A lot can happen to sensitive customer data in 287 days, the average time it takes from identifying a data breach to containing it. In between, the damage done and costs to cover it all can be astronomical, reaching upwards of $4m on average. And that’s just costs to the business, not the individuals whose privacy was violated.
While cost avoidance may not be the noblest reason to implement proactive data privacy protection, the reality is that expanding digital attack surfaces and increasing privacy regulations worldwide make the case for organizations to adopt privacy by design (PbD) principles very clear.
Privacy by design (PbD) is a data protection concept that emphasizes building the privacy of personal and sensitive information into any product, service, system, or process from the outset.
The practice of privacy by design is shaped by PbD principles, which act as a guide to reimagining everything from business operations to the development of new technology with data privacy at the foundation, instead of as an add-on or afterthought. As a human-centric set of principles, PbD provides a framework for a ‘privacy first’ approach that can be applied throughout an organization and embedded within business practices as well as products.
The concept of privacy by design was introduced by Ann Cavoukian, the former Information and Privacy Commissioner for the Canadian province of Ontario, in the 1990s. According to Ann, there are seven foundational principles of PbD:
It’s important to note that PbD is not a government regulation or industry standard such as PCI-DSS for digital payments. However, the concept is now incorporated within the regulatory understanding of privacy; for example, Article 25 of the GDPR is titled “Data Protection by Design and by Default.” Additionally, there is no specific guide or technical implementation manual for PbD.
Rather, PbD is about making a privacy paradigm shift. With PbD at the foundation, organizations can not only avoid the damage and costs of data privacy breaches (hint: it’s a lot more expensive to re-engineer privacy into a product than to build it in from the get-go) and protect customer and user data, but also stand to gain privacy as a competitive advantage.
Leading brands are racing to address the new privacy landscape, and many are adopting PbD principles as a means to create competitive advantage. Porsche, for example, announced a new privacy strategy aimed at giving customers full transparency and control over data processing inside their vehicles.
There are many high-profile examples of companies taking steps to address privacy needs in the design of their products or services. Apple is well known for its product design approach grounded in privacy by default, collecting only the minimum amount of data necessary to provide users with a product or service, and enabling users to control privacy settings. Apple made headlines when it moved the request for app tracking permission to the front and center of the app download/update workflow.
And even Google recognizes that enabling more privacy is unavoidable, whether due to consumer pressure or regulatory demands, and recently rolled out several new privacy control features.
There are many benefits to adopting PbD for businesses that extend beyond avoiding the risks of taking a reactive, after-the-fact approach. Waiting until an incident occurs to address data privacy means incurring high containment costs and risking class-action lawsuits, brand reputation damage, and loss of customer confidence and trust. On the other hand, bringing privacy into the design of products and processes helps to avoid such risks and offers value-creating benefits, including:
As you evaluate products and business processes for implementing PbD, it’s essential to consider all types of data in the design of privacy protection. While the first things people think of when considering data protection tend to be names and addresses, social insurance numbers, and similar personal information, the truth is visual data contains some of the most fundamental and highly visible parts of an identity, namely faces and bodies.
To start proactively addressing potential privacy issues, assess the life cycle of all business data. That means taking stock of every data source to understand what it contains and why, at every stage from collection and use through to storage and disposal.
Ideas for getting started applying privacy by design in business:
Wherever you begin applying privacy by design principles, it can help to keep in mind a few essentials to include on your implementation checklist:
Paradigm shifts are certainly easier said than done. Privacy by design principles emphasize starting at the beginning of any process, product, or project for the very reason that privacy is meant to be foundational; however, in most cases starting fresh with privacy principles is not an option. Be prepared to address the challenges of incorporating privacy by design by considering, for example:
Increasing privacy regulations worldwide, coupled with more businesses starting to understand the importance of privacy by design to consumers, paint a positive picture for the future of data privacy.
The future of privacy by design is supported by privacy enhancing technologies, or PETs for short. PETs represent a wide range of tools that are intended to make it easier to harness the value of data without compromising privacy and security. In particular, data encryption and anonymization tools serve to enable businesses to realize the value of data without privacy trade-offs.
As a PET, Super.AI offers no-code AI for data redaction. Built on our Unstructured Data Processing (UDP) Platform that combines the best AI models with human-in-the-loop, Super.Redact delivers the highest detection accuracy and near 100% anonymization quality at speed and scale for documents, text, images, and more, enabling you to process and redact private and sensitive information from high-volume data in just a few seconds.