Shining a light on privacy by design.
On April 6, 2022, the U.S. government announced that it had secretly removed malware from organizations around the world to preemptively prevent a Russia-backed cyberattack. It was just the latest move by the Biden administration to protect critical infrastructure, as well as business and government operations, against cyber spillover from the military conflict in Ukraine.
However, it doesn’t take a cyberwar to cause a data breach, as news headlines regularly attest. Any individual’s data is at risk of being exposed. As just one recent example, in mid-2021 a hack of a major telecom provider leaked records of nearly 8 million customers – plus another 40 million noncustomers.
These events are reminders of how globally interconnected our networks, supply chains and daily lives have become. More than one-half of the world’s population – approximately 4 billion people – own a smartphone. Individuals and businesses generate an estimated 97 trillion gigabytes of data a year. In this Data Economy, social media content, personal fitness stats, web searches and more can be captured, shared, sold – and hacked – at a dizzying pace. It’s no wonder people feel they have less and less control over what happens to their information. Organizations need to respond. Privacy must become a priority for all enterprises and agencies. First among them are providers of technology solutions and services. In particular, these organizations must embrace the concept of “privacy by design.”
Data privacy accelerators
Privacy issues revolve around personal data, or personally identifiable information (PII). Definitions of PII vary, but in general it refers to any data that permits the identity of an individual to be determined directly or indirectly. That can include name, location, IP addresses, medical details, financial or other account data, government identifiers (e.g. driver’s license, Social Security number), and biometrics. Beyond geopolitics and the ever-growing scourge of cybercrime, a number of factors are escalating the need for stronger privacy:
U.S. regulations
The United States lacks a comprehensive, federal-level privacy law. Instead, the federal government takes a sectoral approach, addressing aspects of privacy through laws directed at specific industries, from the Health Insurance Portability and Accountability Act (HIPAA) to the Fair Credit Reporting Act (FCRA). California, Colorado, Virginia, and Utah, however, have enacted comprehensive state-level privacy laws, and several other states have privacy bills in committee.
EU regulations
The General Data Protection Regulation (GDPR) is the world’s most prominent privacy law, granting individuals significant rights and control over their personal data. Among other things, it restricts transfers of personal data out of the European Economic Area unless a valid international transfer mechanism, such as an adequacy decision or Standard Contractual Clauses, is in place.
COVID-19
The COVID-19 pandemic raised the stakes on cybersecurity and, by extension, privacy when it transformed how organizations function. Businesses suddenly had to field a remote workforce, connected through dispersed endpoints and cloud applications. They also required new, digitally enabled ways of interacting with customers. Enterprises now need more effective means of securing their perimeters, reducing their attack surfaces, and preventing data loss.
Customer demands
Cyberattacks, regulations and a global pandemic aside, a primary driver of stronger privacy is simple: customer demands. In a recent KPMG survey, 86% of respondents said data privacy is a growing concern, and 68% said they’re concerned about the level of data being collected by businesses. Customers want to know who has their information, how they’re using it, whom they’re sharing it with, where it’s stored, where it flows to, and how it’s being protected. Enterprises that fail to recognize the importance of, and respond to, these concerns risk losing business to those that do.
Key qualities of strong privacy by design
To better ensure privacy and retain customer trust, providers of digital solutions and services must embrace privacy by design. Privacy by design calls for privacy to be considered in every aspect and phase of a company’s operations, solution design, and engineering. The goal is to make strong privacy a corporate priority and ensure it is the default position in any operations, technology, product, or practice, allowing an organization to make privacy efforts proactive rather than reactive. A key reason privacy by design must be central to digital solutions and services is that these products typically process personal data of employees and customers. That could be HR data in a central ERP system or customer information in a CRM system. For cybersecurity solutions, it could involve employee behavior monitoring to look for anomalous network usage. But it can even show up in places we might not immediately consider, like customer PII flowing through a coffee retailer’s WiFi network.
When assessing a high-tech provider’s privacy-by-design maturity, look for these qualities:
Privacy impact assessments
Privacy by design begins with a thorough privacy impact assessment that identifies potential cybersecurity issues as well as what personal data will be gathered and how it will be handled, protected, and stored. Decisions about which data is actually needed for the product to function should be made at the outset of application development or provider onboarding, not retrofitted. The guiding principle is data minimization: no personal data should be captured, retained, or provided to a third party that isn’t strictly necessary for the stated purpose.
Data anonymization
Data anonymization is a form of data sanitization that removes or transforms PII so that the individuals in a dataset can no longer be identified. Simply replacing a name with a random number is not enough on its own: the remaining attributes (a postal code, a birth date, a device fingerprint) can often single an individual out again, so anonymization normally combines removal of direct identifiers with generalization, suppression, or aggregation of those quasi-identifiers. Properly anonymized data is de-associated from individuals, with no reasonably available means of ever re-associating it; under the GDPR, data that still permits reasonable re-identification is not anonymous and remains personal data.
Pseudonymization
Anonymization is not always possible or effective for the organization’s needs, such as when monitoring network traffic for anomalous behavior, where events belonging to the same user must still be correlated over time. In these cases, pseudonymization (often written “pseudo-anonymization”) offers a solution. A cybersecurity provider processing PII on a client’s behalf, for instance, can replace identifiers with encrypted or keyed tokens so that the data it handles is de-associated from individuals, while the client holds the cipher key needed to re-associate the data if necessary. An effective solution would let the client configure the service to conform to the privacy laws of each jurisdiction it operates in. The GDPR names pseudonymization as an appropriate safeguard (Articles 25 and 32), and the European Data Protection Board’s Recommendations 01/2020 on supplementary measures list it as a technical measure for international transfers. Unlike anonymized data, pseudonymized data is still personal data, because the key makes re-identification possible, so it remains within the regulation’s scope.
Data governance
Privacy by design dictates that digital solutions distinguish between the data controller – the enterprise (or individual) that determines why and how personal data is processed – and the data processor – the vendor that processes the data on the controller’s behalf. Whenever possible, digital solutions should let controllers retain full control and manage their own data in their own environment, encrypting it or otherwise restricting access to maintain the highest level of privacy.
Proof of privacy
Digital solutions should also provide means of demonstrating that they enable the customer to implement privacy controls. This can involve business rules that limit the number of administrators who have access to data, or that establish a super-administrator who controls admin rights, such as who has permission to unmask pseudonymized data. Such rules are only demonstrable if the unmasking path is enforced in code and logged, rather than merely described in a policy document.
Processes and partners
Privacy by design doesn’t just involve application development and engineering. The approach is effective only if privacy concepts and controls are baked into the organization’s business-wide practices and processes. Every line of business must adopt a privacy mindset to ensure that all aspects of the business are geared to preserving privacy. Likewise, privacy expectations must extend to the provider’s contractors, suppliers, and partners.
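As an added, self-contained illustration of the anonymization, pseudonymization, and unmasking-control points above (this is example code written for this page, not code from the original article or from any vendor it describes): the Python script below pseudonymizes constructed network telemetry with a keyed HMAC under a key only the controller holds, lets the processor run a detection purely over pseudonyms, gates re-identification behind a hypothetical privacy-admin role, and shows why an unkeyed hash of a guessable identifier is not anonymization. The sample events, field names, threshold and role name are all assumptions made for the example.

```python
import hashlib
import hmac
import secrets
from typing import Dict, List, Optional

# Constructed sample telemetry (not real data): events a monitoring service
# would receive from a client network. "user" and "src_ip" are PII.
SAMPLE_EVENTS = [
    {"user": "alice@example.com", "src_ip": "10.0.0.12", "bytes_out": 1_200},
    {"user": "bob@example.com",   "src_ip": "10.0.0.13", "bytes_out": 98_000_000},
    {"user": "alice@example.com", "src_ip": "10.0.0.12", "bytes_out": 1_500},
]
PII_FIELDS = ("user", "src_ip")
UNMASK_ROLE = "privacy-admin"  # hypothetical role name for the super-administrator


class ControllerVault:
    """Controller-side state. The processor receives pseudonyms only; it never
    sees `key` (the cipher key the client holds) or `lookup` (the reverse map)."""

    def __init__(self, key: Optional[bytes] = None) -> None:
        self.key = key if key is not None else secrets.token_bytes(32)
        self.lookup: Dict[str, str] = {}  # pseudonym -> original value

    def pseudonymize(self, value: str) -> str:
        # Keyed, deterministic token (HMAC-SHA256): the same input always maps
        # to the same token, so per-user correlation still works downstream,
        # but without the key nobody can recompute or enumerate the mapping.
        token = hmac.new(self.key, value.encode("utf-8"), hashlib.sha256).hexdigest()
        self.lookup[token] = value
        return token

    def unmask(self, token: str, actor_role: str) -> str:
        # Re-association is a privileged operation gated by a business rule;
        # a real deployment would also audit-log every call to this method.
        if actor_role != UNMASK_ROLE:
            raise PermissionError("only the privacy administrator may unmask pseudonyms")
        return self.lookup[token]


def pseudonymize_events(vault: ControllerVault, events: List[dict]) -> List[dict]:
    """Runs at the controller before any data leaves for the processor."""
    shipped = []
    for ev in events:
        masked = dict(ev)
        for field in PII_FIELDS:
            masked[field] = vault.pseudonymize(masked[field])
        shipped.append(masked)
    return shipped


def flag_exfil_candidates(events: List[dict], threshold: int = 10_000_000) -> List[str]:
    """Processor-side detection: works on pseudonyms and returns pseudonyms."""
    return [ev["user"] for ev in events if ev["bytes_out"] > threshold]


def reverse_unkeyed_hash(candidates: List[str], digest_hex: str) -> Optional[str]:
    """Caveat: swapping an identifier for an UNKEYED hash is not anonymization.
    When the input space is guessable (an e-mail directory, an IPv4 range),
    the 'anonymous' value is recovered by plain enumeration."""
    for candidate in candidates:
        if hashlib.sha256(candidate.encode("utf-8")).hexdigest() == digest_hex:
            return candidate
    return None


if __name__ == "__main__":
    vault = ControllerVault()
    shipped = pseudonymize_events(vault, SAMPLE_EVENTS)
    suspects = flag_exfil_candidates(shipped)          # processor sees tokens only
    print("processor flagged:", suspects)
    print("controller unmasks:", [vault.unmask(t, UNMASK_ROLE) for t in suspects])
```

Two design notes. A deterministic keyed token is linkable across every dataset that shares the key, so scope the key per client (and per retention period where the law requires it) and rotate it; a key reset turns old tokens into unlinkable noise, which is often the desired outcome at end of retention. And because the controller can always reverse the mapping, the shipped events are pseudonymized, not anonymized, so they still count as personal data under the GDPR.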
Privacy as an industry mindset
Ultimately, strong privacy won’t be achieved by any one organization alone. It requires commitment from every organization in the data ecosystem, and especially from providers of digital products and services. In this way, privacy by design becomes less a product or vendor feature and more an industry mindset and methodology.