In today’s economy, organizations must constantly adapt and innovate to succeed. That’s been the case for Appriss, as we’ve evolved over 26 years from a two-person startup into a global enterprise with more than 1,000 employees in three business units offering numerous solutions that mitigate risk, improve the quality and efficiency of patient care, and improve retail performance. As new and diverse customer needs emerged, the company adopted a formal process to evaluate opportunities for products and services to ensure compliance and public benefit.
The Appriss for Good Assessment (“AFGA”) program is an essential component of our organization’s overall data governance program. The assessment is designed to ensure that data privacy, security, and ethical considerations are incorporated into each product and service during the earliest stages of development, and to appropriately document our compliance with our responsibilities as required under U.S. and global data protection laws.
Privacy By Design
The Appriss legal compliance team took on the task of developing AFGA as a privacy impact assessment program that would best serve our three business units with their distinct solutions and services and regulatory requirements. It was important for the resulting program to meet the General Data Protection Regulation, a law regulating data protection and privacy in the European Union and European Economic Area, to fulfill requirements of our operations in the EU. Although GDPR is not applicable to all Appriss business units or solutions, it sets a best practice for data use and governance. AFGA is also rooted in the Privacy by Design concept, an international best practice that calls for privacy and human values to be taken into account throughout the technology design process.
The AFGA program also serves a critical business development function: ensuring that the organization protects the privacy, security, and integrity of all data entrusted to us by our commercial and government customers. As a trusted steward of the personally identifiable, anonymized, and aggregate data we use in our analytics and processes, we take great care to prevent the unauthorized sharing or release of any personally identifiable information relating to our customers, consumers, and other protected groups. If a proposed use case involves a planned or possible risk of exposing identifiable information about an individual, special care and consideration will be applied during the AFGA review of that use case.
The Appriss for Good Assessment
On behalf of the Appriss Insights product development team, I have completed six Appriss for Good Assessments during my tenure.
An assessment is conducted during the earliest idea stages of development to test its viability under applicable legal, ethical, security, and business requirements.
A review committee, comprised of members of the company’s legal, compliance, information security, and executive leadership teams, works to identify, examine, and troubleshoot the data protection and general development hurdles that a proposed use case might encounter.
Pre-approval must come from an executive sponsor, usually the president of a business unit, before any use case can be submitted for review by the committee. Project teams are required to provide justification, such as commercial viability or adherence to growth plans.
A comprehensive project description is submitted to the review committee with the following information:
- A description of the benefits to the general public;
- A list of all specific data elements used in the project;
- Plans for avoiding unauthorized function creep, ensuring data quality and minimization, and commitment to the “Privacy by Design” approach to product development;
- Project scope; and
- Potential risks of the project and anticipated plans for risk mitigation.
Next, the project team leader meets with the review committee to provide an overview of the project use case followed by an independent review by the committee. As they continue to review the submission, the committee may ask the project team leader to follow up with additional information or provide action items to complete prior to entering the approval phase. Their review will continue until all final items and requests are addressed.
The proposed use case requires an initial approval from the legal compliance and information security representatives of the review committee. Approval will be granted, denied, or delayed based on their individual areas of expertise as well as the totality of the submission. If initial approval is granted, the use case proposal will be escalated to the final approval phase, in which the executive leadership team reviews all information collected during the AFGA process.
Select members of the project team, including the executive sponsor, the team leader, and any other essential team members, then present a proposal for final approval. In the majority of instances, proposals have been fully discussed and vetted prior to this stage, and approval is granted. Occasionally, the project team may be asked to gather additional evidence or modify the project plan in order to receive final approval.
Not a "one-and-done" approach
In a recent survey conducted by ISACA, an international professional association focused on IT governance, a majority of participants say their organization’s privacy programs are more likely to be driven by a combination of compliance and ethics than compliance alone.
While many organizations are embedding data privacy and appropriate use assessments into their business growth strategy, the pace must quicken. Evaluating data use cannot be a “one and done” approach. As noted by McKinsey, the larger the company, the higher its exposure to risk. As customers prioritize data privacy, they expect providers to maintain transparency and ethical policies related to data use.
Driven by our company-wide “knowledge for good” mission, Appriss works to put people first and fulfill a societal benefit in everything we do. That’s why the AFGA process is both critical to the organization and reassuring to employees. As team members, we are empowered to drive innovation while also ensuring that the solutions we provide not only meet legal or compliance standards but are also in the best interests of the public.