
Privacy by Design for Data Protection: Useful or Useless?

Privacy by Design (PbD) is a data privacy and protection concept developed by our friendly Canadian neighbors.

In general, PbD espouses embedding data privacy elements into an organization's technologies and business practices. The goal is to bake privacy into the data life cycle, thereby forgoing the inefficient ad hoc privacy bolt-ons that we're all familiar with. It's great in theory. But is it possible in practice? And if it is possible, is it even feasible?

Maybe…but first, let’s outline some more information about PbD.  As stated on privacybydesign.ca:

Privacy by Design is a concept that was developed by the former Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian, back in the '90s, to address the ever-growing and systemic effects of Information and Communication Technologies, and of large-scale networked data systems.

At the time, the notion of embedding privacy into the design of technology was far less popular – taking a strong regulatory stance was the preferred course of action. Since then, things have changed considerably and the Privacy by Design approach is now enjoying widespread popularity.

Privacy by Design advances the view that the future of privacy cannot be assured solely by compliance with legislation and regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.

Organizations that want to implement Privacy by Design can follow the seven PbD Foundational Principles:

1. Proactive not Reactive; Preventative not Remedial. The PbD approach must be implemented using proactive rather than reactive measures. Properly structured, PbD anticipates and prevents privacy-invasive events before they occur.

2.  Privacy as the Default Setting. Sensitive, personal and other similar data is automatically protected by an organization’s IT system and business practices. To be effective, no action is required on the part of the individual to protect his/her privacy – it is built into the system.

3.  Privacy Embedded Into Design. Privacy is embedded into the design and architecture of IT systems and business practices, rather than bolted on afterward, and so becomes an essential component of the organization. By embedding privacy, it becomes essential to the core functionality being delivered.

4.  Full Functionality – Positive Sum, not Zero Sum. PbD reconciles all of an organization's legitimate data privacy interests and objectives in a positive-sum, win-win manner — not through a zero-sum approach, where unnecessary trade-offs are made. PbD avoids the false dichotomy of privacy versus security, and demonstrates that it is possible to have both without sacrificing the functionality of either.

5.  End-to-End Life Cycle Protection. Because PbD is baked into the environment, its concepts should be integrated into the entire life cycle of the data. Employing end-to-end privacy and data security capabilities reduces the likelihood of breach events or data loss because the data is handled appropriately from cradle to grave: at collection, in use, in storage, in transit and at destruction.

6.  Visibility and Transparency. The component parts and operations of an organization's data protection program remain visible and transparent to both end users and providers. Visibility and transparency are fundamental data privacy concepts; they create accountability and build trust.

7.  Respect for User Privacy. PbD requires architects and operators to respect the interests of the individual by providing strong privacy defaults, adequate notice and consent functions, and empowering, user-friendly options. PbD must be user-centric.

So back to my original question: is PbD even possible? Yes, it is.

However, it can't be implemented with a one-size-fits-all approach, because its reach touches many disparate business functions. It isn't focused only on IT and technical matters, or only on data governance and policy, or only on an organization's infrastructure and physical facilities. Since it applies to each and every one of these areas, separate strategies must be applied to each. And you don't have to engage in rigorous mental gymnastics to appreciate the different approaches needed to properly configure a firewall, draft a privacy policy or put a lock on a data center door.

In fact, PbD's refusal to be pigeonholed into one single aspect of data privacy program governance is exactly why it's valuable. It can be leveraged as a true organization-wide tool that, if used properly, will be tremendously effective at modernizing a company's privacy program. And it's still highly relevant considering how far U.S. businesses are behind the data privacy power curve.

While PbD is possible in practice, what about its feasibility? Does it require an unrealistic expenditure of resources? Will implementing PbD be at odds with other security initiatives? Is PbD overkill if existing compliance programs are already in place? The short answer to all three questions is no: it doesn't have to be.

In business, cash rules. Accordingly, one significant obstacle to creating legitimate privacy programs is the perceived high cost of doing so. It certainly doesn't make sense to spend a bunch of money without a useful return, so what are businesses to do? One insight is that a lot of existing, in-house knowledge and capabilities can be repurposed to align with data privacy initiatives. (IT, HR, legal and other departments probably know more about data privacy than you think.) Harnessing such talent reduces the cost of going to find it outside the company. Also, I wouldn't be doing my job if I didn't take another kick at data breaches. The cost of a data breach can be crazy, especially when compared to what it would have cost to create a privacy program focused on minimizing unauthorized disclosures of data in the first place.

PbD also integrates very nicely with the steps needed to establish a dedicated enterprise privacy program. So, if progress is already being made in creating enterprise privacy practices, PbD can act as a facilitator, not a hindrance. Along those lines, PbD already has a lot of momentum in practice. For example, the FTC has adopted many PbD concepts in the guidance it provides. International data sharing partners are far along in implementing PbD principles to bridge privacy gaps. And the U.S. commercial sector has seen PbD's advantages.

Finally, and what I consider the most relevant point, PbD does not have to constrain business operations or adversely affect information security. There's a long-held tenet in the business world that in order to have a successful privacy campaign, information security must suffer. This is refuted directly by the fourth principle of PbD: privacy and security can co-exist symbiotically. This is something I'll discuss in a future post. So rather than discuss the privacy versus security debate at length, I'll say that the PbD principles are themselves a roadmap leading to the harmonious integration of privacy and security. Perhaps this symbiosis is inevitable because it has to be.

About Joshua Merkel

Josh is Lunarline's Director of Privacy. He is a licensed attorney and holds CIPP and CIPM certifications. In addition to data privacy consulting, Josh acts as a subject matter expert supporting HIPAA compliance assessments, and leads FISMA/NIST efforts for several clients.