Over the last decade, data became a new currency for organizations trying to get ahead and gain a competitive advantage. Data is the driving force behind industrial behemoths like Amazon, Netflix, Tesla, and others. However, with these recent developments, how do organizations balance the need for data to become more profitable and the right to privacy? In that context, multiple questions come to mind to which there is yet a distinctive answer despite multiple and growing attempts by regulators (EU’s General Data Protection Regulation – GDPR, Canada’s Personal Information Protection and Electronic Documents Act – PIPEDA, etc.) to introduce and enforce more rules for personal data breaches. Moreover, as consumers, we now expect seamless digital services and online experience, while at the same time expect our personal data to be protected and often times not used against us in a covert manner to up-sell, cross-sell, or be shared with affiliates. While compelling, the question becomes whether this is a realistic expectation in 2020. 

Improving data security or more specifically, private data security, relies mostly on two strategies. First and foremost would be improving the organization’s security posture, such as reducing cyber-attack exposed surfaces, improving employee’s literacy on cyber awareness and phishing, and collecting only the minimal required Personal Identifiable Information (PII) from customers. The second pillar to that strategy, and arguably the more complicated one, relies on improving data management techniques. Growing awareness to privacy concerns and loss prevention of customer’s private data is relatively recent. PIPEDA in Canada was passed in 2000, and came into effect in 2004. GDPR in the European Union, arguably a more complete, enforceable and coherent framework, was passed in 2016 and came into effect in 2018. GDPR kick started an avalanche of organizations looking to overhaul their data management practices to protect themselves against the hefty fines set by GDPR. 

Organizations have been storing and collecting data, including private data, about customer’s behaviours long before privacy laws came into effect or gained meaningful enforcement mechanisms. For long periods of time data (including PII data) was neglected and not protected by many organizations, which in turn, now find it very complicated to untangle that history of neglect. Improving data management requires enhancements to: 

• Metadata Management – To distinguish sensitive data from non-sensitive data;
• Data Cataloguing – To properly identify and classify systems and repositories that collect and/or store data;
• Data Governance – To ensure issues are being remediated when found in IT Architecture; and
• Principles – To introduce data masking, row level security, encryption of data repositories.

Before the introduction of GDPR, these were unpopular activities with undefined return-on-investment, high complexity, lack of quick and tangible wins and mostly no apparent business case. Since GDPR introduced heavy fines on a per-row (customer) basis, many companies started to implement risk mitigation strategies to improve their legacy systems data management practices. It is important to remember that data monetization is not the opposite of data security. On the contrary, many leading businesses that introduce modern data security postures such as privacy-by-design, open-by-default-closed-by-exception are leaders in monetizing their data. 

Privacy by Design 

In this complex electronic business environment, a “check the box” compliance model leads to a false sense of security. That is why a risk-based approach to identifying digital vulnerabilities and closing privacy gaps becomes a necessity. Once you have done the work to proactively ensure that your controls are implemented and your information is secure, having the privacy practices verified against a global privacy standard can take the organization’s privacy and security posture to the next level. Privacy by Design means building privacy into the design, operation, and management of a given system, business process, or design specification; it is based on adherence with the 7 Foundational Principles of Privacy by Design: 

Proactive not reactive—preventative not remedial. Anticipate, identify, and prevent invasive events before they happen; this means taking action before the fact, not afterward; 

Lead with privacy as the default setting. Ensure personal data is automatically protected in all IT systems or business practices, with no added action required by any individual; 

Embed privacy into design. Privacy measures should not be add-ons, but fully integrated components of the system; 

Retain full functionality (positive-sum, not zero-sum). Employs a “win-win” approach to all legitimate system design goals; that is, both privacy and security are important, and no unnecessary trade-offs need to be made to achieve both; 

Ensure end-to-end security. Data lifecycle security means all data should be securely retained as needed and destroyed when no longer needed; 

Maintain visibility and transparency—keep it open. Assure stakeholders that business practices and technologies are operating according to objectives and subject to independent verification; 

Respect user privacy—keep it user-centric. Keep things user-centric; individual privacy interests must be supported by strong privacy defaults, appropriate notice, and user-friendly options. Dr. Ann Cavoukian, Executive Director of the Privacy and Big Data Institute at Ryerson University, Three-term Information and Privacy Commissioner of Ontario is concisely summarizing the topic: 

“Protecting privacy while meeting the regulatory requirements for data protection around the world is becoming an increasingly challenging task. Taking a comprehensive, properly implemented risk-based approach where globally defined risks are anticipated and countermeasures are built into systems and operations, by design can be far more effective, and more likely to respond to the broad range of requirements in multiple jurisdictions.”