Year-End Learning Carnival: Get Free Courses and Up to 50% off on Career Booster Combos!
D H M S

Privacy by Design

‘Privacy’ might not have been given much attention a few years back, but it is one of the most important concepts in Information security today. With booming social media and mobile applications, personal and professional information is strewn all over the Internet. Making Privacy an integral part of every networked system and technology, organizational policy, design process, and planning operations right from the design stage is the primary aim of the concept of ‘privacy by design’ for any organization.

With most concepts in security being adopted from the design stage, can the concept of “privacy” be far behind? The seven foundational principles of Privacy by design wraps “privacy” into every device, protocol, and policy, thereby making privacy protection robust and strong.

  1. Proactive and not a reactive approach

At the outset, the very first principle of ‘Privacy by design’ states that Privacy should be a proactive approach rather than a reactive one. This proactive approach ensures that privacy risks are curtailed before they happen. As an example, this proactive approach ensures that data breaches are prevented from happening.

In addition, the first principle of PbD does not offer remedial measures if privacy breaches take place. This ensures that privacy practices are well thought out and designed accordingly, minimizing the risks. This indicates that:

  1. There is a strong commitment from the higher authorities to comply with the proactive privacy approach
  2. All stakeholders and user communities demonstrate a privacy commitment
  3. Poor privacy designs are anticipated, and they are rectified before beginning the proactive PbD approach
  1. Privacy as the Default setting

‘Data’ is supposed to be the new ‘oil,’ and it is surely keeping the Internet and many multinational organizations running. However, the Internet is running on many an innocent user’s data. In many cases, privacy and security settings are at their lowest level, and they have to be tweaked accordingly.

The second principle of PbD states that Privacy should be set to the maximum level in a default setting. This ensures that an individual’s personal data is safely guarded, and utmost Privacy is maintained even when the user does not tweak their privacy settings.

The Privacy by default’ setting falls in line with principles of FIPs or Fair Information practices, which include:

  1. The user should be intimated about the purpose behind the collection and storing of data
  2. Data should only be collected if there is a necessity to collect it
  3. Collection of personally identifying information should be kept to a minimum
  4. Personal information should only be used for purposes that are stated and should only be retained for the stated period of time and destroyed after that
  5. If the use of personal information stated is not clear, default privacy settings will apply
  1. Privacy must be embedded in the design

The third principle of PbD states that Privacy must be embedded into every technology, architecture, and operation of a system. The Privacy should never be an after-thought and should be adopted by every aspect of the system in the design phase by following fair information practices.

It should also be embedded in the design phase of a system by following the various standards and frameworks in a holistic, creative, and integrative way and be reviewed by external reviews and audits.

In addition, privacy risk assessments should be carried out, and these should list all the privacy risks and the measures taken to mitigate them.

  1. Privacy should be a positive-sum approach and not a zero-sum approach

The fourth principle of PbD states that when embedding Privacy into the design phase of a system, we have to ensure that we accommodate all the legitimate objectives of a system. This is known as the “positive-sum” approach, which is the exact opposite of the “zero-sum approach.”

In a positive-sum approach, all legitimate non-privacy objectives are also embraced, and none of the other business objectives are shelved. It enables full functionality of all business goals, unlike a “zero-sum” approach where business trade-offs are made.

In a positive-sum approach, both security and privacy objectives are met, and one is not favored over the other.

  1. End to end full lifecycle data protection

The fifth principle of PbD states that personal data that is collected from various users should be given maximum protection from the stage when the data is acquired to the time when it is deleted. Privacy of data must be maintained from the cradle to the grave of data. This is the full lifecycle protection of stored data ensuring maximum privacy.

  1. Visibility and transparency

Considering that Privacy is a sensitive matter, the sixth principle of PbD states that any business should function according to the rules and regulations stated and must be open to scrutiny by users and providers. This visibility, openness, and transparency establish accountability and trust among users.

It is important to trust the functioning of an open system, but it should be verified as and when needed.

This is how visibility and transparency map to FIPs:

The data collection process should be kept open and transparent to all stakeholders. All privacy policies and regulations should be documented before dealing with data collection from individuals. This should also be communicated to other third party vendors who deal with user’s personal data.

  1. Keep privacy user-centric

The last principle of PbD states that the user’s interests must be at the center of any privacy architecture and design.

By keeping the default settings of Privacy to the highest level and protecting the user is one way of keeping Privacy centered on the user. The user must be empowered with knowledge about their data and how it will be used and managed.

They will also have the power to access their data as and when needed and be able to challenge it over its completeness and accuracy.

These are the seven principles of ‘Privacy by design’ that seeks to bolster Privacy for individuals.

For more of InfoSec Train’s certificationsand webinars, do visit us at this link. https://www.infosectrain.com/

AUTHOR
Jayanthi Manikandan ( )
Cyber Security Analyst
Jayanthi Manikandan has a Master’s degree in Information systems with a specialization in Information Assurance from Walsh college, Detroit, MI. She is passionate about Information security and has been writing about it for the past 6 years. She is currently ‘Security researcher at InfoSec train.
Your Guide to ISO IEC 42001
TOP
whatsapp