Data Privacy Compliance
Habeeb Eyinade
Legal Practitioner Passionate about Tech, Privacy, Data Protection, and Cybersecurity | Data Protection Officer
The past couple of months have been fulfilling and engaging for me. Truth is, it was not as easy as I had thought before jumping into the testing waters of curiosity. First, I completed my McKinsey Forward learning program at McKinsey Academy.
Second, I launched legallyyoruba (https://youtube.com/@LegallyYoruba?si=OuJ8PiCrMk1Okibe), a platform dedicated to enlightening laymen and uninformed Nigerians, in the Yoruba language, about legal nuggets, to keep them informed of their basic rights, protect them from unintentional violations of the law and keep Nigeria a more law-conformist society. These, among other engagements, are just tidbits of my engaging months.
To cut to the chase on data privacy compliance, it was a stimulating intellectual adventure for me to have completed an engaging course on privacy compliance, Privacy Law and Data Protection, from the University of Pennsylvania (Coursera). During the course, I was exposed to the legal framework of privacy and data protection laws in the United States and to how to ensure legal compliance in the face of multiple laws regulating data processing and control.
At the end of the course, a prompt was given as the final assessment to check our approach to responding to privacy challenges. Having been graded the full score on my assessment, I am sharing the prompt and my answer to it for further engagement and discussion.
Therefore, beyond the pages of the statutes and the aesthetically designed panel sessions on privacy and data protection issues, stakeholders in the sphere must make efforts to ensure compliance with the law in order to protect the autonomy and dignity of data subjects across all layers of processing.
PROMPT
You have been hired as a compliance professional for xxx, a new meal delivery service that tailors recipes to customers' nutritional needs. xxx will soon be launching an app that collects customers' contact information, as well as information about their food allergies, diet, and health conditions.
The CEO of xxx has tasked your team with determining how to keep customers' personal information safe. Write a memo to your boss, the Chief Compliance Officer, in which you:
1) Recommend the incorporation of two fair information principles into xxx's privacy regime. Explain why you think these FIPs are particularly important to protecting customers' personal information.
2) Propose two steps the compliance team should take to ensure that xxx does not breach FTC enforcement actions, and explain their importance.
Date: xyz
From: XXYYZZ
To: Chief Compliance Officer, xxx.
Subject: MEMORANDUM ON DATA PRIVACY COMPLIANCE FOR THE CONSUMERS OF XXX
A. INTRODUCTION
XXX is a meal delivery service that ensures fast, accurate and efficient delivery of meals to its customers based on the data the customers provide via the App. Thus, xxx, as a data controller and processor, must ensure compliance with the applicable legislation to avoid enforcement action by data protection agencies for non-compliance.
B. FAIR INFORMATION PRINCIPLES:
1. According to the principles established by the U.S. Department of Health, Education, and Welfare, xxx must ensure that customers' information is not processed without informing them and seeking their consent.
This ensures that customers have autonomy in determining which of their data is processed, and it also prevents the misuse of such data on the App.
2. As a meal delivery service, xxx may require customers' data such as address, credit card details, age, sex, food preferences, history of orders made and perhaps allergies, to mention only a few. A considerable amount of data is to be collected via the App. As underlined by the fair information principles, xxx must ensure and respect the right of customers to restrict the amount of data to be processed. In simple terms, the right to restrict processing of customers' data must be enforced.
The significance of this is also to reduce the risk of data breaches and to let customers determine their own level of exposure to security risk.
C. MEASURES AGAINST FTC ENFORCEMENT ACTIONS AND THEIR IMPORTANCE.
The Federal Trade Commission (US) regulates commercial entities, of which xxx is one. It is essential that certain measures are taken to prevent sanctions from the Commission. These are:
1. Come up with a privacy policy on the App that clearly, simply and accurately informs customers of how their data are processed and of the security measures taken to protect the information held by xxx. The privacy policy must be carefully drafted, and certain key words that could lead to eventual liabilities or complex interpretations should be avoided. For instance, avoid using omnibus terms (all, always, absolute, total) where the measures or concepts have exceptions.
The importance of the privacy policy is to ensure that customers are well informed of how their data are to be processed and protected.
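As an added illustration, not part of the memo and not a tool xxx uses, the following Python script scans draft privacy-policy text for the omnibus terms the memo warns against, so a compliance reviewer can find unqualified promises before the policy is published. The sample policy sentences are constructed for this example, and the synonyms added beyond the memo's four terms (never, fully, guaranteed, 100%, and so on) are an assumption.

```python
import re

# Absolute ("omnibus") terms named in the memo, plus a few close synonyms
# that make the same kind of unqualified promise. The synonym list beyond
# all/always/absolute/total is an assumption added for this example.
OMNIBUS_TERMS = (
    "all", "always", "absolute", "absolutely", "total", "totally",
    "never", "fully", "complete", "completely", "guarantee", "guaranteed",
    "100%",
)

# Split on whitespace that follows sentence-ending punctuation.
_SENTENCE_SPLIT = re.compile(r"(?<=[.!?])\s+")

# Constructed sample policy text (not a real xxx policy).
SAMPLE_POLICY = (
    "We collect your contact details, food allergies and health conditions to tailor recipes. "
    "Your information is always encrypted and we never share it with anyone. "
    "We use industry-standard safeguards and limit access to staff who need it. "
    "Total protection of your data is guaranteed."
)


def split_sentences(text):
    """Return the non-empty sentences of a block of policy text."""
    return [s.strip() for s in _SENTENCE_SPLIT.split(text) if s.strip()]


def find_omnibus_terms(sentence):
    """Return the omnibus terms present in one sentence, in OMNIBUS_TERMS order.

    Matching is case-insensitive and requires non-word characters on both
    sides, so 'all' does not fire on 'allergies' and 'guarantee' does not
    fire inside 'guaranteed'.
    """
    found = []
    for term in OMNIBUS_TERMS:
        pattern = r"(?<!\w)" + re.escape(term) + r"(?!\w)"
        if re.search(pattern, sentence, re.IGNORECASE):
            found.append(term)
    return found


def review_policy(text):
    """Map each sentence that contains an omnibus term to the terms it uses.

    Sentences without such terms are omitted, so an empty result means the
    draft makes no unqualified promises of the kind the memo warns against.
    """
    findings = {}
    for sentence in split_sentences(text):
        terms = find_omnibus_terms(sentence)
        if terms:
            findings[sentence] = terms
    return findings


if __name__ == "__main__":
    for sentence, terms in review_policy(SAMPLE_POLICY).items():
        print(f"REVIEW ({', '.join(terms)}): {sentence}")
```

Run on the constructed sample, the script flags the two sentences that promise "always", "never", "total" and "guaranteed" protection, and leaves the two sentences that describe measures in qualified terms alone. A flagged sentence is not automatically wrong; it is a prompt for the reviewer to confirm the promise holds without exception or to reword it.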
2. Information security measures must be taken to standardise data security and reduce breaches of customers' information. ISO or COBIT security standards can be used to ensure compliance.
This is important for organised risk assessment and for responding to security breaches efficiently.
CONCLUSION
The measures proposed above may be amended according to updates made to the App and the dictates of new or amended legislation.
Comment (1 year ago) from a Virtual Assistant, Paralegal, Law Graduate: This is superb! I wish you more success in your endeavours as I also look forward to more engaging content on legallyyoruba.