Privacy by Design, Simplified!

Privacy by design, like security by design, is an essential part of the software development process and a risk-reduction strategy for software engineers. Beyond software engineering, privacy by design has many facets, including emerging technologies and Industry 4.0 ecosystems, administrative elements (legal, policy, procedural), other organizational controls, and the contexts in which systems inter-operate. It evolved from early efforts to express fair information practice principles directly in the design, build and operation of information and communications technologies. Those efforts reached into application and database systems, practices and processes so that privacy is present from the very beginning of a new initiative, and extended to the broader systems and processes in which privacy-enhancing technologies (PETs) are embedded and operated by default.

Broadly, the idea behind Privacy by Design (PbD) is to encourage business entities to become aware of, adopt and implement strategic, technical and organizational measures, and to establish controls at the earliest possible stage: when organizational priorities and project objectives are set, and then throughout design and operational planning. Users' personal data must be handled securely, and privacy treated as a fundamental tenet of the business value proposition. PbD proposes that for every consumer-facing business, data privacy should be part of the user's digital journey: designing secure and private experiences increases brand trust, improves the product's user experience and builds stronger relationships with the user audience. It is a powerful narrative that continues to evolve alongside regulation and public debate.

"While privacy by design has made significant progress in legal, technological and conceptual development, it is still far from unfolding its full potential for the protection of the fundamental rights of individuals. The following sections of this opinion provide an overview of relevant developments and recommend further efforts" - Giovanni Buttarelli, Former European Data Protection Supervisor (EDPS)

Fundamental Principles

Today, many data protection laws contain basic principles for safeguarding the privacy of data subjects. The concrete requirements for data protection and security come from several sources: the data protection regulation itself, the organization's business practices and policies for data protection and information security, security standards, codes of conduct, best practices, and other sector-specific laws and regulations. Together these drive privacy by design and by default, so that the information systems and applications we use fulfil the data protection principles and safeguard the rights of individuals.


For example, when a user installs an application, all settings should by default be configured to the most privacy-friendly option. Changing to a less privacy-friendly configuration, such as exposing location or contact details or sharing data with others, should require a conscious choice by the user after installation. If the user wishes to use such features, he or she must actively change the settings; until then, the user is protected by default.

Additionally, clear and concise information about how the application, or the business entity that owns it, will use the user's personal data is fundamental to protecting user rights. The software must make it easy for users (data subjects) to exercise their rights, such as access, information, rectification, restriction and data portability. The principles of Privacy by Design (PbD) may be applied to all types of personal information, but should be applied with special vigour to sensitive data such as medical and financial information; the strength of privacy measures should be commensurate with the sensitivity of the data. This may be accomplished by practising the following seven foundational principles:

  • Proactive not reactive; preventive not remedial - The approach is characterized by proactive rather than reactive measures. It anticipates and prevents privacy invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it offer remedies for resolving privacy infractions once they have occurred, it aims to prevent them from occurring. In short, Privacy by Design comes before-the-fact, not after.
  • Privacy as the default setting - seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy; it is built into the system, by default. In particular, the default principle rests on these fair information practices:

  1. Purpose Specification. The purpose for which personal data is collected should be specified before or at the time of collection.
  2. Collection Limitation. The collection of personal information should be limited to what is necessary for the specified purposes, and the information should be collected by lawful and fair means.
  3. Use/Retention/Disclosure Limitation. Personal data should not be used, retained or disclosed for anything other than the specified purposes, except with the user's consent or where required by law.

  • Privacy embedded into design - not bolted on as an add-on after the fact. Privacy becomes an essential component of the core functionality being delivered: integral to the system, without diminishing functionality. In practice, each design requirement must describe accurately and comprehensively how the relevant piece of software is to be developed and how its functionality can be implemented and distributed in a manner that protects user data. It is equally important to choose a secure, common methodology for coding and for detecting and removing vulnerabilities from the code while it is being written and tested for the desired functionality.
  • Full functionality – positive-sum, not zero-sum - seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by Design avoids the pretence of false dichotomies, such as privacy vs. security, demonstrating that it is possible to have both.
  • End-to-end security – protection across the entire lifecycle – privacy is embedded into the system before the first element of information is collected and extends securely throughout the entire lifecycle of the data involved, start to finish, end to end.
  • Visibility and transparency – keep it open – offers assurance to all stakeholders that, whatever the business practice or technology involved, it is in fact operating according to the stated promises and objectives, subject to independent verification. All components, sub-processes and operations remain visible and transparent to users and providers alike. Remember: trust, but verify.
  • Respect for user privacy – keep it user-centric – requires technology architects, product managers, developers, testers and operations engineers to keep the interests of the individual uppermost by offering measures such as strong privacy defaults, appropriate notice, and empowering, user-friendly options for configuration and content ownership.
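The default-setting and purpose rules described above can be enforced in code rather than left to policy documents. The following is an added Python example, not code from the original article: a small in-memory store in which every collection call names a declared purpose, fields the purpose does not need are dropped before storage, optional uses start switched off until the user opts in, a purpose can read only its own records, and a sweep deletes records past their purpose's retention period. The purpose names, field lists and retention periods are illustrative assumptions.

```python
"""Purpose-bound personal data store with privacy-protective defaults.

Added illustration, not code from the original article. It enforces in code
the principles described above:
  * purpose specification - each collect() call names a declared purpose;
  * collection limitation - fields the purpose does not need are dropped;
  * privacy as the default - optional uses are off until the user opts in;
  * use/retention limitation - a purpose reads only its own records, and a
    sweep deletes records older than the purpose's retention period.
Purpose names, field lists and retention periods are illustrative assumptions.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class Purpose:
    name: str
    fields: frozenset      # the only personal-data fields this purpose may collect
    retention: timedelta   # how long records collected for it may be kept


# Hypothetical purposes for an order-processing application.
PURPOSES = {
    "order_fulfilment": Purpose("order_fulfilment",
                                frozenset({"name", "shipping_address"}),
                                timedelta(days=90)),
    "marketing": Purpose("marketing", frozenset({"email"}), timedelta(days=365)),
}

# Privacy as the default: optional uses start switched off.
DEFAULT_SETTINGS = {"marketing": False, "share_location": False}


class PurposeViolation(Exception):
    """Raised when a collection or use is not covered by a declared purpose."""


@dataclass
class Record:
    purpose: str
    data: dict
    collected_at: datetime


class PersonalDataStore:
    def __init__(self):
        self.settings = dict(DEFAULT_SETTINGS)
        self._records = []

    def enable_optional_use(self, name):
        """The conscious user action needed to relax a privacy default."""
        if name not in self.settings:
            raise KeyError(name)
        self.settings[name] = True

    def collect(self, purpose, submitted, now):
        """Keep only the fields the declared purpose needs; return what was kept."""
        if purpose not in PURPOSES:
            raise PurposeViolation("undeclared purpose: %s" % purpose)
        if not self.settings.get(purpose, True):
            raise PurposeViolation("user has not opted in to %s" % purpose)
        allowed = PURPOSES[purpose].fields
        kept = {k: v for k, v in submitted.items() if k in allowed}
        self._records.append(Record(purpose, kept, now))
        return kept

    def read(self, purpose):
        """Use limitation: a purpose sees only records collected for it."""
        return [r.data for r in self._records if r.purpose == purpose]

    def retention_sweep(self, now):
        """Delete records past their purpose's retention; return how many."""
        before = len(self._records)
        self._records = [r for r in self._records
                         if now - r.collected_at <= PURPOSES[r.purpose].retention]
        return before - len(self._records)

    def count(self):
        return len(self._records)


if __name__ == "__main__":
    now = datetime(2022, 4, 1, tzinfo=timezone.utc)
    store = PersonalDataStore()
    # "phone" is not needed for fulfilment, so it is never stored.
    print(store.collect("order_fulfilment",
                        {"name": "A. User", "shipping_address": "1 Main St",
                         "phone": "555-0100"}, now))
    store.enable_optional_use("marketing")
    print(store.collect("marketing", {"email": "a@example.com"}, now))
    print(store.retention_sweep(now + timedelta(days=91)), "record(s) expired")
```

The allow-list is checked at the moment of collection, so over-collection cannot happen by accident later, and a purpose that was never declared fails closed. In a real system the retention sweep would run as a scheduled job, and the purpose tag should travel with the data into logs, backups and downstream copies, which this in-memory sketch does not cover.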

Organizations subject to regulation must put in place appropriate technical and organizational measures designed to implement the data protection principles effectively, integrate the necessary safeguards into processing and be able to demonstrate them, so that they meet the regulatory requirements and protect individual rights. The European Union led the way by making this an explicit legal obligation in the GDPR (Article 25, "Data protection by design and by default"), and policymakers in other countries are now drafting laws that define their own data protection regimes.

This new data-conscious paradigm poses a problem for artificial intelligence (AI), which thrives on huge amounts of data and the inferences drawn from them. We must find ways to train machines on significantly smaller data sets while protecting users' privacy and data; that would strike the right balance between digital wellbeing and intelligent automation. Federated learning is an emerging method of training machine learning models so that user data never leaves its location: training takes place in a decentralized manner across a network of nodes or edge devices, and only the resulting model updates are aggregated centrally into a unified model. This differs from traditional centralized machine learning, which requires the data itself to be gathered in one place for training.
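To make the federated learning description concrete, here is an added pure-Python example (not code from the original article) of federated averaging: three clients hold constructed records following y = 3x + 1, each fits a linear model locally for a few gradient steps, and only the two fitted parameters are sent to a server that averages them weighted by record count. The data, learning rate, epoch and round counts are assumptions chosen for the demo, and the same data is also fit centrally so the two results can be compared.

```python
"""Federated averaging (FedAvg) on constructed data, in pure Python.

Added illustration, not code from the original article. Each client keeps
its own records and never transmits them; per round it runs a few gradient
steps on a linear model y = w*x + b and uploads only (w, b). The server
averages the uploaded parameters, weighted by each client's record count.
Data, learning rate, epochs and rounds are assumptions chosen for the demo.
"""


def local_train(params, data, lr, epochs):
    """Full-batch gradient descent on mean squared error, on local data only."""
    w, b = params
    n = len(data)
    for _ in range(epochs):
        gw = gb = 0.0
        for x, y in data:
            err = w * x + b - y
            gw += err * x
            gb += err
        w -= lr * gw / n
        b -= lr * gb / n
    return (w, b)


def fed_avg(updates):
    """Server step: record-count-weighted mean of the clients' parameters."""
    total = sum(n for _, n in updates)
    w = sum(p[0] * n for p, n in updates) / total
    b = sum(p[1] * n for p, n in updates) / total
    return (w, b)


def run_federated(clients, rounds=100, lr=0.1, epochs=5):
    """Train a global model without any client record leaving its client."""
    global_params = (0.0, 0.0)
    for _ in range(rounds):
        updates = []
        for data in clients:
            local = local_train(global_params, data, lr, epochs)  # data stays here
            updates.append((local, len(data)))  # only parameters are uploaded
        global_params = fed_avg(updates)
    return global_params


def centralized_train(clients, rounds=100, lr=0.1, epochs=5):
    """The baseline the text contrasts with: pool every record in one place."""
    pooled = [record for data in clients for record in data]
    return local_train((0.0, 0.0), pooled, lr, rounds * epochs)


def mse(params, data):
    """Mean squared error of a (w, b) model on a list of (x, y) records."""
    w, b = params
    return sum((w * x + b - y) ** 2 for x, y in data) / len(data)


# Constructed records following y = 3x + 1, split unevenly across clients.
CLIENTS = [
    [(x, 3 * x + 1) for x in (-2.0, -1.0, 0.0, 1.0)],
    [(x, 3 * x + 1) for x in (-1.5, 0.5, 2.0)],
    [(x, 3 * x + 1) for x in (0.0, 3.0)],
]

if __name__ == "__main__":
    fed = run_federated(CLIENTS)
    cen = centralized_train(CLIENTS)
    print("federated   w=%.4f b=%.4f" % fed)
    print("centralized w=%.4f b=%.4f" % cen)
```

Both `run_federated(CLIENTS)` and `centralized_train(CLIENTS)` converge to w = 3, b = 1, and nothing but parameter pairs ever enters `updates`. One caveat a practitioner should keep in mind: the parameters or gradients that are shared can still leak information about the training records, so production deployments pair federated learning with additional protections such as secure aggregation or differential privacy rather than relying on data locality alone.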

From the standards perspective, ISO/PC 317, Consumer protection: privacy by design for consumer goods and services, is a project committee that grew out of the work of ISO/COPOLCO, the ISO committee that deals with consumer issues in standardization. Its remit is to develop a standard that not only helps organizations comply with regulations but also generates greater consumer trust at a time when it is needed most, by helping them avoid the potentially devastating data breaches that erode consumers' confidence in the digital world.

Implementation Approach

  • The first step in establishing PbD is to create awareness across all stakeholders and sponsors; this helps garner support and sponsorship at the big table.
  • Identify the privacy and security risks at each level of your system and incorporate relevant measures.
  • Audit your organizational data protection framework for potentially vulnerable access points.
  • Model a framework that protects the organization from privacy attacks.
  • Maintain and manage the PbD framework across all levels, and perform regular audits to check that all parts of your systems, processes and data assets are secure and functioning well.
  • Additionally, actively monitor every kind of user data the organization collects, processes and shares.
  • Charity begins at home: respecting user privacy is the key to a trustworthy relationship. At times this may require remodelling the entire system and incorporating privacy and security measures at each step.
  • Finally, from the user's perspective, empower users with knowledge: tell them exactly what data is being collected and for what purpose, upfront, and give them more control and the choice to opt out if they so desire.

Globally, in most countries PbD is not yet mandated by law; it remains a best practice for managing data privacy, and is often criticized for a lack of practical guidance and the many open questions about its implementation. Regulations there focus on outcomes and effective data protection controls, and offer the PbD principles as recommendations for adoption. In the EU, by contrast, PbD has been a legal obligation since the General Data Protection Regulation (GDPR) became applicable in 2018, and infringement carries heavy fines, a decisive step towards data protection and its enforcement.

In India, the Justice Srikrishna Committee Report on Data Protection commented on incorporating organizational measures broadly described as 'privacy by design'. Following it, the Personal Data Protection Bill, 2019 ("PDP Bill") introduced the concept of a privacy by design policy into Indian data protection legislation for the first time. The PDP Bill was introduced in the Lok Sabha on December 11, 2019 by the Minister of Electronics and Information Technology.

In summary, privacy is a fundamental human right that has become one of the most elusive and least understood topics of the Internet. The time for change is coming, and it is up to us whether that happens willingly or through regulation. Profiling, automated recommendations that feed biased decision-making, and personalised advertising have become part of our day-to-day lives without our knowledge or consent. These trends involve the large-scale collection, categorization and processing of personal and behavioural data, while users expect services to be secure and to safeguard their privacy effectively. Unlike businesses that take data protection seriously and build trust, most social media thrives on data monetization. Strong data protection measures are therefore essential, and a competitive advantage for businesses that value and respect data privacy. Regulators and policymakers are defining the boundaries within which to operate fairly and respect user privacy, and that intent will drive PbD enforcement. The force is getting stronger day by day!

***

Apr 2022. Compilation from various publicly available internet sources, authors views are personal.

#DataPrivacy #Dataprotection #PrivacybyDesign #PET #Infosec #GDPR #Personaldataprotection #Cyberrisks #Softwareengineering


Baishali Nandy

Public Relations, Branding and Corporate Communication | MA International Public Relations and Global Communications Management at Cardiff University

2 years

Great post! It's so important that social media business models and other emerging platforms look at developing algorithms that ensure user data protection and reduce digital footprints. It's great that there are already some emerging social media platforms doing that.

Upendra Harmalkar

Founder at HUSSY & DAKSH SMART SOLUTIONS

2 years

People don't even recognise that they are being manipulated using their own behavioural data. MYn is the way to go...

Harvinder Singh

Chief of Operations (COO)North Sify Technologies

2 years

Absolutely imperative to understand ….it’s ONLY up to us ….the ‘time’ is ripe ….remember the tag line of early days …‘Zara Sochiye’ ??

Deepak Rath

Vice President- Sales

2 years

That's something great...
