International: Privacy by Design – prioritizing security in business

In today's current digital space, safeguarding privacy and ensuring that your business is compliant with the various cyber laws and data privacy regulations is crucial to ensure that business operations are well protected. In this article, PR de Wet and Mishka Cassim, from VDT Attorneys Inc., seek to address some of the most important issues companies face and need to consider on a global scale when addressing privacy concerns.

Dr Ann Cavoukian, Information and Privacy Commissioner of Ontario and developer of the concept of ‘Privacy by Design,’ states that: “Privacy by Design is a concept I developed back in the 90’s, to address the ever-growing and systemic effects of Information and Communication Technologies, and of large-scale networked data systems.” She further goes on to say that “Privacy by Design advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.”

The onus of privacy protection falls on service and technology providers instead of their users. Organizations and businesses should ensure that privacy is considered at the very start of the process when the product or service is being built as opposed to implementing data protection or privacy measures after it has already been in use. This ensures the anticipation of any privacy risks that may materialize from the onset and ultimately reduces the risk of any future potential data breaches.

A brief background into the concept ‘Privacy by Design’

‘Privacy by Design’ entails the protection of data through design and technology. It was coined during the early 1970’s and has gained recent exposure due to the enactment of Article 25 of the General Data Protection Regulation (GDPR), which forms a basis for the concept. The GDPR, however, refers to it as ‘data protection by design and by default.’ The GDPR explicitly treats Privacy by Design as an essential requirement for ensuring compliance with the protection of data subjects’ rights. Apart from the GDPR, various laws have been enacted internationally that govern how data is to be collected and processed so that personal data is protected. Organizations and businesses must implement technical and organizational measures at the earliest possible stage of the design and building process to ensure that privacy is safeguarded and data is protected. This way, the protection of privacy is prioritized as part of the development process rather than after it has been completed. Privacy is not ensured by merely complying with regulatory structures or legislation, and it is by no means a mere tick-box exercise.

Key objectives to consider in Privacy by Design:

In addition to developing the concept of ‘Privacy by Design,’ Cavoukian formulated seven foundational principles to be built into the design, operation, and organization of a specified system, business process, or design specification in order to successfully achieve Privacy by Design. These seven principles are:

  • Proactive not reactive; preventative not remedial: Privacy by Design should be implemented before any risks occur and not after. It aims to prevent data risks from happening rather than resolving them after they have already occurred.
  • Privacy as the default setting: Privacy by Design seeks to ensure that data subjects’ personal data is given automatic protection in a business practice or within any IT system. The protection must by default be embedded and built into the system in order to ensure the highest assurance of data protection.
  • Privacy embedded into design: Privacy by Design is considered and embedded at the very onset into both the development and design of IT systems and business processes rather than being considered after the technology has been built. This ensures that privacy forms an integral part of the development process.
  • Full functionality – positive-sum, not zero-sum: Data subjects’ privacy rights should always be considered, especially during the development of new technology. The functionality of the technology should not compromise the main purpose, namely data protection.
  • End-to-end security – full lifecycle protection: Security measures that ensure privacy and data protection must last for the full lifecycle of the data, from the beginning, when privacy is embedded and the data is processed and controlled, up until the end, when the data needs to be securely destroyed.
  • Visibility and transparency – keep it open: Privacy by Design seeks to ensure that data subjects understand the various ways their privacy is protected through the visibility and transparency Privacy by Design advocates.
  • Respect for user privacy – keep it user-centric: The data subject should be able to use the technology with ease. Privacy by Design seeks to keep the individual’s interests and needs met by proposing strong measures such as privacy defaults, appropriate notice, and empowering user-friendly options.

Privacy by Design framework

Privacy by Design is a regulatory framework based on embedding privacy into both the design and operational aspects of business practices, IT systems, and networked infrastructure. The seven foundational principles explained above are essential for achieving the concept of Privacy by Design.

Organizations that implement these principles gain a tangible benefit. Great responsibility is placed on organizations and businesses to ensure that their technological systems are well-secured, protected, and developed by incorporating the element of privacy at the very beginning of the process rather than as an afterthought. Whilst organizations are responsible for securing and protecting the personal data of their users, they face a challenge in respect of the large quantities of data they hold, for various reasons. Users have become more willing to share information, and this has created a high-risk environment, exposing organizations to a much larger risk of potential privacy and security breaches. Organizational boundaries are no longer stable.

This creates difficulty in tracking how, where, and by whom information is being collected, processed, and managed. Social networking tools give the assurance of new possibilities but also come with potentially serious exposures if not managed correctly. Cavoukian elaborates by saying “Protecting privacy while meeting the regulatory requirements for data protection around the world is becoming an increasingly challenging task. Taking a comprehensive, properly implemented risk-based approach—where globally defined risks are anticipated and countermeasures are built into systems and operations, by design—can be far more effective, and more likely to respond to the broad range of requirements in multiple jurisdictions.”

The link between Privacy by Design and cybersecurity

Almost all organizations, businesses, and individuals rely on electronic devices to store data. Whilst Privacy by Design encompasses the protection of data through design and technology, cybersecurity focuses on protecting IT systems against any internal or external cyberattacks that may arise. This can include cloud security, network security, and application security. Cloud computing delivers services such as software, hardware, and storage; cloud security protects cloud data, applications, and infrastructure from any potential cyber threats. Network security entails antivirus software, firewalls, and VPN encryption, which ensure that the network is well-secured and protected from threats and breaches. Application security seeks to find, fix, and prevent security vulnerabilities. This way organizations and businesses can reduce the risk of potential security exposures in their own software or within third-party components used as part of the application.

Privacy by Design and cybersecurity are interconnected. The collecting, processing, and storing of personal information heavily relies on an effectively secured environment implemented by the organization. On the one hand, you have a concept that prioritizes privacy at the very beginning of the development process, placing emphasis on the design and technology being built considering privacy from the onset. On the other, you have the identification and reduction of the potential risks or threats to an organization or business. Cybersecurity extends beyond ensuring privacy: it identifies the cyber threats an organization or business is susceptible to and develops methods to ensure the risk is reduced or entirely eliminated. Both concepts promote risk management.

Although various laws have been enacted internationally that require organizations and businesses to comply with data privacy and protection requirements, this does not mean that compliant organizations or businesses are well-secured. Compliance is merely a foundation, and relying on it alone does not deliver the level of security a business or organization needs. Engaging with effective risk management models and identifying the areas within an organization or business that require additional security will be most beneficial. Risk management coincides with compliance requirements. Companies and organizations need to recognize that maximum security is not achieved merely by adhering to what the law says; rather, the law should be used as a stepping stone, with further measures built on that foundation in order to ultimately create a secure environment.

Most data protection laws do not yet incorporate the concept of Privacy by Design; however, it is promoted as one of the most widely recommended practices for protecting online privacy. In an era of constant technological advancement, businesses must prioritize Privacy by Design and cybersecurity in their operations sooner rather than later. This will not only ensure maximum security but will also build trust between organizations, businesses, and their respective clients. It is imperative for businesses to recognize that prevention is better than cure and that various measures must be taken in order to safeguard privacy and comply with evolving legal requirements. As Cavoukian stated “People often approach security and privacy in a zero-sum manner. You can only have a positive gain in one area, always at the loss of the other. This either-or, win-lose, zero-sum model is so dated. Throw it out the window. Yes, the term privacy assumes a much broader set of protections than security alone. But if you don’t have a strong foundation of security from end to end with full lifecycle protection in this day and age of daily hacks, you’re not going to have any privacy.”

PR de Wet Partner
Mishka Cassim Candidate Attorney
VDT Attorneys Inc., Pretoria

May 20, 2024
