Bryta Schulz, Vice President of Marketing at Customer Identity and Access Management (CIAM) company Janrain, writes about why it is imperative for multinational brands to adopt privacy by design principles beyond complying with GDPR.
In 2005, Microsoft identity and access architect Kim Cameron published a vision for an architecture that would “give Internet users a deep sense of safety, privacy and certainty about whom they are relating to in cyberspace,” in his white paper “7 Laws of Identity.” Cameron added, “Nothing could be more essential if Web-based services and applications are to continue to…encompass all kinds of interaction and services.” A few years later, Cameron’s white paper inspired Ann Cavoukian, then the Information and Privacy Commissioner of Ontario, to publish her seminal white paper “Privacy by Design: The 7 Foundational Principles,” which put forth a framework for embedding privacy “into every [digital] standard, protocol and process that touches our lives.”
With GDPR now live, Privacy by Design (PbD) has taken center stage, as the landmark 99-article legislation requires companies serving EU residents to adhere to its principles. PbD’s journey from being a niche obsession of techies to a foundational element of arguably the most-discussed privacy regulation in history contains valuable lessons about why brands need to incorporate privacy into every one of their digital products or services that touches the consumer, not just for GDPR-compliance purposes but to provide a great customer experience and to mitigate breaches and cyber attacks as well as a company can today.
PbD Is Good Customer Service
Customers are growing increasingly aware of how their personally identifiable information (PII) is being collected and used, and some experts are even going as far as to call for users to be paid for their data. PbD’s principles can show organizations how to treat PII like the precious asset it represents. Years ago, Cavoukian urged companies to take proactive, preventative measures around privacy. “PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred—it aims to prevent them from occurring,” she wrote.
Cavoukian was the first to formally espouse the practice of disclosing the exact reasons for collecting, using and retaining an individual’s personal information, and limiting collection of data only “to that which is necessary for the specified purposes.” She also laid the groundwork for other GDPR staples, such as gaining explicit consent to use personal data, data portability, clear privacy terms and dashboards displaying all consented uses and disclosures.
If the recent revelation that consulting firm Cambridge Analytica harvested the details of 87 million Facebook users from an app that received only 270,000 explicit consents illustrated anything, it’s that it is a massive understatement to say that consumers are unclear about how their data is being used and shared behind the scenes, and they are understandably angry about this. Furthermore, this incident alerted end users to Facebook’s inaccessible and hard-to-navigate privacy settings, and if brands don’t notice the growing outcry against such practices, they will pay a dear price in the end.
PbD Is Inherently a Security Issue
This concept of “data minimization,” the practice of taking only the data needed for a specific consented purpose, also has security implications. Security breaches are a fact of life, and even the most conscientious companies can’t completely guard against data being compromised by an external party. Thus, it makes sense not to transfer PII if the circumstances don’t require it. Why give away the store when you only need to sell a carton of milk? The fallout from the Cambridge Analytica situation would have been contained had the developer of the “ThisIsYourDigitalLife” app, from whom Cambridge Analytica obtained the Facebook data, only had access to parts of digital profiles needed for the customer experience rather than entire identities.
In addition, PbD explicitly calls for companies to take measures such as “secure destruction, appropriate encryption and strong access control and logging methods” to secure PII throughout its entire lifecycle, “generally commensurate with the degree of sensitivity” of that data. In other words, the more sensitive the personal information, the more you must do to keep it safe. This sounds like common sense, doesn’t it? So why should it take legislation to get organizations to act accordingly?
PbD Should Be Fundamental
If organizations need any additional incentive to spend the money to instill PbD into all facets of their operation, they may want to heed the hard lessons learned by many American auto manufacturers in the late 20th century. In the 1970s, these car companies didn’t prioritize energy efficiency in their manufacturing processes. A decade later, these automakers found themselves at a disadvantage vis-a-vis competitors that built fuel economy into their design from the start.
Similarly, companies that now need to bolt PbD onto products and services that weren’t conceived with its principles in mind will encounter tremendous cost and hassle. If PbD isn’t on the C-suite’s radar now, it won’t be long until bottom-line pressure from regulators or market forces gets its attention. But take a closer look at the original PbD principles, and it becomes clear that it shouldn’t take GDPR to get companies to re-architect solutions and processes to bake it in from the start.