The Principles of Privacy by Design
Establishing a privacy program isn’t just about big, splashy moves you make in public. It’s the cascading effect of ten thousand engineering, policy and contract decisions you make every day when no one is looking. -Brandi Bennett, Data Privacy and Technology Attorney
On the Privaci Learning blog, we often discuss the complexities of privacy regulations including the European Union’s General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA). Within this essay, we will discuss how privacy is good for business when it is embedded throughout the entire infrastructure of a company or organization.
In the 1990s, Dr. Ann Cavoukian, a former Information and Privacy Commissioner of Canada, created the concept of Privacy by Design. Through Privacy by Design, comprehensive privacy mechanisms are embedded within a product, process, or system from the inception of its development . Dr. Cavoukian also created the Privacy by Design framework, which includes seven principles:
· Proactive not reactive- Privacy programs should be proactive rather than reactive. Anticipate and prevent privacy breaches before the events happen.
· Privacy as the default setting- Ensuring personal data are automatically protected in any given IT system so that no action is required on the part of the individual user.
· Privacy embedded into design- Privacy is an essential component of the core functionality being delivered. Privacy is not an add-on feature after the fact. It is woven into the product’s architecture from inception.
· Full functionality- No privacy vs. security scenarios or any other unnecessary trade offs within the system. Privacy will be accommodated in a positive sum manner and is not diminished to fulfill other interests.
· End to end security- Full lifecycle protection. Ensured cradle to grave secure lifecycle management of information.
· Visibility and transparency- Operations remain visible and transparent to users and providers.
· Respect for user privacy- Including measures such as strong privacy defaults, appropriate notice and empowering user friendly options.
Ahead of her time, Dr. Cavoukian finally saw her privacy by design framework included in the European Union’s General Data Protection Regulation (GDPR), which took effect on May 25, 2018. In summary, the GDPR states:
· Privacy mechanisms should be built into a product as a default
· Personal data collection should be minimized
· Personal data must be kept secure
· Personal data must be destroyed when it is no longer needed
· Personal data must be collected with transparency
· No zero sum trade-offs. Privacy must be accommodated in a positive sum manner
The GDPR defined the global path forward for privacy. Countries and states throughout the world followed suit by enacting their own privacy regulations, which also include Privacy by Design concepts. In response, companies and organizations are rushing to catch up, hiring privacy professionals and enhancing their privacy programs in order to achieve regulatory compliance.
In addition to meeting compliance requirements and avoiding hefty penalties, companies also want to be in the good graces of consumers who are demanding more privacy protections. According to Bart Williemsen, who is Vice President of Research at Gartner, privacy is becoming a reason for consumers to purchase a product:
· By 2023, organizations embedding privacy user experience into customer experience will enjoy greater trustworthiness and up to 20% more digital revenue than those that do not. Consumers want to know how their personal data is used and they are more trusting of companies that are transparent about data usage. Once customers trust an organization, they are more likely to be loyal, to recommend that company, and to buy more products and services.
· By 2023, over 20% of organizations will use a data risk assessment (DRA) to identify and manage appropriate privacy controls, despite a lack of guidance from regulators on how to implement it. The results of a DRA will help determine the success of existing data security controls and identify any gaps or inconsistencies that need further engineering. Organizations face a changing world filled with an ever-increasing amount of data, which can lead to huge business opportunities when that data is properly used to develop or enhance products and services.
· By year-end 2025, multiple Internet of Behaviors (IoB) systems will elevate the risk of unintended consequences, potentially affecting over half of the world’s population. An IoB system combines and analyzes multiple sources of intelligence, such as commercial customer data, publicly available citizen data, social media, facial recognition and location tracking with an intention to influence customer behavior. As an IoB grows at scale, security leaders must ensure stability and consistency. They must also establish a framework for privacy, security, ethics and interconnectivity that all connected entities must subscribe to, further reducing the risk of unintended consequences.
If you would like to learn more about how to embed privacy throughout your organization, visit the Privaci Learning website (www.privacilearning.com) and the Privaci Learning online course program at Udemy, which includes How to Build a Privacy Program for Your Organization and The Main Components to Include in Your Privacy Program.
After completing Privaci Learning’s introductory courses you will know:
· The importance of a privacy program
· The building blocks for a privacy program
· The role of a privacy program manager
· The role of stakeholders
· The main components of a privacy program
· Why these program components are important
For more advanced coursework in privacy, read more about Privaci Learning’s additional online courses including GDPR Compliance: The Key Components, GDPR Data Processing Agreement Requirements Simplified and Lei Geral de Proteção de Dados(LGPD) 101-The Key Components .
