Privacy by Design – Part 3

Companies should implement and maintain data management procedures

FTC suggests that the procedures a company puts in place to safeguard consumers privacy are to be practiced throughout the life cycle of the product or service they sell. The draft mentions training employees on consumer privacy policies and promote the awareness of privacy best practices within the company. Risk assessment programs help organizations to assess the privacy impact of specific practices, products and services while it ensures that they are following effective procedures to mitigate any risks. The size and scope of the programs should be appropriate to the amount of data, sensitivity of data and related risks, therefore, different organizations put in different levels of resources when implementing privacy programs. Some requirements are already defined in government and privacy acts (US).

The draft illustrates this principle with an example. The recent worldwide disclosure of US government information and other sensitive personal data were leaked through the P2P (peer-to-peer) file-sharing networks. This information became available because businesses allowed employees to download and use P2P at the workplace. No security controls were in place and no awareness programs were done. When businesses incorporate privacy and data security policies in their business processes they are mitigating these risks. Typically, after applying security policies, P2P software would be often disallowed or allowed to run a separate machine where no personal or sensitive data is stored. A similar policy would apply not only to P2P software but to any other software or hardware that the employees may install on the company machines and which may expose consumers’ private data.

As the title of this series implies, Privacy by Design implies that even manufacturers of software programs must design products that prevent disclosure of consumer data. If P2P software was designed with secure features than the data leakage case mentioned above would not have happened. We learn from mistakes, for instance Google and Facebook had to alter their privacy practices after launching new products and features. Again, if they developed the new products with privacy in mind they would have avoided all the bad reputation. The draft suggests a thorough privacy review should take at the research and development stages as to aligned products or services with consumer privacy requirements. Systems that assist in maintaining privacy policy include identity management, data tagging tools and the use of TLS/SSL or other encryption technologies.

About The Author

Leave a Comment

Your email address will not be published. Required fields are marked *

This site is protected by reCAPTCHA and the Google Privacy Policy and Terms of Service apply.

Scroll to Top