“Privacy by Design” is quickly becoming the standard for organizations small and large around the world, and its widespread adoption couldn’t come at a better time. In the last few years, concern for privacy has reached an all-time high, with 90% of people worried about how their data is shared or used.
So, we recently invited Dr. Ann Cavoukian, author of the Privacy by Design framework and one of the world’s leading privacy experts, to enlighten Zebra Nation about the intersection of cybersecurity and individual privacy in terms of corporate and government responsibility. The conversation, moderated by one of the world’s top Chief Information Security Officers (CISOs) and best-selling cybersecurity guide author Todd Fitzgerald, was so beneficial I decided to share key excerpts with you.
So, if you’re looking for the latest guidance on how to secure your organization’s sensitive data, protect the interests of all stakeholders, and build trust in your brand, be sure to read all the way to the end:
Todd: First off, why is privacy so important?
Ann: People need to be able to preserve control over their personal information.
Todd: Ann, is that why you created the Privacy by Design framework?
Ann: Right after I graduated from college, I was invited to work at the Attorney General’s Office in Ontario on a one-year contract. The entire purpose of my role was to introduce the lawyers to the concept of privacy and convince them of its value. Obviously, privacy law is very important to rectify data breaches and privacy infractions. But privacy law is only invoked after the harm has already been done. I explained to them that I wanted to change the paradigm – that instead of leaning into a remedy model, I wanted to create a model of prevention. Wouldn’t that be better?!
So, I sat down at my kitchen table and, over three nights, created the Privacy by Design model.
Todd: Was it well-received by the lawyers when you first presented it?
Ann: It took a while for them to buy in. I had to prove to them that it doesn’t detract from the law but rather enhances the law by offering a means to proactively introduce privacy-protective measures into an organization’s operations. Privacy by Design essentially bakes privacy into the code so people can’t forget about it or overlook it. As soon as they understood that fact, they saw Privacy by Design as a way to reduce the number of privacy-related incidents, which means the law could remain focused on the more serious things that cannot be prevented. And not long after I introduced this concept, I was appointed Privacy Commissioner, which was very unusual since those roles are typically only filled by lawyers and I was a law psychologist.
Todd: And, after that, Privacy by Design just took off, right?
Ann: Yes, it was voted in unanimously as an international standard in 2010 by the National Assembly of Privacy Commissioners and Data Protection Authorities. It has been translated into over 40 languages. And the essence of it was included in GDPR, which was a milestone for subsequent new laws – such as the one Brazil introduced in 2021. But what’s great is that GDPR didn’t just leverage privacy by design as a “guide.” It made privacy the default setting, which is actually the second – and arguably most important – principle of privacy by design.
By making privacy the default setting in every part of an operation, people don’t have to request that their privacy be protected by the organizations with which they share their data. It’s automatically embedded in every operational procedure, policy and practice. People love that because it grows loyalty and trust.
Todd: You mentioned “privacy as the default setting” as one Privacy by Design principle. What are the other principles?
Ann: There are seven principles in total…
1. Be proactive, not reactive. Ideally, let’s prevent the privacy harms from arising.
2. Privacy as the default setting, which we already discussed. Bake it into all that you do so that it can’t be forgotten or overlooked.
3. Embed privacy into design. This just means you bake it into the code – you make it an essential component – so that it can’t be forgotten.
4. Full functionality. You must abandon zero-sum mindsets. It can’t be privacy versus security or privacy versus data utility. It’s never privacy that wins in those conversations – nor should it. But it shouldn’t always lose, either. So, I always recommend a positive-sum model, which enables you to have privacy, security, data utility and even marketing!
5. End-to-end security. Some people think that so long as you have privacy policies in place you can forget about security. But that’s not true. In this day and age – with phishing and hacking attacks – if you don’t have a solid foundation of security from end to end with full lifecycle protection, you aren’t going to have any privacy. So, please, start with a solid foundation of security.
6. Visibility and transparency. You have to keep the data open to the data subjects to whom it relates. I always tell government and private sector organizations, “You may have custody and control of someone’s data, but it doesn’t belong to you – it belongs to them.” So, please, give them a right of access to their data. Companies have told me they love this because customers monitor – and proactively update – data that they’ve given permission for those companies to use. So, it maintains the quality of their data.
7. Respect for user privacy. If you keep it user-centric, focused on the user, all of this will fall out and flow from your focus on the user.
Todd: That seems so simple.
Ann: It is, and it has really withstood the test of time since it was first introduced in 1997. What’s interesting is that many people tell me there is a greater need for it now more than ever before because of the massive surveillance taking place and data brokers just grabbing people’s information when these seven Privacy by Design principles aren’t embraced. And some companies tell me they’ve gained a competitive advantage because they have the trust of their customers, which is huge considering how it is waning. Not only have they restored trust in a way that preserves their existing customers, but they said it attracts new customers. So, it’s a very positive move.
Todd: What do you say to people who believe privacy is dead?
Ann: It’s funny you ask because inevitably, someone will reach out to me on Twitter every day telling me to give up my efforts to protect privacy – that “privacy is dead” – and I always tell them that privacy is not even close to dead. It forms the foundation of our freedom. If you want to live in free and open societies, you have to have a solid foundation of privacy where individuals can have some control over the use and disclosure of their data. So, privacy will never be dead.
Now, the odds of securing that data have gone down with the massive growth of data brokers. It is absolutely becoming more difficult to protect our privacy. But that doesn’t mean we give up. We must work even harder to preserve it.
Todd: As we look at different generations, with respect to privacy, do you see variances in how privacy is valued?
Ann: Gen Zers are more concerned about privacy, which is interesting given that it’s waning with millennials. But I believe Gen Zers are witnessing how the loss of control over their data – their loss of privacy – affects their life. They are constantly being intruded upon, and they don’t want that. So, they are more actively fighting for privacy. That’s why I encourage companies – especially startups – to start with a good privacy base to give customers control over their data.
Todd: Do you see any organizations resist your recommendations?
Ann: Well, let me just say this: I know I’m the least popular speaker at marketing events because of the perceived challenges that privacy poses to marketing-related data collection and usage. But I’m not trying to make their jobs harder. I’m trying to protect the work they’re doing by simply advocating for transparency about data usage, security, and privacy policies.
Todd: And, like you said, privacy and security always go hand in hand, right?
Ann: Yes. This goes back to the fourth principle: it can’t be privacy versus security. There is no such thing as privacy if you don’t have data security. Likewise, privacy is never a substitute for security.
Todd: One of the biggest mistakes I see organizations make when it comes to data and device security is not using all the tools available to them. Would you agree it’s the same with privacy?
Ann: I truly believe that, in the beginning, companies mean well when it comes to privacy. They get consent and then use the data for the primary purpose and there’s no problem. But unless companies have a data map to track what happens to the data after that primary use, they can run into problems. So, that’s why I always tell them to create a data map to understand how other departments may be attempting to use the data – to identify those secondary use cases that could get them in trouble if they fall outside the scope of the data subject’s consent. It’s one of the simplest tools to avert class action lawsuits that cost millions of dollars and shut down companies.
In other words, I absolutely agree there are many tools out there that should be used more consistently.
Todd: What are some of the privacy-enhancing technologies that organizations should be using?
Ann: I always point to encryption first – especially end-to-end encryption – because it’s amazing! If only you and the data subject have the encryption key, you can communicate securely and privately online. I’m not saying it’s impossible to break the encryption, but it’s very difficult.
The second tool or technique to consider is synthetic data. I know many government agencies and private sector organizations like to strip out personal identifiers because then they can use the data without the risk of violating the subjects’ privacy. The problem is that de-identification is becoming harder to do with the emergence of new technologies that make re-identification even easier. So, what synthetic data does is replace all the real-world data collected from people with artificially created data that retains the essence of the real-world data – and retains the data’s value – for organizations trying to understand market trends or uncover behavior patterns.
Todd: Do you think some organizations are playing the odds today and hoping that their current processes, policies and systems – or their current data collection and usage habits – are sufficient to avoid privacy violations even though they know deep down they aren’t?
Ann: Yes, but only because they don’t understand the value privacy brings to their business. I’m invited to meet with a lot of C-level executives and boards, and when I first walk in, they are not happy to see me. But after 10 minutes of me talking about privacy as part of a positive-sum model and how privacy builds customer trust and loyalty, they change their tune and are eager to learn more about the specific actions they can take immediately.
Todd: How does the increased use of artificial intelligence (AI), machine learning and facial recognition impact privacy?
Ann: It creates an even greater need for privacy engineering. You must always look under the hood to understand what these technologies are doing and then place controls accordingly, otherwise surveillance could run amuck. The increased use of these technologies also places a greater emphasis on what the Germans coined “informational self-determination,” which simply means that the individual must be able to determine the fate of their information. This could easily go out the window with AI if you aren’t constantly auditing what that AI is doing. You can’t just give people’s data away because it’s an AI using it versus a person.
Now, I’m a big fan of tech and believe it gives us tremendous capabilities we wouldn’t otherwise have. But we must always keep it under examination and know what it’s doing.
Todd: I was speaking at a conference recently in Rome, and the last presenter was a futurist who was talking about where things are going. And when he got to the “state of AI” portion of his presentation, he talked about how AI can still struggle to distinguish between pictures of blueberry muffins and dogs. It was fascinating because we may assume AI is more mature than it really is when it comes to such distinctions. So, it had me questioning whether we can really trust AI to protect privacy or whether we’re going to find ourselves making decisions based on a barking muffin.
Ann: That’s too funny. But what that says to me is that, in the coding of the AI, we must have someone who knows privacy involved in the drafting to embed those principles in the AI.
Todd: So, how do we influence an organization to take on this role of privacy and put more investment into it than just saying “let’s check these boxes”?
Ann: Tell them to call me. I’m happy to show them how privacy can be a win-win for their organization and for their customers. We have to bring the benefits – the direct returns – to their attention. I’m happy to talk to them about how privacy is essential to creativity and productivity. Just look at Steve Jobs. He was a strong advocate for privacy because people have to be able to engage in innovative, out-there thinking freely without worrying about others constantly watching over them or criticizing what they’re doing. Even within our households, we need a certain level of privacy and freedom. Otherwise, people will constantly be looking over their shoulder, afraid that something they say or do will become a point of contention with others even if it shouldn’t be.
Todd: What do you think about device security today? If organizations are using all the security tools available to them, can we achieve total security and privacy protection? Or is there something else they should be doing?
Ann: We live online, so security is absolutely critical to preserve that privacy. I’m not a CISO, so I’m going to answer this in the context of privacy. If you want to give people the option to opt-in, to give their privacy away, that’s fine. But they shouldn’t have to opt out. They should have to say “yes, you can use my information” versus “no, you can’t use my information.” So, if you want to protect people’s privacy as an organization, which you should for many reasons, then do make sure you’re leveraging every available device security measure offered. If you aren’t, then you are potentially putting privacy at risk because data privacy is dependent on data security. If a device is hacked and information is accessed, privacy goes out the window because bad actors can take that information and use it in any way they want.
Todd: Do you think more organizations should outsource technology solution management for the sake of data/device and cybersecurity?
Ann: I think it’s very important to have strong in-house teams focused on both privacy and security, but they must speak with one another and work together for reasons I’ve already explained. That said, I do think it’s critical to leverage outside experts as well to supplement the expertise and resources of in-house teams. They can help ensure the organization is using all available security and privacy tools.
Todd: Is there anything that organizations often get wrong when integrating privacy into their workflows?
Ann: Yes. They forget that they cannot use collected data for anything other than the primary purpose to which the data owner agreed. The consent is very specific. The data subject did not give the organization carte blanche permission. If an organization wants to use it for a secondary purpose, it must go back to the subject for secondary use consent.
Todd: What are the fundamental cybersecurity practices that you believe every organization should embrace? Or perhaps bad habits they should break?
Ann: I’m such a fan of encryption because its strength can’t be overstated when it comes to security and privacy. It is also flexible in the sense that it can be deployed from department to department as needed. I do urge companies to be careful using certain technologies for security, though – especially facial recognition. One-to-one facial recognition technology works beautifully, and accuracy is high. But one-to-many facial recognition can be a nightmare due to the lack of accuracy and high rate of false positives.
Todd: Why do you believe organizations are not using the security tools inherent in today’s hardware and software platforms?
Ann: They may not have them built into their operational processes, which is so essential. If the security tools are embedded into processes, it’s hard for them to go unused. People don’t have to remember to use them. Many departments may also believe the security team is already thinking about and implementing all potential security measures across their functions. But that’s not necessarily true. It’s the responsibility of all employees to question whether security tools are already embedded or whether they need to personally invoke some measures when working on projects.
Todd: What's the best way for a company to assess its current security strength and identify vulnerabilities? And is there even a single best way?
Ann: It depends on the nature of the organization and whether there is a dedicated security department or not. But, either way, I always recommend hiring an independent security consultant to come in and look at your operations. They are not committed to doing things the way you do them today, so they may be able to find areas for improvement that you would otherwise miss or fail to prioritize. The cost is not that great, and the return is significant.
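Two of the points made in the conversation above, privacy as the default setting (opt-in, never implied) and purpose-bound consent that forbids secondary use without fresh permission, expressed as a small consent ledger with a data map. This is an added example, not code from the interview or from the Privacy by Design framework itself; the subject ids, departments and purposes are hypothetical and constructed here.

```python
"""Purpose-bound consent ledger: privacy as the default setting.

Added example (not from the interview). It enforces opt-in by default
(no consent record means no use is permitted) and purpose limitation
(use only for the purpose consented to; secondary purposes need fresh
consent). Each decision is appended to a data map so that secondary-use
attempts by other departments are visible for audit. All ids, departments
and purposes below are hypothetical and constructed for this example.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone


@dataclass
class ConsentLedger:
    # subject_id -> purposes the subject has explicitly opted in to
    consents: dict[str, set[str]] = field(default_factory=dict)
    # data map: one record per access decision (who asked, why, outcome)
    data_map: list[dict] = field(default_factory=list)

    def record_consent(self, subject_id: str, purpose: str) -> None:
        """Explicit opt-in for one named purpose; consent is never implied."""
        self.consents.setdefault(subject_id, set()).add(purpose)

    def withdraw_consent(self, subject_id: str, purpose: str) -> None:
        """Subjects keep control: a withdrawn purpose is denied from now on."""
        self.consents.get(subject_id, set()).discard(purpose)

    def may_use(self, subject_id: str, purpose: str, department: str) -> bool:
        """Privacy as the default: deny unless this exact purpose was consented to."""
        allowed = purpose in self.consents.get(subject_id, set())
        self.data_map.append({
            "ts": datetime.now(timezone.utc).isoformat(),
            "subject": subject_id,
            "department": department,
            "purpose": purpose,
            "allowed": allowed,
        })
        return allowed

    def secondary_use_attempts(self) -> list[dict]:
        """Denied decisions: the secondary uses that would need new consent."""
        return [r for r in self.data_map if not r["allowed"]]


def demo() -> tuple[bool, bool, bool, int]:
    """Constructed scenario: a customer consents only to order fulfilment."""
    ledger = ConsentLedger()
    ledger.record_consent("cust-001", "order_fulfilment")
    primary = ledger.may_use("cust-001", "order_fulfilment", "logistics")
    secondary = ledger.may_use("cust-001", "marketing_profiling", "marketing")
    no_record = ledger.may_use("cust-999", "order_fulfilment", "logistics")
    return primary, secondary, no_record, len(ledger.secondary_use_attempts())


if __name__ == "__main__":
    print(demo())  # (True, False, False, 2)
```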
If you would like to hear (and learn) more from Todd and Ann, tune in to the CISO Stories podcast here.
About Our Experts:
Dr. Ann Cavoukian
Dr. Ann Cavoukian served an unprecedented three terms as the Information & Privacy Commissioner of Ontario, Canada. There she created Privacy by Design (PbD), a framework that seeks to proactively embed privacy into the design specifications of information technologies, networked infrastructure and business practices, thereby achieving the strongest protection possible. In 2010, International Privacy Regulators unanimously passed a Resolution recognizing Privacy by Design as an International Standard. Since then, PbD has been translated into 40 languages! In 2018, PbD was included in a sweeping new law in the EU: the General Data Protection Regulation.
Dr. Cavoukian is now the Executive Director of the Global Privacy & Security by Design Centre. She is also a Senior Fellow of the Ted Rogers Leadership Centre at Ryerson University, and a Faculty Fellow of the Center for Law, Science & Innovation at the Sandra Day O’Connor College of Law at Arizona State University. You can connect with Ann on LinkedIn.
Todd Fitzgerald promotes cybersecurity leadership collaboration and serves as the Vice President, Cybersecurity Strategy, Cybersecurity Collaborative. He also hosts the CISO Stories Weekly Podcast. Todd authored four books, including the #1 best-selling (2019–2021) and 2020 CANON Cybersecurity Hall of Fame winner CISO COMPASS: Navigating Cybersecurity Leadership Challenges with Insights from Pioneers and the ground-breaking CISO Leadership: Essential Principles for Success.
He was named 2016–17 Chicago CISO of the Year and ranked as a Top 50 IS Executive. Todd’s multi-industry global/Fortune 500 company CISO/senior IT leadership positions include Northern Trust, Grant Thornton International Ltd, ManpowerGroup, WellPoint (Anthem) Blue Cross Blue Shield/National Government Services, Zeneca/Syngenta, IMS Health and American Airlines. You can connect with Todd on LinkedIn.