Privacy by Design

By Tony Marshall

Intelligent PbD strategies can future-proof brands for compliance as new legislation comes down the track, and they also teach important lessons in how to build trust. Consider Amazon One Click, which was way, way in front of the market: for some customers it may have been switched on for 15+ years, having launched back in 1997. That highlights the benefits of trust gained early in the relationship and shows that PbD is certainly not a new concept or a fad. It is here to stay, so read on to learn more.

What is Privacy by Design?

Privacy by Design (PbD) is an approach that should be taken when developing products, services, business practices and physical infrastructure, to ensure that the privacy of the individuals who will be impacted is considered at the very start of the process.

PbD Applied – best practice in action

As a business, if you want to implement a new system or start using AI (for example), you need to ensure that any data it processes is secure. You should follow the concepts of PbD and make sure you are mitigating risks before the new system or AI goes into use.

For some brands, PbD is a fundamental tenet of their business model. Apple is a classic example of how to ensure privacy choices are considered front and centre, as clearly demonstrated in their latest iOS 14 update video. This is just one example, and in future the processing of any data needs to have PbD baked into it. In the same way that brands such as Patagonia or Finisterre disclose their supply chains, they also transparently explain how data is being used and give customers the right to opt out. This approach is paramount to integrity and to building brand equity.

When you set up an account with Facebook, true PbD would mean that your profile would not be searchable; that no one could message you, comment on, or even see a post you have published. Essentially, you would be anonymous to all other users and vice versa. PbD for Facebook would mean that a new profile existed in its own Facebook world until the account holder changed the settings of their own accord to allow people to see their content and find them via a search.

Why should I bother if Facebook doesn’t?

Of course, this isn’t the case, because the Facebook model is founded on a principle that “connects you with the people around you”. And so they balance the settings so that they are not 100% following PbD, but equally aren’t allowing every person in the world to see someone’s full profile from the minute they set up an account.

You still have a choice. However, legislation is catching up, and you need to consider the risk of not applying PbD to all new projects. Equally importantly, you also need to consider the benefits of PbD.

At vvast, every new project has PbD baked in, so much so that by the time a new project starts, privacy has already been considered. It’s in the business plan and it’s part of the DNA of every new project.

Why is PbD worth baking in from the get-go?

vvast adopts the mindset of ‘relentless R&D’, which is how we ensure best practice, and PbD is at the heart of this ethos. Whilst PbD is templated into new projects, there is a constant drive to ensure that changes in the law or emerging best practice are considered, keeping our protocols and procedures one step ahead so clients remain compliant and at the top of their game.

The benefits to vvast can easily be equated to time saved and, ultimately, cash generated. When PbD is baked into the process, the time saved is immense; vvast never has to unpick a new project to retrofit privacy.

For our clients there are numerous benefits. The YOTI app is a good example of PbD. When using the YOTI app you can prove you are over 18 without sharing any actual data. The age estimation tech instantly deletes the image after the result and is more accurate than humans. Furthermore, the app data is held separately and encrypted, so even if you did manage to hack into it you wouldn’t find anything you could use, just random bits of data.

Transport for London

Transport for London did an equally good job of embedding PbD into their wi-fi data collection project. The entire project had PbD at its core: conducting a pilot, engaging with relevant stakeholders, and hosting market research groups. They liaised with the UK Anonymisation Network and others regarding the pseudonymisation process.
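The page says TfL pseudonymised the wi-fi data but does not describe the method, so the following is an added illustration of what a sound pseudonymisation step for device identifiers looks like, not TfL’s or vvast’s own code. It assumes a keyed hash (HMAC-SHA256) with a secret key that is rotated per collection period and a truncated output; the MAC addresses are constructed sample values.

```python
# Keyed pseudonymisation of wi-fi device identifiers (MAC addresses).
# Added illustration, not TfL's or vvast's own code: the page says TfL
# pseudonymised wi-fi data but gives no method, so HMAC-SHA256 with a
# secret, rotated key and a truncated tag is an assumption made here.
import hmac
import hashlib
import re
import secrets

MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}[:-]){5}[0-9A-Fa-f]{2}$")

# Constructed sample of probe-request MACs, not real captured data.
SAMPLE_MACS = ["00:1A:2B:3C:4D:5E", "00-1a-2b-3c-4d-5e", "not-a-mac"]

def normalise_mac(mac: str) -> bytes:
    """Validate and canonicalise a MAC so 'AA:BB..' and 'aa-bb..' share one pseudonym."""
    if not MAC_RE.match(mac):
        raise ValueError(f"not a MAC address: {mac!r}")
    return bytes.fromhex(mac.replace(":", "").replace("-", ""))

def pseudonymise(mac: str, key: bytes, length: int = 16) -> str:
    """Return a keyed, truncated pseudonym for one device identifier.

    A plain, unkeyed hash of a MAC is not a pseudonym: the MAC space is
    small enough to enumerate, and the vendor prefix narrows it further,
    so a stored hash could be matched back to a device. Keying with a
    secret that the analytics side never receives closes that route;
    truncating the tag keeps the stored value short.
    """
    if len(key) < 32:
        raise ValueError("key must be at least 32 bytes")
    tag = hmac.new(key, normalise_mac(mac), hashlib.sha256).hexdigest()
    return tag[:length]

def new_period_key() -> bytes:
    """Fresh key for a new collection period; the old key is destroyed,
    so pseudonyms from different periods cannot be linked together."""
    return secrets.token_bytes(32)

def pseudonymise_batch(macs, key):
    """Pseudonymise a captured batch, dropping malformed records rather
    than storing them raw (a bad record must never leak the identifier)."""
    out = []
    for m in macs:
        try:
            out.append(pseudonymise(m, key))
        except ValueError:
            continue
    return out
```

Running `pseudonymise_batch(SAMPLE_MACS, new_period_key())` yields two identical pseudonyms for the two spellings of the same address and nothing for the malformed record.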

Before the full go-live, they had temporary billboard posters at the entrance of every station, with permanent posters ready for when the temporary ones came down. They had dedicated webpages letting customers find out more, which published the DPIA and the findings from the pilot.

In a recent discussion regarding how PbD can assist in protecting the data of vulnerable individuals, Tony Sheppard from My Data Protection World stated:

“In the same way we have learnt to cross the road, and take extra special care on busy roads, we also choose to hold the hands of children on the busiest roads.

We can think about the need for safe areas to cross, whether it is a zebra crossing, a pelican crossing, or a lollipop man/lady, but the core is that we know that there are people to be kept safe.”

This is a great way of thinking about how vulnerable individuals’ data may be processed within your new project.

How do you embed PbD?

There are lots of ways you can implement PbD easily and at no additional cost. Cultural implementation is vital: make sure all staff are aware of PbD and shift the mindset so that PbD is considered for every new project. This is a good place to start.

Make sure that all staff take a user-centric approach to all aspects of your business. Adopt a customer-first culture so that everyone thinks about how a user is impacted by a new project, and establish a baseline for privacy. Avoid weighing up privacy against revenue; if revenue impact comes into play, PbD will never succeed. Instead, think about risk versus reward, profit rather than revenue, and long-term gain; in so doing, you’ll be building for the future.

To conclude

Make sure that the full lifecycle is considered and not just the initial implementation. For example, if you plan to use a new system for five years, you must consider the following across the entire five years, not just the initial data upload:

  • How will data input be managed?
  • How secure is your system? Can it be penetrated?
  • Are we compliant?
  • How can we futureproof?
  • What is the impact on your brand equity?

Two final pieces of advice:

  1. Proactively research security and get ahead of breaches by ensuring that applications are updated and that servers are tested for vulnerabilities on a regular basis.
  2. Write easy-to-read and accessible policies and notices for anyone whose data you process, and be completely transparent at all times. If you can’t answer a fair question with a clear and honest response, then don’t do it in the first place.