Four years ago, data privacy was a known but little talked-about concept. The GDPR radically changed that. Since the European law was passed, we’ve seen privacy protection catapulted to the top of the business agenda and the bar for responsible data use raised by one new global directive after another. But the journey isn’t over yet.
From a consumer perspective, companies are still not going far enough to safeguard privacy: 85% wish they could trust them more with their personal data. Meanwhile, organisations face the double challenge of deciding how to ensure data approaches earn consumer approval now and align with the next change on the horizon.
It’s clear that dedication to following data regulation is strong, but in the age of hyper data sensitivity, focusing purely on the necessities isn’t enough. The motivation for building privacy into every system, process and practice shouldn’t just be about complying with the rules; it should also be driven by a desire to uphold the highest data management standards, provide quality service, and maintain trust.
Privacy by design needs to become the business default and achieving this will mean considering several core factors.
Complete our SAP x Data Natives CDO Club survey now, and help us to help you
Understanding privacy by design
Before organisations can master the privacy by design method, they need to appreciate its history. The idea isn’t new or specific to the GDPR; it dates back to the 1990s when Dr. Ann Cavoukian, then Information and Privacy Commissioner of Ontario, Canada, created a concept based on proactively protecting consumer rights.
Founded on seven principles, the emphasis was on making data security simpler by embedding privacy defences into all IT systems and business processes, without hindering functionality. Consumers wouldn’t have to take action, and nor would companies, because measures were already in place to secure information at each stage of the data lifecycle.
Now, default privacy is a core requirement of data law; particularly the GDPR. But returning to its original definition offers a valuable starting point for optimising data security. Privacy by design isn’t about ripping out and replacing tools or limiting their usefulness; it’s about setting up procedures that enable systems to efficiently and automatically protect data, as part of their normal function.
A unified view of data privacy
To ensure privacy protection is seamlessly threaded into every aspect of business operations companies must start by gaining a complete view of their current data management picture. The first step in this process is bringing all key stakeholders together — from legal, security IT and engineering to product and marketing teams — to evaluate how they are working with sensitive data.
The main focus should be on considering company-wide needs and what exactly is involved in meeting them. For example, that might mean pinning down what kind of data is needed for different functions, and then assessing the practicalities of using and keeping that data: where will it be stored and how long for? What are the associated risks and costs? What value does specific data bring to the organisation?
With this comprehensive overview, companies will be in a better position to identify where privacy by design measures can be improved. Assessment, for instance, may reveal some of the data that organisations ingest isn’t actually being utilised, indicating that the existing level of data collection can be reduced. Or companies might find that certain information is only used for a few days or weeks after collection, meaning storage timeframes can be shortened.
Additionally, this unified approach to assessment has multiple long-term benefits. Not only are all data use issues and requirements known from the start — minimising the potential need for future adjustment and disruption — but everyone also begins on the same page. With the entire organisation aligned, it should be easier and faster to apply a privacy first approach and mentality, across the board.
Choosing the right storage solution
Once companies know what data is truly necessary, the next priority is exploring the finer details of how it should be stored. Here, businesses need to follow the privacy by design principle of balancing protection and function: data handling must be safe enough to consistently shield privacy, but not render information entirely inaccessible. Aside from impeding system operation and transparency, this can make it hard to meet regulatory stipulations; such as complying with access requests.
The techniques companies can leverage to achieve the right mix generally come down to four choices:
- Select authorisation: this option seeks to limit risk by granting data access for specific individuals. As well as being straightforward to implement, the approach guarantees data availability for key people and purposes. But as a laxer form of security, it’s also unlikely to adhere with strict legislation across Europe and beyond.
- Data encryption: focused on obfuscating data to guard against any unauthorised access, encryption takes many forms. For example, data can be encrypted at different points in line with when risk is greatest; during storage, transmission, or access — even if permitted. It can also be continuously encrypted across its lifecycle. Offering a higher level of security, the main downside is longer processing to convert and extract information.
- Masked storage: as the name implies, this method is about changing the appearance of data; generally replacing attributes such as numerals while retaining format and length. In doing so, it masks personally identifying elements, but preserves data value. Again, decisions about how and when to apply masking can be made in line with whether companies want to protect certain areas or all data processes.
- Tokenised insights: much like masking, the premise of tokenisation is swapping sensitive data elements for non-sensitive equivalents, or tokens. The key difference is that full use of these tokens is exclusive to a secure tokenisation system. Tokens can’t be mapped back to data unless companies or approved individuals have access to the original tokenisation tool. Broadly speaking, this is one of the more robust methods and also comes with the additional benefit of flexibility, where data fields can be turned into tokens and back.
Privacy by design can be good for business
The driving motivation behind privacy by design was never to stop data use; it was intended to ensure data could continue to be applied by companies to deliver quality services, products and marketing, while keeping data safe. By providing a foundation for ethical data management, privacy by design has given companies a blueprint for running systems smoothly and securely, that also limits strain on consumers; offering them default control without having to jump through numerous hoops.
Taking firmer hold of data is challenging amid the constant influx of new standards and laws. But with more than eight in ten (83%) of consumers concerned about data privacy globally, it’s in the best interests of every business to prioritise data protection.
Businesses that make privacy by design a cornerstone of their core operations and technology, thereby demonstrating their commitment to protecting consumer rights can place themselves ahead of the curve. If it’s good for the consumer, then it’s also good for business.