Happy Data Protection Day! It's time for privacy-ready solutions!

Tiina Ilus

General Counsel

Greetings to all our partners and friends all over the world on the international Data Protection Day 2022! Every year, Data Protection Day, as a global awareness-raising initiative, brings privacy and data protection issues into focus, and we at Cybernetica are proud to celebrate privacy as one of the cornerstones of our products and business.

Privacy as a complex and many-faceted concept is sometimes perceived as something controversial or hard to attain. Here’s a short take on why we at Cybernetica believe that well thought through solutions can take away a lot of that pain and help build trust in a digital society.

Keeping privacy rights in focus

Considering the scope and depth of the digital transformation that is ongoing in many corners of the world, the standards for protecting individual privacy should be set high. Future-proof data technologies, particularly federated digital services, must be built as **privacy-ready** as possible. Cybernetica’s experience over the last couple of years has provided convincing evidence that our solutions that support compliance with different requirements of GDPR (and other privacy regulations) not only create credibility for service providers, but also enable efficiency and open new business opportunities.

There are many possibilities for creating systems which give more control to individuals - be it providing easy and secure means for managing their consent for data processing, sharing only a limited set of credentials instead of a pile of documents, or being able to track the usage of personal data.

What makes the exercise of making privacy-ready systems challenging is that the notion of privacy may mean many different things to people, and it depends on various factors like our habits, the technology we use (the data that we think is anonymous today may not be so tomorrow!) and the specific situations we find ourselves in. What once was perceived as a right to be left alone in the physical sense has evolved into a complex patchwork of requirements on data handling in the digital domain.

In order to navigate this complexity, we suggest a few simple principles to help design technical solutions that are not only privacy-friendly, but flexibly enable organisations to enhance privacy in their business and other processes.

Building blocks of designing privacy-ready solutions

First, define the context for privacy. Privacy is rooted in actual circumstances; it cannot be determined in general abstract terms.

Each technical implementation requires customisation to local jurisdiction and relevant business domains. Moreover, there are always certain actors and business processes involved when using personal information in a professional or commercial context. Any business use case is typically defined by the following questions:

  1. Why is personal data used and what for?
  2. Which data specifically is needed to complete the intended tasks?
  3. Who needs to be involved in processing the data in order to achieve the desired result?

Note that the same questions also come up in architecture design analysis, security analysis, legal analysis and data protection impact assessments – business analysis determines the quality of other types of analysis in the later stages of developing solutions for the business use case. It thus makes sense to dedicate enough time and resources to provide clear answers to these three questions.

Second, know your data. Privacy is boosted by data efficiency.

The better you manage your data, the more specifically you can design and engineer privacy. It helps you respect the privacy rights of people and is good for business at the same time – data that is cleaned and structured can be more easily adapted for different business use cases. It is reasonable to spend your resources only on the data that you actually need. It is also useful to be able to manage that data easily – for example, the same tools that help keep data up to date can also be used to ensure people’s data protection rights (e.g. when a person notifies you of any outdated information you have on them and requests that it be corrected).

When focusing on data efficiency in information systems this way, one actually already applies the statutory principle of “privacy by design” and privacy protection measures like purpose limitation, data minimisation and quality. Isn’t that a nice win-win?

Third, ensure security. Privacy relies on security and not vice versa.

In trust-based relationships, the whole business can be lost upon breach of privacy or security. Underestimating the privacy impact of fancy new technologies has sometimes backfired. Businesses and governments that can convincingly demonstrate that they have proper security measures in place are more likely to gain the trust of people.

At the same time, having a very secure information system still does not guarantee that it is also a very private one. This is where security measures aimed at increasing transparency have a role to play. In a way, digital society has its advantages over paper-based administration. It is difficult to control who has had access to some paper files, but keeping logs or using other kinds of access tracking in secure interoperability systems can be a great tool for building trust. It is no coincidence that such logging and access tracking also help to fulfil people’s right to information about their data.

More of privacy, please!

Over the last couple of years, it has been very interesting to see how privacy regulations are evolving in different parts of the world. This regulatory pressure is, in a way, signalling that privacy is more and more on the minds of people and on the agendas of legislators. It also tells us that privacy-ready solutions are becoming an integral part of any digital society, or of societies on the verge of digital transformation.