Friday, November 4, 2016

Privacy By Design - Ready For Takeoff

This blog relates to the technology of privacy (seen metaphorically by many as the elephant in the room). The blog explores privacy stakeholders' many and varied points of view (metaphorically described by this familiar old elephant fable).

Privacy By Design (PbD) was developed by former Ontario, Canada Information & Privacy Commissioner, Dr. Ann Cavoukian in the late 1990s. As a framework of foundational principles for protecting individual consumers' data privacy rights, PbD's promotion of strong privacy defaults, effective notice, and user-friendly privacy options has been widely acclaimed by privacy professionals worldwide. Yet it would be wrong to say that the principles of PbD have been aggressively applied in actual practice. Why not? There are a number of real-world reasons:

1. Many organizations still collect consumer personal information based on deemed or implied consent, violating the PbD principle of providing strong privacy defaults.

2. Many organizations still rely solely on long, legalese policy statements for informing consumers of their privacy rights, violating the PbD principles of transparency and visibility.

3. In many cases, the user interface where personal information is collected and managed is designed defensively, to protect the organization rather than the user, violating the PbD principle of designing to keep the user's individual interests and experience uppermost.

4. Many public safety stakeholders hold to the belief that one must choose between privacy and public safety, and that the best interests of consumers and "big data" are inherently incompatible, violating the PbD principle of positive-sum (not zero-sum) design.

In my opinion, the passage of the EU's General Data Protection Regulation (GDPR) in May of this year is already changing this mind set, bringing PbD to top of mind as personal data operations are adjusted to comply with new GDPR rules. For example, GDPR Article 7 sets stricter conditions for valid consent, Article 12 mandates higher transparency standards, and Article 25 specifically mandates data protection by design and by default.

In short, the EU's GDPR initiative has already given PbD new visibility and vigor. Positive-sum change is on the way ... not just to Europe, but across the world.

Parenthetically, Dr. Cavoukian is keeping up with change as well, having recently founded GPS by Design, a follow-on to the PbD initiative, now expanded to a global privacy and security focus. PrivacyCheq supports GPS by Design, and works to promote its acceptance.

GDPR IT Countdown: 18 months still remain for funding, designing, specifying, building, testing, and deploying GDPR-compliant operations before sanctions apply. On your marks, get set ...

Dale Smith, CIPT