Completion of PrivateStorage's Data Protection Impact Assessment

by Aaron on Wednesday, February 7, 2024

From the initial design and development of PrivateStorage, our end-to-end encrypted, secure storage service, we made a commitment to safeguarding our users' data and ensuring compliance with EU and US data protection regulations. Today, we're excited to share an important milestone: the successful completion of our Data Protection Impact Assessment (DPIA) in alignment with the General Data Protection Regulation (GDPR). This assessment demonstrates our dedication to privacy by design and is a critical step in furthering our commitment to preserving the privacy and security of our users.

For over 5 years, the GDPR has set the standard for data protection, requiring organizations to assess and mitigate any risks associated with processing personal data. The GDPR specifically requires a DPIA for processing operations that, by their nature, scope, context, and purposes, are likely to result in a high risk to the rights and freedoms of individuals (Art. 35 GDPR). This regulatory framework is designed to enhance individuals' privacy rights and empower them with greater control over their personal information. Compliance with the DPIA requirement is a fundamental aspect of overall GDPR compliance.

With the California Consumer Privacy Act (CCPA), enacted in 2018 and in force since January 2020, the privacy law landscape in the US has changed as well. Currently, a total of thirteen US states have passed comprehensive data privacy laws. It's worth noting that not all of these states mandate an equally comprehensive assessment in all situations. For example, the Virginia Consumer Data Protection Act (VCDPA), Connecticut's Public Act No. 22-15 (commonly known as the Connecticut Data Privacy Act or CTDPA), and the Colorado Privacy Act (CPA) have assessment provisions that are less extensive than the requirements of the GDPR. Overall, regardless of whether the law dictates a DPIA or not, carrying one out should be regarded as best practice for any organization that bears responsibility for safeguarding a person's data and personally identifiable information (PII).

Completing a DPIA is a textbook example of "privacy by design", because it embodies the proactive approach that philosophy calls for. "Privacy by design" emphasizes integrating privacy considerations into the development of systems, processes, and technologies from the outset rather than as an afterthought. It facilitates early identification and mitigation of privacy risks, informs decision-making, and ensures ongoing compliance and accountability throughout the development lifecycle.

Over the past two years, our team, together with Castlebridge, has conducted a thorough DPIA, evaluating the potential impact of PrivateStorage's data processing activities on individuals' privacy. This involved a comprehensive assessment of the technical environment, consideration of the current state of privacy and data protection law in the United States and the European Union, and recommendations for mitigating the identified risks. Initially, the DPIA identified ten risks: three medium, three medium-low, and four low. We are proud to announce that we have eliminated all but four of them. The four that remain all fall in the low-risk category and cannot reasonably be resolved with the security and technical controls available today.

Castlebridge, a data strategy, governance, and data protection compliance consultancy, is well known for pragmatic advice on the business of data and is recognized internationally for its insights and direct approach.

While the completion of this assessment is a significant accomplishment, we recognize that data protection is an ongoing commitment. Moving forward, we are dedicated to continuously monitoring and enhancing our data protection practices, adapting to evolving regulatory requirements and technological advancements. We thank you for using our service, and we will continue to share updates about our data protection measures.