Just as security is being embedded into applications and business processes, privacy must also be intentional if an organization is to stay compliant with the General Data Protection Regulation (GDPR), with whatever it evolves into, and with any future privacy legislation.
The good news is that privacy has been the new normal in Canada for nearly two decades, thanks to the Personal Information Protection and Electronic Documents Act (PIPEDA). Adhering to Canada’s privacy legislation doesn’t automatically make you GDPR compliant, but it has been a solid foundation for protecting Personally Identifiable Information (PII). If you’ve taken PIPEDA seriously, you’re better prepared for the culture shift your organization needs to stay compliant with GDPR and other regulatory frameworks.
A roadmap for intentional privacy
GDPR provides increased impetus for “privacy by design,” a concept developed in the 1990s by Ann Cavoukian, then Information and Privacy Commissioner of Ontario. Its intent was, and continues to be, to address the ever-growing and systemic effects of information and communication technologies and of large-scale networked data systems. Just as security has become more intentional as developers build new applications and operating systems, rather than tacking it on separately after the fact, privacy by design provides guidelines for thinking about privacy first, not as an afterthought.
Cavoukian’s privacy by design has seven foundational principles:
- Proactive not reactive: preventative not remedial
- Privacy as the default setting
- Privacy embedded into design
- Full functionality: positive-sum, not zero-sum
- End-to-end security: full lifecycle protection
- Visibility and transparency: keep it open
- Respect for user privacy: keep it user-centric
These principles should be applied with special vigour to sensitive data such as medical and financial information. The strength of the privacy measures implemented should be commensurate with the sensitivity of the data, but the principles themselves apply to all PII.
Applying privacy by design to GDPR
If GDPR requires that your privacy efforts be intentional, it’s easy to see how Cavoukian’s privacy by design principles can contribute to compliance and help create the necessary culture shift, because they mean thinking about privacy first.
The first of the seven foundational principles of privacy by design is that it’s proactive, not reactive. Just as good security is about being preventative rather than remedial, privacy by design aims to prevent infractions from ever occurring. This speaks to the need for employees to think about privacy as they carry out their daily tasks.
The second principle builds on that idea: privacy is the default setting. Privacy by design means PII is automatically protected in any business process or IT system, and an individual’s privacy remains intact without them having to take any action, in alignment with the intent of GDPR. This is further supported by the third principle: privacy isn’t added later as an afterthought; it’s embedded into the design and architecture of IT systems and business practices.
The fourth principle illustrates how security and privacy must work together: good security doesn’t have to create barriers. Privacy by design is not meant to be a zero-sum game; it’s about creating “win-win” scenarios by providing full functionality that accommodates all legitimate interests and objectives. In practice, privacy requirements can and should inform security requirements.
Per Cavoukian’s fifth privacy by design principle, security is end to end, protecting data throughout its lifecycle, from collection through use, retention and secure disposal. This once again anticipates the new normal that is GDPR compliance.
The goal of privacy by design’s sixth principle is to assure all stakeholders that everything operates transparently and can withstand third-party verification, no matter the business practice or technology involved. An organization that follows this principle would be well placed to handle a GDPR audit.
Privacy by design’s final principle also echoes GDPR’s aim of protecting the privacy interests of the individual. It emphasizes the importance of the data subject, requiring architects and operators to keep the interests of the individual uppermost by offering measures such as strong privacy defaults, appropriate notice, and empowering, user-friendly options.
The principles of privacy by design illustrate how you can marry security and privacy while keeping a user-centric perspective. But they are also a reminder that ensuring privacy isn’t just about deploying new technology; it’s about transforming culture across the whole organization, which is a big challenge regardless of the organization’s size. Creating the culture shift necessary to make both security and privacy intentional, no matter which regulatory framework you’re looking to satisfy, requires more than internal resources led by a GDPR champion.