Data protection Pandora's Box: Get privacy right the first time, or else
"Once something is known, it cannot be unknown." This truism is similar to a data protection concept; once damage or distress is done to an individual, it cannot be undone. It is important to get it right the first time; there are no "do-overs." It is the metaphorical Pandora's box. Once opened, it cannot be closed.
Businesses often look at privacy as a cost rather than a benefit, seeing it as something that "stops" data processing rather than adding value to it. Privacy professionals are often introduced to projects late or post-implementation, reducing their capability to introduce meaningful controls and improve projects.
It's harder to make changes to a system, solution or process that is already implemented, purchased or in operation than to contribute to something during the design and requirements stage. It is better to be "in on the ground floor" with any new projects.
Get your free course catalog
Privacy professional considerations
To be a successful privacy professional, you have to be a "people person" and educate the organization that data protection is a positive force. Doing so will help businesses understand the importance of working with privacy professionals earlier and more effectively.
If you're a privacy professional, you'll need to ask yourself some questions about your personality. Are you a "no" person? Do people avoid you so you won't cancel or slow down their projects? Do you look at data protection principles as a value add to good data management or a legal challenge to success? It is worth a little soul searching and reflection on the image you have created for your colleagues and the cultural perception of data protection.
Common sense privacy principles
I often use the analogy of a car and consider data protection as the brakes — you can view them as a necessary evil, stopping the car and denying its purpose of transit, or you can look at them as something that allows you to travel fast in safety; without good brakes, there is no way to operate at speed.
You could view basic data protection principles as just external legal requirements. Or, in contrast, you could ask, "What sort of organization doesn't want to operate transparently, with accurate information, holding it securely and deleting it when no longer needed? What business doesn't want to efficiently capture and minimize data to be effective?"
Data protection principles offer good, common-sense approaches to information and records management.
Privacy by design
Privacy by design is a field of work that places the individual at the heart of the organization's design process. It brings value to the design process by ensuring data protection controls are added to systems and process requirements as early as possible.
Privacy design principles, separate from data protection principles, were first designed by Ann Cavoukian, the Privacy Commissioner of Ontario, in the 90s. These principles encapsulate privacy by design:
Privacy design principles
- Proactive not reactive; preventive not remedial: Get in early; it's harder to change existing and implemented systems.
- Privacy as the default setting: If the individual does nothing, privacy is protected, things start closed and have to be opened
- Privacy embedded into design: Design features and functionality using the privacy principles during the design of new products, services and processes.
- Full functionality – positive-sum, not zero-sum: Understand that it is not privacy vs. functionality. This is a false dichotomy. Both are possible as a "win-win."
- End-to-end security — full lifecycle protection: Ensure data is protected from collection through to disposal.
- Visibility and transparency — keep it open: Make sure data processing is transparent and the whole lifecycle is documented.
- User-centric: Put the individuals' needs and rights at the heart of what you do. Put the human first.
Privacy design principles coupled with data protection principles such as transparency, data minimization, purpose limitation, collection limitation, security, accuracy and solutions that automate individuals' rights into self-service processes can be powerful tools to design solutions for individuals.
Keeping these principles in mind and educating your staff, IT, engineers and project managers can be a valuable way of embedding and implementing solutions that benefit individuals and society.
Want to learn more about privacy? Check out my privacy courses on Infosec Skills.
- Expert instruction
- Hands-on labs
- Unlimited access
In this Series
- Data protection Pandora's Box: Get privacy right the first time, or else
- Is AI cybersecurity in your policies?
- The top security architect interview questions you need to know
- Federal privacy and cybersecurity enforcement — an overview
- U.S. privacy and cybersecurity laws — an overview
- Common misperceptions about PCI DSS: Let’s dispel a few myths
- How PCI DSS acts as an (informal) insurance policy
- Keeping your team fresh: How to prevent employee burnout
- How foundations of U.S. law apply to information security
- Privacy dos and don'ts: Privacy policies and the right to transparency
- Starr McFarland talks privacy: 5 things to know about the new, online IAPP CIPT learning path
- Data protection vs. data privacy: What’s the difference?
- NIST 800-171: 6 things you need to know about this new learning path
- Working as a data privacy consultant: Cleaning up other people’s mess
- 6 ways that U.S. and EU data privacy laws differ
- Navigating local data privacy standards in a global world
- Building your FedRAMP certification and compliance team
- SOC 3 compliance: Everything your organization needs to know
- SOC 2 compliance: Everything your organization needs to know
- SOC 1 compliance: Everything your organization needs to know
- Overview: Understanding SOC compliance: SOC 1 vs. SOC 2 vs. SOC 3
- How to comply with FCPA regulation – 5 Tips
- ISO 27001 framework: What it is and how to comply
- Why data classification is important for security
- Threat Modeling 101: Getting started with application security threat modeling [2021 update]
- VLAN network segmentation and security- chapter five [updated 2021]
- CCPA vs CalOPPA: Which one applies to you and how to ensure data security compliance
- IT auditing and controls – planning the IT audit [updated 2021]
- Finding security defects early in the SDLC with STRIDE threat modeling [updated 2021]
- Cyber threat analysis [updated 2021]
- Rapid threat model prototyping: Introduction and overview
- Commercial off-the-shelf IoT system solutions: A risk assessment
- A school district's guide for Education Law §2-d compliance
- IT auditing and controls: A look at application controls [updated 2021]
- 6 key elements of a threat model
- Top threat modeling frameworks: STRIDE, OWASP Top 10, MITRE ATT&CK framework and more
- Average IT manager salary in 2021
- Security vs. usability: Pros and cons of risk-based authentication
- Threat modeling: Technical walkthrough and tutorial
- Comparing endpoint security: EPP vs. EDR vs. XDR
- Role and purpose of threat modeling in software development
- 5 changes the CPRA makes to the CCPA that you need to know
- 6 benefits of cyber threat modeling
- What is threat modeling?
- First Safe Harbor, then Privacy Shield: What EU-US data-sharing agreement is next?
- How to make cybersecurity budget cuts without sacrificing security
- How to mitigate security risk in international business environments
- Security theatrics or strategy? Optimizing security budget efficiency and effectiveness
- NY SHIELD Act: Security awareness and training requirements for New York businesses
- Time to update your cybersecurity policy?
- Ultimate guide to international data protection and privacy laws
Management, compliance & auditing
Management, compliance & auditing
The top security architect interview questions you need to know
Management, compliance & auditing
Management, compliance & auditing