Privacy Testing is a relatively new ‘concept’.
It is often confused with security testing, and few people realise the difference. To understand the difference, you need to understand some fundamentals of Data Privacy itself.
When an organization rolls out a privacy program, it is specific only to Personal Data (or PI/PII). The privacy program works towards delivering some basic privacy principles to its data subjects or data principals (the individuals whose personal data it is collecting or processing). These principles go far beyond securing the data alone (which is expected to be done anyway!). They include telling the individual what data is being collected and processed (not just directly from the individual but also from third parties or by observing and tracking the individual online) and why (the purpose), getting her consent for the same, letting her access and correct her data as and when required, and letting her know if her data is being shared with a third party and why, whether it is being sent outside the country, whether she is being tracked and profiled, etc. Hence, when a particular property or asset is being tested for privacy, its activities related to the above become critical.
Security testing does not test for the above scenarios.
Hence Arrka set up its Privacy Lab.
Today, the Lab is used to test properties for compliance with a host of Data Privacy Laws (like GDPR) as well as for Personal Data Discovery.
It is also used to conduct Arrka’s Annual ‘State of Privacy in India’ study, in which we test 100 Indian mobile apps and websites.
The Lab currently focuses on two key types of digital properties:
- Mobile Apps
In addition to the above, the Lab also does customised privacy testing for specific infrastructure, applications and assets.