To efficiently cater to their customers, businesses routinely collect various forms of personal data. Fifty years ago, when companies kept such data in filing cabinets, questions around privacy weren’t complex. However, in today’s Digital Age where personal data can be sent across thousands of miles in a matter of seconds, privacy is a much more pertinent issue than before.
Privacy-by-design is a concept that was first popularized in the 1990s by Ontario’s then information and privacy commissioner, Ann Cavoukian. By 2012, the U.S. Federal Trade Commission started to refer to it as a best practice for privacy. It’s now a key pillar of the EU’s landmark General Data Protection Regulation (GDPR).
Privacy-by-design simply means embedding privacy principles in the building and design of a business, website, application, product, or tool. Whichever way you look at it, ensuring that any capture and use of customer data is done with mutual consent is a good thing for the business in the long-term. Every organization should, therefore, strive to apply privacy-by-design principles.
Ann Cavoukian posited that privacy-by-design must be underpinned by the following seven principles.
Privacy-by-design principles are inherently proactive and preventative. It means anticipating privacy challenges beforehand. It implies creating the procedural and technical framework needed to prevent violations before they can occur. Businesses must apply privacy-by-design with an appreciation of the value they can derive from adopting strong privacy practices consistently and early.
There must be unequivocal commitment to privacy from the very top of the organization. That sets the tone for the rest of the employees. This commitment should exceed the requirements set out in regulations such as the GDPR. The privacy framework should include a means of recognizing weak designs, anticipating poor practices, and correcting negative impacts.
Privacy shouldn’t be an afterthought that organizations take into consideration once they have perfected everything else. Instead, privacy considerations must be in place by default and automatically. That way, even where a user doesn’t make any explicit decisions about the privacy of their data, the enterprise applies privacy-by-design principles unless the users themselves specify otherwise.
For this to happen, the reason for the collection, use, retention, disclosure, and destruction of personal data must be made clear from the outset. Businesses should only capture the personal data they need. Organizations must configure their systems to keep data collection at the minimum. Where they have to collect data, they have to make it, as much as possible, unidentifiable, unobservable, and unlinkable.
Enterprises must integrate privacy into the design and development of technology systems, business procedures, and organization practices. That ensures privacy is a core component of the product’s, process’, or system’s functionality. They must embed privacy in a way that considers the broader context, ropes in all key stakeholders, and re-engineers all existing choices to ensure privacy compliance.
A principle approach to privacy that leverages frameworks and standards and is subject to external audits and reviews ought to be adopted. Conduct detailed assessments that detail the privacy risks and document the measures taken to contain the risks. The privacy strength of the technology, procedures, and policies shouldn’t be easily degraded through error, misconfiguration, or use.
With privacy embedded in the entire organization’s systems and processes before the first piece of personal data is collected, privacy protection must also be extended throughout the life of the data. Establishing strong privacy measures at the start is meaningless if the data will not be subjected to a similar degree of protection up to its retirement and destruction.
There should be no room for privacy gaps from start to finish. For consistency, organizations should assign responsibility for a data set’s protection to a specific individual or department.
It doesn’t serve any organization’s interest to adhere to privacy-by-design principles but not demonstrate that it does so. Perceptions matter and so just complying with privacy standards alone isn’t enough. Regulators and users shouldn’t just trust that you are doing the right thing. Rather, they must have a means of verifying the same.
After all, the personal data in the business’ possession belongs to the product user. The user has by far the highest vested interest in the privacy of their information. Businesses will be more effective in curtailing data abuse and misuse if they give users the power to decide how their data is used.
Whereas the average organization knows and understands the reasons and merits of privacy, many have been less than enthusiastic about implementing privacy-by-design. It’s largely a result of the perception that privacy requirements can be an impediment to creative freedom.
On the contrary, though, a failure to apply and enforce privacy-by-design principles exposes the business to a wide range of risks including data breaches, regulatory censure, lawsuits, and loss of reputation.
Featured image: Pixabay
Setting PowerShell execution policies at the Group Policy level can greatly enhance your organization’s security.…
Ah, the good old days — when Exchange 2010 was king. But with each new…
The GDPR and the CCPA are both aimed at protecting privacy. Although many similarities exist…
Azure DevOps is fast becoming the next big thing. This Azure DevOps Quick Tip shows…
That old messaging platform has served you well, but maybe it’s time to move on.…