Privacy by Design, Right from the Start.
International Data Privacy Day 2020 saw a host of events, conferences, and symposia discussing the emerging trends and issues in the world of data privacy and security. In Toronto, the Privacy & Access Council of Canada (PACC) hosted a privacy/security update session headlined by Dr. Ann Cavoukian, former Information and Privacy Commissioner for Ontario and founder of the Global Privacy by Design Centre of Excellence. Dr. Cavoukian is currently the Distinguished Expert-in-Residence heading the Privacy by Design Centre of Excellence at Ryerson University, serves as Executive Director of the Privacy and Big Data Institute at Ryerson, and is one of the world’s foremost privacy and security experts. Dr. Cavoukian’s presentation focused on impending changes to Canada’s privacy laws, and how the concept of “privacy by design” is more relevant today than ever.
First, what is “Privacy by Design”? Put simply, it’s the practice of embedding data privacy and security when developing a product or process, right from the start. Rather than bolting on protections at the end of a design process, care for the privacy and security of data needs to be one of the foundational concerns of any implementation, whether you’re installing a new software application, designing a security system, or handling customer data.
Dr. Cavoukian’s framework for Privacy by Design comprises seven fundamental principles:
1. Proactive not Reactive: Preventative not Remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality: Positive-Sum, not Zero-Sum (Most important in the cybersecurity field)
5. End-to-End Security: Full Lifecycle Protection
6. Visibility and Transparency: Keep it Open
7. Respect for User Privacy: Keep it User-Centric
While all are relevant, the fourth principle is particularly important for us to remember in the cybersecurity field. Indeed, privacy vs. functionality need not be a “zero-sum game”: an ideal privacy by design approach creates an environment where customer experience and confidence can be enriched by strong privacy and security implementation. A win-win or positive-sum outcome is the goal. By considering privacy and security as a feature – as opposed to a limiting factor – we can strive to achieve that positive-sum outcome in designs of security systems. Strong security and privacy controls can become a differentiator in the marketplace (just as weak security can: just ask any of the companies that have made headlines about failing to adequately secure sensitive client data!).
This brings us to the distinction between privacy and secrecy. As Dr. Cavoukian explained, privacy is not simply about hiding data, it’s about providing thoughtful control of data – giving customers the choice about what is collected, and how it is used and distributed. Many businesses find that customers are content to share their personal data as long as they know why it’s being collected, and they are comfortable that their data is being protected, and they know that they can withdraw their consent when appropriate. Dr. Cavoukian favours the term “informational self-determination”[1] to describe the wishes of customers when it comes to their data, as it captures the spirit of user control nicely. When you think of privacy in terms of “control” rather than “secrecy”, it becomes clearer how beneficial a win-win outcome can be.
So why is privacy by design even more important in 2020 than when the concept was born in 1995? The General Data Protection Regulation (GDPR) – the evolving privacy standard in the EU – insists on the concept of “privacy by design” when handling sensitive client data. In fact, the GDPR extends the concept by referring to “data protection by design”, featuring privacy as a default in products and processes. New laws are being enacted based on GDPR, and North American companies doing business with companies in the EU will soon be obliged to observe GDPR principles. Schools are recognizing the importance of spreading the word about privacy by design: Deloitte and Ryerson University have even partnered to offer a Privacy by Design certification program. This is real and it is happening now.
In Canada, changes to the Personal Information and Protection of Personal Information Act (PIPEDA) to reflect more of a “privacy by design” flavour and align PIPEDA with GDPR were proposed by the Office of the Privacy Commissioner of Canada in 2018. While no movement has occurred yet, the federal government announced its plans for a Digital Charter, and released a discussion paper summarizing the proposed changes to PIPEDA. Action on these changes may be coming soon: GDPR has an international compliance deadline that arrives in May 2020. Canada has yet to revise its compliance framework to meet GDPR standards, but if the House of Commons can show substantive progress is being made on the strength of the Digital Charter and a new PIPEDA, an extension to the EU deadline may be negotiable. Changes that could affect every Canadian business could be announced within the next few months.
But irrespective of European commerce or official government pronouncements, doesn’t it just make sense for all organizations to make cybersecurity and the protection of client data a priority from day one?
As Dr. Cavoukian put it, “Without strong end-to-end security, you’re not going to have any privacy”. Businesses are reminded that data has been entrusted to them: while they are protecting the data, they do not own it. And headline-grabbing cyber breaches and private data disclosures remind us that an ounce of prevention is worth a pound of cure. Consider the recent LifeLabs data breach: the costs of building in privacy and security by design have been far outweighed by the brand damage and loss of customer trust that have flowed from the cyber attack… not to mention the proposed class action suits in excess of $1.1 billion.
Are you considering a new software implementation, website launch, or security implementation? Have you spoken to your team and your business partners about “privacy by design” concepts and principles, helping to ensure that the information collected and entrusted to you is protected? Have you considered the potential impacts of changes to PIPEDA legislation? The time to act is at the beginning of your projects – not the end!
[1] The term is based on the expression “informationelle Selbstbestimmung”, first cited as part of a German constitutional ruling regarding a data privacy challenge around personal information collected during a national census in 1983.