08 January 2020

SECURITY GYAN Bytes : January 2020 : 08th January 2020

Dear Tech Leader,
A very Happy New Year 2020 to you and your family. We are starting the new
year with our Security Gyan Bytes, and today we are going to discuss a very
important topic: privacy.

Privacy by Design (PbD)
We live in the data economy now; most digital innovations revolve around
using data better in order to make more informed decisions. Essentially, data
is the key to more revenue and new products, and it fuels better customer
service. The big tech successes that you see around you, such as Facebook, Uber,
Airbnb and a million other apps, are in the market because of their unique
ability to process data.

Since the GDPR, privacy laws around the world have started to gain attention.
India's Personal Data Protection Bill has also been cleared by the cabinet and
is expected to become law. All these laws revolve around the protection of
data: as companies collect data to run their businesses, it becomes their
responsibility to protect it. If the data is leaked or falls into the wrong
hands, it not only affects the company's bottom line but can also harm the
person whose data was collected. To quote one example, British Airways was
notified by the UK Information Commissioner's Office of an intended fine of
£183.39 million after it failed to protect its customers' payment card details.

In this article I'd like to share one of the core tenets of privacy laws, Privacy by
Design (PbD); under the GDPR (Article 25, "data protection by design and by
default") organizations are required to comply with it. Like security, privacy
must be addressed adequately by the organization, and PbD provides a good
foundation stone.
Privacy by Design (PbD) is a framework developed by Ann Cavoukian, the former
Information and Privacy Commissioner for the Canadian province of Ontario. The
framework helps an organization address privacy requirements throughout the
systems engineering process. Whether it is product development, software
development, IT systems design or mobile app development, organizations can use
this framework to establish a good privacy foundation.

The 7 Foundational Principles of Privacy by Design are presented below (in the
order used in this article, which differs slightly from Cavoukian's original
numbering):
1. Privacy as the Default setting
2. Proactive, not Reactive; Preventative not Remedial
3. Privacy Embedded into Design
4. Respect for User Privacy -Keep it user-centric
5. Visibility and Transparency
6. Full Functionality – Positive-Sum, not Zero-Sum
7. End-to-End Security – Full Lifecycle Protection

Below I’ll quickly summarize the 7 principles:
1. Privacy as the Default Setting
This principle keeps the end user's lack of expertise in mind; it stresses that
the end user of your product or offering shouldn't be bothered with selecting
the appropriate settings to protect his or her privacy. The solution should
protect users' privacy automatically, by default. Privacy protection should be
the default setting, and no user action should be required to obtain it.

2. Proactive, not Reactive; Preventative not Remedial
As Dr. Stephen Covey said in The 7 Habits of Highly Effective People, begin with
the end in mind. That's the crux of this principle. Privacy should be Job Zero,
like security: think about privacy before you start any new project or process.
Think about what privacy issues could arise, brainstorm with your team, and
identify problems before they occur rather than providing fixes later on when
they show up.

3. Privacy Embedded into Design
Privacy measures must be embedded into the design and architecture of IT
systems and business practices; they should not be bolted on later. Privacy
controls should be baked into the overall design of the system rather than
treated as additional controls added afterwards.

4. Respect for User Privacy -Keep it user-centric
Keep the user's privacy interests as the top priority. While designing their
solutions, organizations must ensure that they address the privacy concerns of
end users. This can be demonstrated in many ways, such as an easily
understandable privacy notice instead of complex legal jargon, or not having
pre-checked boxes for marketing emails.

5. Visibility and Transparency
"Trust, but verify" is the crux of this principle. It states that organizations
collecting data must be transparent with data subjects about their processes:
why the data is being collected, who will have access to it, and in which
location it will be processed. They must also be auditable, so that it can be
verified that the data is only being used for the stated purposes.

6. Full Functionality – Positive-Sum, not Zero-Sum
Privacy shouldn't be treated as a trade-off against security or functionality.
It is a mistake to assume that increasing the privacy of your project, product
or offering must lower its security or functionality. Rather, this principle
says you can have privacy along with security and full functionality, without
diminishing any of them.

7. End-to-End Security – Full Lifecycle Protection
Security should be considered throughout the lifecycle of the data. Privacy by
Design, having been embedded into the system before the first element of
information is collected, extends securely throughout the entire lifecycle of
the data involved; strong security measures are essential to privacy, from start
to finish. The organization should draw data flow diagrams, identify where
the data resides and which systems it passes through, and apply the required
security controls at each step (for example encryption at rest and in transit,
access control, pseudonymisation for secondary uses, and deletion at the end of
the retention period) to ensure that the data is adequately protected.
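To make principle 1 (privacy as the default), principle 5 (purpose limitation and auditability) and principle 7 (protection across the data lifecycle) concrete, here is an added Python example. It is an illustration written for this Gyan Byte, not code from the article, from Toluna or from Cavoukian's framework; the field names, the 90-day retention period, the purpose names and the pseudonymisation key are assumptions chosen for the example, and the sample records are constructed, not real people.

```python
"""Privacy-by-default user record with lifecycle controls.

Added illustration for this Gyan Byte, not Toluna's or the author's code.
Field names, the 90-day retention period and the pseudonymisation key are
assumptions chosen for the example.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Tuple

# Assumed retention period for raw personal data; a real system sets one per purpose.
RETENTION = timedelta(days=90)

# Assumed secret for keyed pseudonymisation. In production it comes from a
# secrets manager and is rotated; it is hard-coded here only so the example runs.
PSEUDONYM_KEY = b"example-key-do-not-use-in-production"


@dataclass
class UserRecord:
    """Personal data with privacy-protective defaults (principle 1): nothing
    beyond delivering the service happens unless the user opts in."""
    email: str
    collected_at: datetime
    marketing_opt_in: bool = False          # no pre-checked marketing box
    profiling_opt_in: bool = False
    share_with_partners: bool = False
    purposes: Tuple[str, ...] = ("service-delivery",)  # declared at collection


def allowed(rec: UserRecord, purpose: str) -> bool:
    """Purpose limitation (principle 5): a use not declared at collection is
    refused unless the user has explicitly opted in to it."""
    if purpose in rec.purposes:
        return True
    opt_ins = {
        "marketing": rec.marketing_opt_in,
        "profiling": rec.profiling_opt_in,
        "partner-sharing": rec.share_with_partners,
    }
    return opt_ins.get(purpose, False)


def pseudonymise(identifier: str) -> str:
    """Keyed hash (HMAC-SHA256) of an identifier. Downstream systems can count
    and join on it, but cannot recover the e-mail address without the key."""
    canonical = identifier.strip().lower().encode("utf-8")
    return hmac.new(PSEUDONYM_KEY, canonical, hashlib.sha256).hexdigest()


def analytics_view(rec: UserRecord) -> Dict[str, object]:
    """Data minimisation at a flow boundary (principle 7): the analytics
    pipeline receives a pseudonym and flags, never the raw e-mail address."""
    return {"user": pseudonymise(rec.email), "profiling": rec.profiling_opt_in}


def enforce_retention(records: List[UserRecord], now: datetime) -> List[UserRecord]:
    """End of lifecycle (principle 7): raw records older than RETENTION are
    dropped rather than kept indefinitely."""
    return [r for r in records if now - r.collected_at <= RETENTION]


# Constructed sample data for the example (not real people).
NOW = datetime(2020, 1, 8, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    UserRecord("Alice@Example.com", NOW - timedelta(days=10)),
    UserRecord("bob@example.com", NOW - timedelta(days=100), marketing_opt_in=True),
]

if __name__ == "__main__":
    for rec in SAMPLE_RECORDS:
        print(rec.email, "marketing allowed:", allowed(rec, "marketing"))
        print("  analytics sees:", analytics_view(rec))
    kept = enforce_retention(SAMPLE_RECORDS, NOW)
    print("after retention enforcement:", [r.email for r in kept])
```

The design choice worth noting is that every privacy decision is enforced in code at a data-flow boundary rather than left to a policy document: the defaults are in the record type, each purpose is checked before use, the analytics consumer is handed a pseudonym rather than the identifier, and retention is enforced by a function that can be scheduled and audited. In a real system the key would be managed and rotated outside the code, and each purpose and retention period would be recorded in the data inventory that principle 7's data flow diagram produces.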

[The views expressed by me in this article are entirely my own and should in no
way be construed as the views of my organization.]
This Gyan-Byte is contributed by Vikas Arora. He is
currently the Vice President – Global IT & Security
of Toluna. He has more than 23 years of work
experience in the IT industry and is passionate
about cybersecurity. He also works as a virtual
CISO for various organizations and speaks at
various national and international forums.
Twitter: @techievicky