Preventing Privacy by Design from Becoming a Privilege
Author: Muneeb Imran Shaikh, Privacy & Information Security Consultant
Date Published: 30 November 2022

Privacy is a desire that has remained consistent throughout history across all human societies regardless of culture, religion or ethnicity. It has been an area that has long been professed by religious scriptures and by the human intelligentsia.

However, with societies’ transformation into the digital sphere, we are observing increased privacy risks caused by the overcollection and processing of personal data.

Privacy subject matter experts have long advocated baking privacy into design as a fundamental ingredient rather than adding it to an established product or service afterward. However, organizations still struggle to adequately embed privacy into the design of the products or services they develop.

Baking privacy into the design is much more than integrating privacy into the phases of a systems or software development lifecycle. It is primarily about performing a thorough assessment of the possible privacy violations that can take place and how they can harm individuals’ well-being and social liberty. The real issues creep up when no substantial and objective controls are implemented within a product or service.

While remarkable work has been carried out by various experts in laying down privacy principles to be incorporated into design, the abstract nature of those principles can impair organizations’ ability to adequately build privacy into their products or services. It leaves escape routes for product or service designers to interpret the principles in their own manner and claim to have adequately baked privacy into their services or products.

Amidst the lack of objective criteria, organizations struggle to objectively demonstrate their efforts in baking privacy into the service or product design. This often leads to scenarios where organizations may (fairly or unfairly) suffer the wrath of auditors, or where privacy harms simply continue to occur.

These challenges have been reasonably addressed through the ISO/IEC 27701 Privacy Information Management System standard, which lays down nine controls to be incorporated within the product or service to address privacy by design requirements.

In his paper on privacy design strategies, Jaap-Henk Hoepman laid out eight data-oriented and process-oriented strategies. These strategies are further expanded upon by 26 tactics, enabling service or product designers to add more nuance to privacy by design.

However, to implement these strategies and the underlying tactics, organizations may need to rethink and redesign the architecture around the conventional databases, network domains and user domains through which data traverses the network to enable the service.

In the quest to make personal data not linkable by threat actors with reasonable effort, it becomes necessary to alter the architecture by moving away from centralized service architectures to partially or fully decentralized ones. As we decentralize, the need for computational and human resources to manage the additional service domains increases, which ultimately adds to the overall product or service cost.

Such challenges impair smaller organizations’ ability to commit themselves to privacy by design in their products or services. Additionally, organizations rely on off-the-shelf software whose underlying database and application architecture is a complete black box to them. Therefore, the privacy risks cannot be adequately ascertained or addressed unless those products have been certified against international privacy standards.

Privacy by design begins with a mindset, and it therefore demands commitment and consistency to bake privacy in. Currently, we are collectively standing at a crossroads where the abstract nature of controls and principles creates a cushion for threat actors to circumvent privacy. There is a dire need to add more nuance to privacy controls so that they are verifiable and capable of being objectively assessed. Otherwise, we may enter territory where privacy by design is reduced to a privilege.

About the author: Muneeb Imran Shaikh is an Information Security & Privacy Consultant with expertise in strategy, program development, governance and compliance. Based in the Middle East region, he has worked with clients from the financial, governmental and telecommunication sectors to help them develop and implement cybersecurity and privacy programs in accordance with their regulatory, legal and compliance requirements. He has contributed his knowledge and expertise through various writings, podcasts, policy reviews and conference appearances. For more details, visit http://www.linkedin.com/in/muneebimranshaikh/.