Privacy By Design: How Far Have We Come?

Guy Pearce
Author: Guy Pearce, CGEIT, CDPSE
Date Published: 26 July 2021

One can hardly consider any part of the data value chain today, from data acquisition to data archiving or disposal, without considering privacy. Omitting privacy considerations from any link in this chain certainly introduces compliance risk. Far more significant, however, is that such an omission is certain to introduce ethics and reputational risk into the organization, an outcome that can harm the organization much more than any mere financial penalty for non-compliance ever could.

Two of the major schools of thought on privacy are: 1) privacy as a basic human right, and 2) privacy viewed through the lens of what has been termed “the consumer’s best interest.” Without weighing the pros and cons of each for the people most affected, the customers, it is worth noting that the former treats privacy as the default while the latter views it commercially, yet both manage privacy risk better when privacy activities are built in by design and by default. Consent management is one example: it is a complex technology problem in its own right, even before the integration challenges of bolting consent management onto a system whose design constraints are already fixed.

Privacy by Design (and by Default) as a formal paradigm is about 25 years old, and many encountering it for the first time may be unsure how to catch up on so many years of privacy technology development since then. ISACA’s new book, “Privacy by Design and Default: A Primer,” is one way to close this gap in an easily digestible format. The book ticks the boxes for someone looking for pertinent content on the subject in a single source, providing just enough information to serve as an overview without getting lost in extensive detail.

In particular, the book introduces topics such as privacy engineering and data flow management, privacy protection (including examples of privacy risk analysis models), privacy management techniques and the relationship between privacy and security, privacy design strategies in a system development lifecycle context, and an introduction to the state of the art of privacy-enhancing technologies, decades after that phrase was first used. It also provides almost 70 references in the footnotes for further reading.

One of my favorite chapters is the one on privacy-enhancing technologies (PETs). If you are concerned about the way technology monopolies have developed, the never-ending data breaches, and the increasing levels of data exploitation, often without explicit and informed consent for the use of your personal data, then take a moment to learn what Sir Tim Berners-Lee, the inventor of the World Wide Web, is advocating as a means of returning to individuals the power over their own data.

Verifiable digital credentials are the PET that enables this: they give individuals the power over their own data by letting them share only the data they choose to share, or need to share, with an organization in order to obtain a product or service. The key caveat is to ensure that the selected verifiable credentials vendor (the party operating the wallet or issuing the credential) is not itself selling your data to third parties or processing it without your consent.

Furthermore, with privacy regulations increasingly requiring that data collection be minimized in line with a well-defined purpose, verifiable digital credentials put the power to ensure that this happens in the hands of the individual, rather than leaving it to organizations, in which levels of trust have been declining. Indeed, this level of PET was quite probably in the realm of science fiction at the time Dr. Cavoukian first penned the benchmark “Privacy by Design” all those years ago.
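To make the data-minimization property of verifiable credentials concrete, here is an added example that is not from the book or from this article. It sketches the selective-disclosure idea used by schemes such as SD-JWT: the issuer commits to each claim with a salted hash and signs only the list of hashes, so the holder can later reveal any subset of claims and the verifier can still check that each revealed claim was covered by the issuer's signature. All names, keys and claims are constructed for the illustration, and an HMAC stands in for the issuer's digital signature so that the example runs on the Python standard library alone; a real deployment would use an asymmetric signature (for example Ed25519) so the verifier never holds an issuer secret.

```python
import hashlib
import hmac
import json
import secrets

# Constructed demo values (assumptions for this example, not real credentials).
ISSUER_KEY = b"demo-issuer-key-not-for-production"
SAMPLE_CLAIMS = {
    "name": "A. Holder",
    "date_of_birth": "1990-04-12",
    "over_18": True,
    "member_id": "M-0001",
}


def _canonical(obj) -> bytes:
    """Deterministic JSON encoding so issuer and verifier hash identical bytes."""
    return json.dumps(obj, sort_keys=True, separators=(",", ":")).encode()


def _claim_digest(salt: str, name: str, value) -> str:
    """Salted commitment to one claim; the salt stops dictionary attacks on small value spaces."""
    return hashlib.sha256(_canonical([salt, name, value])).hexdigest()


def issue_credential(claims: dict, issuer_key: bytes):
    """Issuer side: commit to every claim and sign only the sorted digest list.

    Returns (credential, disclosures). The holder keeps the disclosures (salt + value
    per claim) privately; the credential itself contains no plaintext claims.
    HMAC is a stand-in for a real issuer signature (assumption of this example).
    """
    disclosures = {name: (secrets.token_hex(16), value) for name, value in claims.items()}
    digests = sorted(_claim_digest(salt, name, value) for name, (salt, value) in disclosures.items())
    credential = {
        "issuer": "demo-issuer",
        "digests": digests,
        "sig": hmac.new(issuer_key, _canonical(digests), hashlib.sha256).hexdigest(),
    }
    return credential, disclosures


def present(credential: dict, disclosures: dict, reveal: set) -> dict:
    """Holder side: build a presentation that discloses only the requested claims."""
    missing = reveal - set(disclosures)
    if missing:
        raise KeyError(f"credential does not carry claims: {sorted(missing)}")
    return {
        "credential": credential,
        "disclosed": {name: disclosures[name] for name in reveal},
    }


def verify(presentation: dict, issuer_key: bytes) -> dict:
    """Verifier side: check the issuer signature, then bind each disclosed claim to a digest.

    Returns the verified claims; raises ValueError on a bad signature or a disclosed
    claim that the issuer never committed to (e.g. a tampered value).
    """
    cred = presentation["credential"]
    expected = hmac.new(issuer_key, _canonical(cred["digests"]), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, cred["sig"]):
        raise ValueError("issuer signature check failed")
    known = set(cred["digests"])
    verified = {}
    for name, (salt, value) in presentation["disclosed"].items():
        if _claim_digest(salt, name, value) not in known:
            raise ValueError(f"disclosed claim {name!r} is not covered by the credential")
        verified[name] = value
    return verified


def is_valid(presentation: dict, issuer_key: bytes) -> bool:
    """Convenience wrapper: True if the presentation verifies, False otherwise."""
    try:
        verify(presentation, issuer_key)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    cred, disc = issue_credential(SAMPLE_CLAIMS, ISSUER_KEY)
    # An age-gated service needs only over_18; name and date of birth stay with the holder.
    pres = present(cred, disc, {"over_18"})
    print("verified claims:", verify(pres, ISSUER_KEY))
    print("birth date leaked?", "1990-04-12" in json.dumps(pres))
```

Two points worth noticing: the relying party still receives whatever the holder chooses to disclose, so minimization is the holder's decision rather than a property the verifier can be forced into, and the sorted digest list still reveals how many claims the credential carries, which production schemes address with padding or decoy digests.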

Light enough to enable the reader to develop a good picture of the span of the privacy technology landscape in a relatively short timeframe and an easy-to-read format, “Privacy by Design and Default: A Primer” allows the reader to learn about many of the major technological developments in the privacy discipline. It would be a great complement for those thinking of studying toward their CDPSE credential.