privacy Management Program (PMP) to achieve Privacy Accountability.
-
What is a Privacy Management Program?
A Privacy Management Program (PMP) provides an effective way for an organization to demonstrate Privacy Accountability.
An organization’s PMP demonstrates its compliance with privacy laws. This means it can present evidence of its steps to comply with privacy laws.
Beyond compliance, a PMP helps foster a culture of privacy throughout an organization. Embedding privacy into all an organization’s business processes creates a culture of privacy protection. This encourages staff to be more forward-thinking and engaged. Through early identification of potential privacy risks, a more privacy-protective environment is established.
Source: priv.gc.ca and AICPA
-
Why do I need a Privacy Management Program?
A Privacy Management Program helps you demonstrate compliance with all relevant privacy laws to your customers, employees, and shareholders.
A Privacy Management Program helps you:
- Avoid legal fines and penalties
- Mitigate risks and liabilities
- Enhance your brand and reputation
- Increase revenues
- Build stakeholder trust as a competitive advantage
- Protect privacy and other human rights
- Go beyond compliance and achieve the UN Sustainable Development Goals (SDGs)
-
What are the risks of not having a Privacy Management Program?
Your risks for not having a Privacy Management Program are:
- Fines and penalties. These can be as much as $20,000,000 or 4% of your worldwide turnover for the preceding financial year. (Source: gdpr.EU)
- Loss of customer trust and reputation. Small businesses are the victims of 43% of data breaches. (Source: Verizon)
- Revenue losses. The average cost of a data breach is $3,920,000. (Source: IBM)
- Productivity losses. It takes an average of 206 days to identify a data breach and 73 days to contain it. (Source: IBM)
- Business disruption. The average cost of recovering from a data breach is $1,700,000. (Source: IBM)
Data Subject Access Requests (DSARs) FAQs
-
What are DSARs?
Data Subject Access Requests (DSARs) are privacy rights that allow individuals (or “data subjects”) to request copies of the personal data that organizations hold about them. This includes information identifying an individual, such as their name, address, or date of birth.
-
What specific rights does a DSAR provide individuals?
DSARs give individuals the right to know what personal data is being collected about them, why it is being collected, and how it is being used. They also allow individuals to request that their personal data be deleted or destroyed if it is no longer needed. DSARs also give individuals the right to object to the use of their data for specific purposes, such as direct marketing.
US state and international privacy laws codify an individual’s privacy right to file a DSAR. Governments now explicitly recognize that data privacy is a human right, and thus, individuals should have control over their data.
-
Can an organization ignore responding to a DSAR?
For organizations that fall under the scope of privacy laws that provide DSAR rights, responding to DSARs is not optional. Ignoring DSARs or not responding to them within the statutory deadline will result in fines and penalties, not to mention damaged reputations. Thus, organizations must establish a DSAR process or find an organization to manage the DSAR process for them.
When an organization receives a DSAR, it needs to search through various sources that contain information about the individual. For example, such sources include HR records, emails, physical documents, spreadsheets, recordings, and presentations.
-
Is the number of DSARs filed increasing?
A 2022 DataGrail privacy trends report noted that companies are processing nearly double the number of DSARs than they did in 2020 to comply with the California Consumer Privacy Act (CCPA).
This is expected to increase as more US states, including Virginia, Colorado, and Utah, enact new privacy laws that give individuals new DSAR rights. The report also revealed that the cost of processing DSARs jumped from US $192,000 per one million individual identities to roughly US $400,000 per one million individual identities year over year. About 27 US states are in the process of enacting privacy laws in their jurisdictions.
-
Why is responding to DSARs within time limits challenging?
Responding to DSARs can be complex and time-consuming. Privacy laws typically require organizations to respond to DSARs within a specific timeframe, usually 30 days. Complying with these time limits can be challenging, especially if the organization does not have a streamlined DSAR response process.
In some cases, it may be necessary to hire additional staff or engage an outsourced privacy compliance firm to ensure that all DSARs are responded to promptly. These steps will help ensure that your organization can effectively respond to DSARs while complying with all applicable privacy laws.
-
Why is identifying data subjects challenging?
To comply with a DSAR, you must take reasonable steps to identify the individuals or “data subjects” who filed the request. This can be time-consuming, particularly if your data is poorly organized or comes from various sources.
To comply with privacy law, you must have a systematic process to authenticate the identity of individuals who filed the DSAR. Identifying data subjects is essential to compliance with privacy law, and organizations should ensure that they have adequate processes and systems in place to do so.
-
Why is locating relevant data challenging?
Once you have identified the data subjects, you will need to locate all relevant data relating to those individuals. This can be challenging if the data is spread across different systems or storage devices. To make things easier, it’s essential to create a data inventory.
Data inventory is the process of collecting and organizing data from different sources. This data inventory can then be aggregated and used to provide insights. By having this information in one place, you’ll be able to quickly and easily locate the data that you need for your DSAR. Moreover, your data inventory will help improve efficiency and collaboration across your organization.
-
Why is anonymizing or aggregating data challenging?
One of the challenges of responding to a DSAR is anonymizing or aggregating the data. Data anonymization is the process of removing personally identifiable information. Data aggregation is the process of combining data from multiple sources into a single data set. These two processes are often used together to help protect the identities of data subjects.
When organizations perform these two processes, it becomes even harder to identify individuals. However, conducting these processes may not always be practical, and you will need to weigh the privacy rights of the data subjects against other legitimate interests.
Privacy Impact Assessments (PIAs) FAQs
-
What is a PIA?
A Privacy Impact Assessment (PIA) is a process which helps an organization identify and reduce the privacy risks of a project, product or service. Its goal is the minimization of privacy risk. It enables an organization to systematically and thoroughly analyse how the project, product or service will affect an individual’s privacy.
-
When is a PIA conducted?
An effective PIA is conducted on any project, product or service that involves personal data or could have an impact on the privacy of individuals. It is conducted throughout the entire lifecycle of a project, product or service, from the development phase to the implementation and monitoring phases.
-
What is data privacy?
It is the right of an individual to control, edit, manage and delete information about themselves and to decide how and to what extent such information is communicated to others.
-
What is data privacy risk?
Data privacy risk is the risk of harm arising through use or misuse of personal information. Examples include cases when personal information is:
- Inaccurate, insufficient or out of date
- Excessive or irrelevant
- Kept for too long
- Disclosed to third parties without consent
- Not kept securely
-
What are benefits of a PIA?
In some jurisdictions, conducting a PIA is required by law. In others, even if it is not (yet) required, governments highly recommend that organizations conduct a PIA because of the many benefits it provides.
- It effectively demonstrates to government how your organization is complying with its privacy obligations under the law
- It reassures individuals that your organization is following best practices in respecting individual privacy
- It improves transparency and makes it easier for individuals to understand how and why your organization is using their information
- It improves how your organization uses information which should positively impact individual privacy
- It reduces your organization’s liability risk for violation of its privacy obligations under the law
-
Do you need a PIA?
These questions will help you decide whether your organization needs to conduct a PIA. If you answer “yes” to any question, then your organization will greatly benefit from conducting a PIA.
Will the proposed or current project, product or service involve:
- Collecting new information about individuals?
- Using individual information for a purpose or in a manner it is not currently being used?
- Compelling individuals to provide information about themselves?
- Disclosing personal information to third parties?
- Using new technology which may impact privacy (e.g. biometrics, facial recognition, surveillance)?
- Making decisions that impose high risks on individuals (e.g. employment, health, financial access)?
Source: ICO, Conducting Privacy Impact Assessments Code of Practice
Data Protection Impact Assessments (DPIAs) FAQs
-
What is a DPIA?
The Data Protection Impact Assessment (DPIA) is an important accountability tool introduced by the European Commission’s General Data Protection Regulation (GDPR). It helps organizations systematically analyze, identify and minimize the data protection risks of a project.
-
What is the GDPR?
In 2018, the European Commission promulgated the General Data Protection Regulation (GDPR). Its objective is to give individuals more control over their personal data. It constitutes the European Union’s overarching framework for the collection and use of individual personal data. It is considered the global gold standard for privacy regulation.
-
What are benefits of a DPIA?
The DPIA ensures that regulated organizations comply with their data protection obligations. This entails the fair and proper use of information about people, which is part of the fundamental right to privacy. Conducting a DPIA at the beginning is beneficial because an organization can consult with stakeholders. Conducting a DPIA during the implementation stage is also vital because an AI system’s privacy risks are constantly changing.
-
When is a DPIA conducted?
Regulated organizations are required to conduct DPIAs when their technology projects use personal data that is likely to result in a high risk to individuals. The DPIA employs a procedural due process mechanism to ensure fairness and transparency. It is required not only at the design phase but also during various stages of implementation of an AI system.
-
What are instances resulting in high risk to individuals?
These instances include evaluation or scoring, automated decisions with significant effects (e.g. AI used in hiring, credit scores, loan applications), processing of sensitive data, and data of a highly personal nature or concerning vulnerable individuals (e.g. women, people of colour, children).
Algorithmic Impact Assessments (AIAs) FAQs
-
What is an AIA?
An Algorithmic Impact Assessment (AIA) is an assessment tool to determine the beneficial and harmful impacts that may arise from the design, development and deployment of AI projects. Its goal is to promote algorithmic accountability over the effects and outcomes of an AI project.
-
When is an AIA conducted?
An AIA is employed at the conceptual stage of an AI project to assess possible risks to internal and external stakeholders. It is also used for continuous monitoring of the AI project after it is implemented. Part of the AIA’s risk assessment is an evaluation of how those risks can be addressed, mitigated or eliminated to successfully implement the AI project.
-
What is an algorithmic impact or risk?
Algorithmic impacts or risks are the unintentional harms that AI systems may inflict on individuals. These include impacts on accuracy, fairness, bias, discrimination, privacy and security.
-
What are benefits of an AIA?
An AIA helps demystify the ‘black-box’ opacity of AI systems. It also helps make the automated decisions of AI systems explainable and correct any discriminatory decisions that may be rendered on individuals.
-
Do you need an AIA?
It depends on the jurisdiction in which you operate. There are current and emerging AI regulations around the world that require or will require organizations in specific jurisdictions to conduct AIAs of their high-risk AI systems. Examples include the EU Commission’s AI Regulation and the U.S. Algorithmic Accountability Act of 2019, among others.
Responsible AI Program FAQs
-
Who is the Responsible AI Program designed for?
It was created for professionals who currently use big data and AI systems in their daily work, or will do so in the near future. The Program covers the technical, ethical, legal and societal impacts of AI development. It provides a foundational understanding of what constitutes Responsible AI, including baseline awareness of the risks and limitations associated with AI systems. It will enable individuals to operationalize ethical AI considerations in their daily work. This Program does not require an individual to have a computer science or technical background in order to take the courses.
-
Can I buy the courses individually?
Yes, you may buy an individual course if you wish to focus exclusively on a specific topic. However, we highly recommend that you purchase the 3 courses comprising the Responsible AI Program if you wish to acquire a rich, multi-disciplinary perspective of Responsible AI’s various facets. In this way, you will learn how AI uniquely impacts society from the viewpoints of technology, philosophy, ethics and law.
-
Is there a volume discount if I buy the courses for a group of employees?
-
When will I have access to the course?
Once you enrol in the course, you’ll have immediate access to it.
-
How much time do I need?
The Responsible AI Program is comprised of 3 self-guided online courses that you can take at your own pace anytime and anywhere.
We designed the lessons in short segments so that you can take each program module in ten minutes or less. It will take about 3.5 hours to complete the Program. Each course will take about 1 to 1.5 hours to complete.
-
How long can I access the course?
You can access the course for 180 days from the date of your enrolment in the course. If you do not earn your course completion certificate within 180 days, your registration will expire and you will need to pay to re-enroll for the course.
-
What is the refund or cancellation policy?
You can request a full refund or cancellation up to 7 calendar days after confirmation of your paid enrolment, provided you have not started any lesson in the course or Program.
After 7 days, if you have already started a lesson, you will not be entitled to any refund or cancellation from Skills4Good.
-
What is your copyright policy?
You can review our copyright policy through this link.
-
Do I receive a certificate of completion?
Yes. After you complete the course, you will automatically receive a Certificate of Completion for the course.
