Privacy & data protection impact assessment for AI

SIPOC process map generated by the ProcessHorizon web app

With the revised New Federal Act on Data Protection (nFADP), Switzerland is implementing new legislation to better protect its citizens' data. Swiss companies will have to comply with this legislation from September 1, 2023.

Privacy-related acts and regulations are needed for several important reasons (the indented notes after each point indicate the corresponding nFADP requirement or good practice):

  1. Protection of Personal Information: In today's digital age, vast amounts of personal information are collected, processed, and shared by individuals, organizations, and governments. Privacy regulations ensure that this information is handled responsibly and securely, protecting individuals from potential misuse, identity theft, and other forms of harm.
     > Companies to keep a register of processing activities
  2. Control over Personal Data: Privacy regulations give individuals more control over their own personal data. They establish rules for how data can be collected, used, stored, and shared, and often require organizations to obtain explicit consent before processing personal information.
  3. Balancing Power Dynamics: Individuals often have less power than the organizations and entities that collect their data. Privacy regulations help to level the playing field by imposing legal obligations on these entities, ensuring that individuals' rights are respected and upheld.
  4. Preventing Surveillance and Monitoring Abuse: Privacy acts help prevent unwarranted surveillance and monitoring. They establish limits on how governments and organizations can collect and use personal information, protecting against the potential abuse of power for surveillance purposes.
  5. Building Trust: Strong privacy regulations foster trust between individuals and the organizations they interact with. When individuals know that their data is being handled in a responsible and transparent manner, they are more likely to engage with businesses and services.
     > Privacy by Default
  6. Encouraging Innovation: Clear privacy regulations provide a framework for how data can be used, which can actually foster innovation. When organizations understand the rules, they can develop new products and services that respect privacy rights while still utilizing data effectively.
     > Privacy by Design
  7. Global Interoperability: In our interconnected world, personal data flows across borders. Privacy regulations help establish common standards and practices for data protection, making it easier for international data transfers while still safeguarding individuals' rights.
     > Similar to the EU General Data Protection Regulation (GDPR)
  8. Mitigating Data Breaches: Privacy regulations often require organizations to implement strong data security measures. This helps reduce the risk of data breaches that could lead to the exposure of sensitive personal information.
     > Prompt notification to the Federal Data Protection and Information Commissioner (FDPIC) in case of data breaches
  9. Transparency and Accountability: Privacy acts often mandate transparency about data practices. Organizations are required to inform individuals about how their data is used, and individuals have the right to request information about their own data. This enhances accountability and encourages responsible data handling.
     > Good practice would be to provide a SIPOC process map of the processes handling personal data
  10. Legal Recourse: Privacy regulations give individuals legal avenues to take action if their privacy rights are violated. This can include seeking compensation for damages resulting from data breaches or improper data usage.

Privacy acts and regulations are crucial for safeguarding individuals' fundamental rights in the digital age, establishing guidelines for responsible data handling, and maintaining a healthy balance between technological advancements and individual privacy.

Private- and public-sector data controllers must carry out a data protection impact assessment (DPIA) if data processing is likely to result in a high risk to the personality or fundamental rights of the data subjects.

In the use case provided, a generic SIPOC process map was created for performing a DPIA in view of an AI implementation project.

Explore the smart ProcessHorizon web app for holistic SIPOC process mapping: