We are living in an era dominated by technological advances and digital innovation. With respect to data, these advances have paved way for the immense potential of using centralized databases and other related infrastructures to capture, collect, store, mine and share data at an unimaginable pace and size (big data). The data, which was once used or could only be used by the Government, who had the resources, manpower and the need to use it for some specific purposes, is now made available online, increasing its affordability and accessibility to a great extent.
“The Fourth Industrial Revolution, finally, will change not only what we do but also who we are. It will affect our identity and all the issues associated with it: our sense of privacy, our notions of ownership, our consumption patterns, the time we devote to work and leisure, and how we develop our careers, cultivate our skills, meet people, and nurture relationships.” – Klaus Schwab in his book The Fourth Industrial Revolution
In this digital age, all the transactions made by individuals on a daily basis, in a variety of settings are being constantly monitored and recorded – termed as the individual’s “digital footprints”. The recent developments in Information and Communication Technologies have facilitated a more sophisticated way for surveillance and profiling of people and has drastically changed the meaning of what constitutes as private and public information. The digital consumers know at some level that all their online actions, carefree meanderings like browsing, surfing, clicking are being recorded but are not really aware of the after processes like aggregation, analysis (mining of data from different contexts), their capabilities and their implications.
This data, which is captured in different contexts, when aggregated gives a whole new meaning, a detailed personal profile of an individual and a great commercial value. Harnessing the power of recent digital capabilities to enable activities like surveillance and profiling of individuals, we have witnessed a lot of media revelations in the recent years on data scandals, breaches, suits etc., involving some of the world’s biggest brands. Jeffrey Reiman, an author proposes the observation that ‘by accumulating a lot of disparate pieces of public information, you can construct a fairly detailed picture of a person’s private life’. This clearly paints the picture of the concern of privacy in recent times.
In a survey conducted by Deloitte in 2016, 81% of the respondents from the US had pointed out that they feel they have lost control over the way their personal data is being collected and used. As a result, the problem of protecting privacy is in the limelight, and it affects the individuals whose information is being used, the companies who are using that information and also the regulators/policy makers.
Traditional privacy theories are more focused on the relationship between privacy and the personal realm. But in this age of information, where issues like public surveillance are predominant and troubling people, the data that is being used is not from their private realm, but from the so called ‘public realms’ like social networks and data gathered from smart devices. As a result of self-governance exercised by commercial actors, the data which is obtained from the users for a particular use case, is being aggregated and shared to different contexts which involves totally different use cases and different risks associated with them. The existing theories do not efficiently account for the privacy of information about people that are available in the public realm (a theoretical blind spot), which is one of the core challenges faced by today’s data driven society.
One of the recent developments in lines with consumer privacy protection by EU is the GDPR – Global Data Protection Regulations. It insists on obtaining opt-in consent from citizens to collect their data, notify them in case of a potential breach and on the ‘right to be forgotten’ (to erase all personal data upon request by the citizens or if the data is no longer relevant to the orige44inal business purpose). In a few years from now, with rapid digital innovations, it could happen that the information, which is considered to be private presently, could be exposed for others to collect, aggregate, analyse and share. This posits a significant emphasis on the idea of privacy becoming a luxury in the future (as mentioned at the World Economic Forum’s Annual Meeting).
Privacy by Design
‘Privacy by Design’ (PbD) was approved as an International Standard to preserve the future of privacy by the International Data Protection Privacy Commissioners on October 29th, 2010. The GDPR insists organisations to adhere to the practice and principles of Privacy by Design.
PbD was proposed by Dr. Ann Cavoukian who is a former 3-Term Privacy Commissioner of Ontario, and the Founder and CEO of Global Privacy & Security by Design in Ontario, Canada. By adapting the principles of PbD, the organisations are instructed to consider privacy as a fundamental element starting from the initial design stage to the very end, in the technology and all other business processes/services that require access to personal data. This phenomenon points out that privacy is embedded in the design of the system, regardless of the technology and processes surrounding it, which in turn reduces the risk of privacy issues occuring at later stages of implementation or after that.
Dr. Cavoukian and her team had worked with the brightest minds across many of the world’s best brands to better understand the practical feasibility of this design and as a result, it became very evident that while the concept of PbD might seem complex, it is practically feasible and regarded as a doable and an efficient practice, to consider privacy in the initial stages of design rather than considering privacy implications after a system is fully developed.
The 7 Foundational Principles of Privacy by Design
1. Proactive not Reactive; Preventative not Remedial:
We all know and appreciate the saying that “prevention is better than cure”. This saying is very relevant to the context of protecting privacy. The laws and regulations that are in place, are reactive and remedial in nature. They come into play only after a privacy issue has occurred. Hence, the tendency of being proactive and preventative is mandatory in this age of information, to ensure privacy. This means that PbD would anticipate and prevent such incidents before they even happen.
2. Privacy as the Default Setting:
This principle iterates the fact – PbD ensures that privacy is built in the system design by default. The protection of privacy is offered automatically and both the organisations adapting PbD and their consumers can be assured of this fact. This means that there is no need for regulators to do an after check if there is an issue with regards to protecting privacy and there is no need for the customers to be worried about their privacy. There is no need for anyone to ask for it and privacy exists by default.
3. Privacy Embedded into Design:
PbD ensures that privacy is embedded into the design and architecture of the systems and also in all the business processes carried out in an organization. This way, it can be asserted that privacy is built in as a fundamental requirement and not as just another add-on or as a feature that is ‘nice to have’. Thus privacy becomes an integral part of the system, that complements the system’s functionality.
4. Full Functionality — Positive-Sum, not Zero-Sum:
According to this principle, if we take an example of the two functionalities – security and privacy, PbD ensures that both of them can co-exist, positively rise at the same time, without compromising on one another, leading to a positive-sum model – Privacy and Security and not Privacy versus Security. This is the opposite of the ‘zero-sum’ model, which means that the increase of Security, leads to the decrease/compromise in Privacy, the effects of which add up to an undesirable sum of zero. PbD ensures that it is possible to have both the interests at the same time, a real win-win situation.
5. End-to-End Security – Full Lifecycle Protection:
Privacy and Security are not the same and it is not practically possible to ensure privacy without having a strong security practice in place. By embedding privacy into the system design, PbD ensures that the data is protected through the entire lifecycle, from the collection of the very first piece of information till the end of its destruction- a properly secured management of information, from end-to-end.
6. Visibility and Transparency – Keep it Open:
PbD insists that it is essential for organisations to be transparent about their systems, data gathering practices, technology and data usage practices which would help the customers and the other stakeholders of interest to be aware and be confident of their information usage. This way, PbD can help reassure the ownership of data to the data owners and also highlight that the organisations only have the custody and control of the data and that they do not own it.
7. Respect for User Privacy — Keep it User-Centric:
This principle demands organisations to have interest and respect for the customer’s privacy, by establishing practices, processes and operations that are user-centric. By adhering to PbD, the organisations would appreciate the customer’s point of view and this would instill a sense of responsibility in organisations to protect their customer’s privacy.
Thus, Privacy by Design proposes a preventive approach towards protecting privacy, by focusing on early privacy considerations. It promotes a privacy-conscious culture within an organisation from the ground up. It offers scope for improvements in operational efficiencies, reduction of overall costs in an organisation and also strengthens the brand value and the reputation of the organisation. It reassures the users that it is their information, that they still have control over it and that they remain informed of how their personal information is being used. This indicates that they need not worry or raise privacy concerns and they can be confident about their privacy being protected.
Inspired By : Privacy by Design – The 7 Foundational Principles by Ann Cavoukian, Ph.D. (www.privacybydesign.ca).
Nissenbaum, H. (1997) ‘Toward an approach to privacy in public: Challenges of information technology’, Ethics and Behavior, 7(3), pp. 207–219. doi:10.1207/s15327019eb0703_3.
Donal Murray (no date) ‘Privacy by Design’, Deloitte Insights
Val Srinivas, Sam Friedman, Tiffany Ramsay (no date) ‘Reimagining customer privacy
for the digital age Going beyond compliance in financial services’, Deloitte Insights,
Ann Cavoukian’s talk on Privacy by Design.