Data Privacy, Data Security. Vol. I
Privacy, in general terms, is the right to be free from intrusion and interference. In common language, it is the right to be left alone. In the legal systems of many countries, privacy is one of the fundamental human rights.
In terms of Information Technology, Data Privacy is the field concerned with how personal information is obtained, handled, processed, and used, and with the rights of individuals in respect of their personal information.
The importance of how data is handled, and of what happens to it afterwards, has risen very significantly over the last few decades with the accelerating advancement of Information Technology. As the name indicates, it is a technology concerned with and fuelled by information. It is a technology in which, as never before in the history of humankind, data has become a commodity like wheat, coal, or crude oil. And like any other commodity, it has a value and it has a price.
Some jurisdictions are attempting to curb the nearly unrestrained information greed of the IT-run industries. To protect its citizens’ right to privacy in the increasingly digital reality we live in, the EU introduced in May 2018 a legal framework that sets guidelines for the collection and processing of personal information from individuals who live in the European Union. The General Data Protection Regulation (GDPR) was designed to provide greater protection and rights to individuals, altering the way businesses and organisations handle the information entrusted to them. This takes us to the next point.
Privacy and the software cycle – Privacy by Design (PbD)
Nowadays customers’ privacy is only an afterthought in the Systems Development Life Cycle (SDLC). Systems and applications are developed without the privacy of the end-user in mind. The general approach is to tackle data privacy after the software is shipped into production, fixing issues as they are identified. But it doesn’t have to be like this, and it shouldn’t. A great reference for moving data privacy upstream in the SDLC is Dr. Ann Cavoukian’s principles of Privacy by Design, which advance data protection and privacy in the design phase of a service or application. Merely satisfying statutory requirements with Privacy Policy information pages does little good without creating IT systems that securely store, share, and use personal data.
The seven principles of Privacy by Design are:
1. Proactive approach to prevent a breach rather than to remedy it
It is better to prevent a privacy breach in the first place than to respond to it after it takes place. For this to occur, thinking about privacy – data collection, retention, and use procedures – must be present from the beginning of the app or service development cycle in order to protect user information.
2. Valuing privacy as the default setting
A service or app should only collect the minimum type of user information it needs. This gives you less to protect and, in case of a breach, results in less damage.
In the traditional approach, there is a tendency to over-collect data with the view that some of it might be needed in the future.
3. Privacy embedded into the design
Authentication and encryption must be embedded into the design as much as functional capabilities. This includes testing for exploitable vulnerabilities before the product is released, and it means privacy is implemented at the same time as the functional capabilities.
4. Full functionality – positive-sum, not zero-sum
Privacy by Design favours the ‘win-win’ outcome, seeking to accommodate all legitimate interests and objectives. It is possible to protect privacy and ensure profitability.
5. Full lifecycle protection of the information entrusted – from input to deletion
Thanks to embedding Privacy by Design into the system before the first piece of information is collected, the data is protected at each stage of its lifecycle, through creation, sharing, retention, and finally, its elimination when it is no longer needed.
Encryption and authentication are the best ways to offer full lifecycle protection.
6. Visibility and transparency – keep it open
Communicate with stakeholders in clear and understandable language so they have confidence that the service is operating as promised, in line with stated objectives and subject to independent verification.
7. Taking a user-centric approach
The information belongs to the user, and they can revoke their permission for it to be used at any time.
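As an added illustration (not code from the original article) of how principles 2, 5 and 7 look when built into a system rather than bolted on afterwards: a small Python data store that keeps only the fields a declared purpose needs, and deletes a record as soon as consent is revoked or its retention period lapses. The purposes, field lists and retention periods are assumed values chosen for the example.

```python
"""Privacy-by-Design defaults for a small personal-data store (example)."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Optional, Set

# Principle 2 (privacy as the default): a field is stored only if the
# declared purpose lists it. Values below are assumed for the example.
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "newsletter": {"email"},
    "shipping": {"email", "name", "address"},
}
# Principle 5 (lifecycle): every purpose has a retention limit, after
# which the record is deleted even if the user never revokes consent.
RETENTION: Dict[str, timedelta] = {
    "newsletter": timedelta(days=365),
    "shipping": timedelta(days=90),
}


@dataclass
class Record:
    purpose: str
    data: Dict[str, str]
    created: datetime
    consent_revoked: Optional[datetime] = None


class PrivacyStore:
    def __init__(self) -> None:
        self._records: Dict[str, Record] = {}

    def collect(self, user_id: str, purpose: str, submitted: Dict[str, str],
                now: datetime) -> List[str]:
        """Store only the allowed fields; return the names that were dropped.
        An unknown purpose raises KeyError: nothing is collected by default."""
        allowed = PURPOSE_FIELDS[purpose]
        minimal = {k: v for k, v in submitted.items() if k in allowed}
        self._records[user_id] = Record(purpose, minimal, now)
        return sorted(set(submitted) - allowed)

    def fields(self, user_id: str) -> Set[str]:
        return set(self._records[user_id].data)

    def revoke(self, user_id: str, now: datetime) -> None:
        """Principle 7: the user withdraws permission at any time."""
        self._records[user_id].consent_revoked = now

    def purge(self, now: datetime) -> List[str]:
        """Delete revoked or expired records; return the ids removed."""
        gone = [uid for uid, r in self._records.items()
                if r.consent_revoked is not None
                or now - r.created > RETENTION[r.purpose]]
        for uid in gone:
            del self._records[uid]
        return gone
```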