Management, compliance & auditing

Data protection Pandora’s Box: Get privacy right the first time, or else

April 22, 2022 by Ralph O'Brien

“Once something is known, it cannot be unknown.” This truism is similar to a data protection concept; once damage or distress is done to an individual, it cannot be undone. It is important to get it right the first time; there are no “do-overs.” It is the metaphorical Pandora’s box. Once opened, it cannot be closed.

Businesses often look at privacy as a cost rather than a benefit, seeing it as something that “stops” data processing rather than adding value to it. Privacy professionals are often introduced to projects late or post-implementation, reducing their capability to introduce meaningful controls and improve projects. 

It’s harder to make changes to a system, solution or process that is already implemented, purchased or in operation than to contribute to something during the design and requirements stage. It is better to be “in on the ground floor” with any new projects.

Privacy professional considerations

To be a successful privacy professional, you have to be a “people person” and educate the organization that data protection is a positive force. Doing so will help businesses understand the importance of working with privacy professionals earlier and more effectively. 

If you’re a privacy professional, you’ll need to ask yourself some questions about your personality. Are you a “no” person? Do people avoid you so you won’t cancel or slow down their projects? Do you look at data protection principles as a value add to good data management or a legal challenge to success? It is worth a little soul searching and reflection on the image you have created for your colleagues and the cultural perception of data protection. 

Common sense privacy principles 

I often use the analogy of a car and consider data protection as the brakes — you can view them as a necessary evil, stopping the car and denying its purpose of transit, or you can look at them as something that allows you to travel fast in safety; without good brakes, there is no way to operate at speed. 

You could view basic data protection principles as just external legal requirements. Or, in contrast, you could ask, “What sort of organization doesn’t want to operate transparently, with accurate information, holding it securely and deleting it when no longer needed? What business doesn’t want to efficiently capture and minimize data to be effective?”  

Data protection principles offer good, common-sense approaches to information and records management.

Privacy by design

Privacy by design is a field of work that places the individual at the heart of the organization’s design process. It brings value to the design process by ensuring data protection controls are added to systems and process requirements as early as possible.

Privacy design principles, separate from data protection principles, were first designed by Ann Cavoukian, the Privacy Commissioner of Ontario, in the 90s. These principles encapsulate privacy by design:

Privacy design principles

  • Proactive not reactive; preventive not remedial: Get in early; it’s harder to change existing and implemented systems.
  • Privacy as the default setting: If the individual does nothing, privacy is protected, things start closed and have to be opened
  • Privacy embedded into design: Design features and functionality using the privacy principles during the design of new products, services and processes.
  • Full functionality – positive-sum, not zero-sum: Understand that it is not privacy vs. functionality. This is a false dichotomy. Both are possible as a “win-win.”
  • End-to-end security — full lifecycle protection: Ensure data is protected from collection through to disposal.
  • Visibility and transparency — keep it open: Make sure data processing is transparent and the whole lifecycle is documented.
  • User-centric: Put the individuals’ needs and rights at the heart of what you do. Put the human first.

Privacy design principles coupled with data protection principles such as transparency, data minimization, purpose limitation, collection limitation, security, accuracy and solutions that automate individuals’ rights into self-service processes can be powerful tools to design solutions for individuals.

Keeping these principles in mind and educating your staff, IT, engineers and project managers can be a valuable way of embedding and implementing solutions that benefit individuals and society.

Want to learn more about privacy? Check out my privacy courses on Infosec Skills.

 

Posted: April 22, 2022
Author
Ralph O'Brien
View Profile

Ralph is a trusted advisor on global privacy and security compliance, practices and management. His experience includes strategic GDPR adoption programs, advisory services and assurance delivery in global multinational environments. He has worked in various industry sectors, including defense, public sector, pharma and financial services, representing multinational corporations and boutique specialist consultancies. He continues to be a hands-on practitioner, combining business-level consultancy with training and technical experience. He was responsible for the first global joint 27001/25999 management system to be certified. With a focus on business processes, information protection, and an ethos of management assurance, risk management and knowledge transfer, he ensures effective protection of assets appropriate to the client's business needs.

Leave a Reply

Your email address will not be published.