Security and privacy are essential in today's digital economy.  2014 was a year of large-scale security and privacy breaches, leaving everyone asking how much we should trust companies with our sensitive information.  More than 80 countries currently have privacy laws, and violating them can result in fines, brand damage and lost revenue.

January 28th is recognized as Data Privacy Day across the US, Canada and UK.  Data Privacy Day is intended to raise awareness of the importance of respecting privacy, safeguarding data, and enabling trust.

Whether or not you are directly responsible for privacy, security and privacy must work together in order to be effective.  For this article I thought it would be a good time to discuss the importance of practicing the concept of Privacy by Design.

Privacy by Design, the framework developed by Ann Cavoukian, is composed of 7 foundational principles:

  1. Proactive Not Reactive; Preventative Not Remedial.  We should have policies, procedures, and methods to recognize poor privacy practices and address them before they become an issue.
  2. Privacy as the Default Setting.  Personal data should be protected in every information system by default, so that an individual gets the maximum degree of privacy without having to take any action to protect it.
  3. Privacy Embedded into Design.  Just as we have been embedding security into the design of our information systems and business practices, we must do the same with privacy.  In addition to security risk assessments, privacy impact assessments (PIAs) should be completed as well.
  4. Full Functionality; Positive-Sum, Not Zero-Sum.  Privacy should not be traded off against the full functionality of an application.  Just like security, privacy should be treated as positive-sum rather than as a zero-sum game.
  5. End-to-End Security, also known as Full Life Cycle Protection.  This life cycle includes the following elements: collection, use, disclosure, storage and destruction.

    Collection means that we should only collect the minimum information necessary.  Use refers to using that personal information only for the purpose for which it was collected, and that purpose should be clearly disclosed to the individual.

    All of this must also be done in accordance with the law of the appropriate country.  For example, in the European Union (EU) an individual must explicitly consent to having their personal information used for a specific marketing purpose.  Disclosure focuses on ensuring that only people with a business need are authorized to view the data.  Storage and destruction focus on having appropriate security controls for storing sensitive data, and on having a secure means of disposing of or erasing personal data once it is no longer required.  This also means not retaining personal data any longer than required for its intended use.

  6. Visibility and Transparency.  The focus here is on accountability and trust.  The end user should be clearly informed about how their personal data will be used.  In addition, the organization must have clear privacy policies and procedures, and someone accountable for ensuring adherence to them.
  7. Respect for User Privacy.  This means keeping the interests of the individual providing the personal data at the forefront.  It includes having a clear means of obtaining consent, except where the law permits otherwise.  The organization must also keep the data accurate, give individuals access to the information retained about them, and publicly communicate how they can challenge its compliance with these commitments.
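As an added illustration (this is not code from the original article, nor from the Privacy by Design framework itself), the following Python sketch shows what principles 2, 5 and 7 look like when they are enforced in code rather than only in policy: a store that will hold only declared fields (collection), releases a field only for a purpose the individual has agreed to and that the field is declared for (use and disclosure), answers an access request, and destroys a record once no agreed purpose still justifies keeping it (storage and destruction). The purposes `order_fulfilment` and `marketing`, the field names and the retention periods are assumptions chosen for the demo; marketing is never usable until the individual opts in, which is the privacy-as-the-default rule in practice.

```python
"""Privacy by default and full-lifecycle handling of personal data (added
illustration for this article, not code from any product or standard; the
purposes, fields and retention periods below are assumed values)."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Dict, Iterable, List, Optional

# Purpose limitation: purposes declared up front, and the fields each may use.
# (Assumed mapping; it is also the minimisation whitelist: nothing else is stored.)
FIELD_PURPOSES: Dict[str, set] = {
    "email": {"order_fulfilment", "marketing"},
    "shipping_address": {"order_fulfilment"},
}
# Retention limit per purpose, counted from when it was agreed to (assumed).
RETENTION: Dict[str, timedelta] = {
    "order_fulfilment": timedelta(days=365),
    "marketing": timedelta(days=90),
}


class PrivacyViolation(Exception):
    """A request would breach one of the declared privacy rules."""


@dataclass
class Record:
    subject_id: str
    collected_at: datetime
    data: Dict[str, str]
    # Privacy as the default: a purpose is usable only once the individual has
    # agreed to it; the value is when that agreement was given.
    consents: Dict[str, datetime] = field(default_factory=dict)


def _check_purpose(purpose: str) -> None:
    if purpose not in RETENTION:
        raise PrivacyViolation(f"undeclared purpose {purpose!r}")


class PersonalDataStore:
    def __init__(self, start: datetime = datetime(2015, 1, 28, tzinfo=timezone.utc)):
        self.now = start  # controllable clock so retention can be demonstrated offline
        self._records: Dict[str, Record] = {}

    def advance_days(self, days: int) -> None:
        self.now += timedelta(days=days)

    def collect(self, subject_id: str, data: Dict[str, str],
                purposes: Iterable[str] = ()) -> None:
        """Store only declared fields, bound to the purposes agreed at collection."""
        unknown = set(data) - set(FIELD_PURPOSES)
        if unknown:
            raise PrivacyViolation(f"undeclared fields collected: {sorted(unknown)}")
        rec = Record(subject_id, self.now, dict(data))
        for p in purposes:
            _check_purpose(p)
            rec.consents[p] = self.now
        self._records[subject_id] = rec

    def grant_consent(self, subject_id: str, purpose: str) -> None:
        _check_purpose(purpose)
        self._record(subject_id).consents[purpose] = self.now

    def withdraw_consent(self, subject_id: str, purpose: str) -> None:
        self._record(subject_id).consents.pop(purpose, None)

    def use(self, subject_id: str, purpose: str, fields: Iterable[str]) -> Dict[str, str]:
        """Release fields only for a purpose the subject agreed to and the field permits."""
        _check_purpose(purpose)
        rec = self._record(subject_id)
        if purpose not in rec.consents:
            raise PrivacyViolation(f"{subject_id} has not agreed to {purpose}")
        out = {}
        for f in fields:
            if purpose not in FIELD_PURPOSES.get(f, set()):
                raise PrivacyViolation(f"field {f!r} may not be used for {purpose}")
            if f in rec.data:
                out[f] = rec.data[f]
        return out

    def access_report(self, subject_id: str) -> Optional[Dict[str, list]]:
        """What is held about an individual, for answering an access request."""
        rec = self._records.get(subject_id)
        if rec is None:
            return None
        return {"fields": sorted(rec.data), "purposes": sorted(rec.consents)}

    def purge_expired(self) -> List[str]:
        """Destroy records once no agreed purpose still justifies keeping them."""
        purged = []
        for sid, rec in list(self._records.items()):
            keep_until = max((t + RETENTION[p] for p, t in rec.consents.items()),
                             default=rec.collected_at)  # no purpose: keep nothing
            if self.now >= keep_until:
                for k in rec.data:    # blank before dropping; best effort only, as
                    rec.data[k] = ""  # Python cannot guarantee memory is wiped
                del self._records[sid]
                purged.append(sid)
        return purged

    def _record(self, subject_id: str) -> Record:
        if subject_id not in self._records:
            raise PrivacyViolation(f"no record for {subject_id}")
        return self._records[subject_id]
```

The design choice worth noticing is that there is no "allow" path that bypasses the purpose check: a field can only leave the store through `use`, which refuses unless both the individual's consent and the field's declared purposes line up, and `purge_expired` treats a record with no agreed purpose as already expired, so collecting data "just in case" gets it destroyed rather than silently retained.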

This article was intended as a primer; if you would like more information, please look at the following resources:
