If one were to chart the most important developments in the business landscape over the last 20 years, top of the list would surely be the growth of consumer data as a precious resource. Never before have companies had access to such powerful stores of business intelligence. Never before have they had such a pressing responsibility to manage that resource carefully. In 2019, data management is very commonly the difference between success and failure. The disastrous consequences of mismanagement can impact the company in question. More importantly, they impact the consumers who trust companies to protect their information.
If a business is serious about succeeding, it is imperative to build a dependable data privacy management operation from the ground up. That starts with defining a robust and comprehensive user data policy.
Let us walk through fundamental principles that should be top of mind for any team drafting such a policy. While some of these points may seem like common sense, too often in recent years common sense has been conspicuously absent in approaches to data management. Stick to these points, and avoid the mistakes of others.
As the final and arguably most crucial principle of Dr. Ann Cavoukian’s “Privacy by Design,” respect for the user is a primary consideration for development teams at all times. Developing a reliable digital product is the sum of countless design micro-decisions, and at every step along the way, “does this respect the user?” is a question that must be answered in the affirmative. If businesses respect the user first, then the other conditions of a sound data policy follow naturally. For instance, transparency and privacy as the default setting will logically follow.
The legal basis for the data captured is a crucial consideration for crafting a coherent data policy. In many parts of the world, the law explicitly requires a legal basis for data collection. Article 5(1) of the GDPR stipulates that personal data must be processed “lawfully, fairly, and in a transparent manner.” The GDPR also sets out six conditions under which the collection of data can be considered lawful.
In Brazil, the LGPD lists ten conditions for the same purpose. For private companies and brands, “legal basis” most often equates directly to “consumer consent.” Any team building data collection and management infrastructure must think proactively about consent as a system feature. Retro-fitting consent onto pre-built systems is a recipe for disaster, and for legions of consumer protection lawyers licking their chops.
There is a temptation for organizations to pay too much attention to their shiny new data collection system. In reality, that is not enough. Organizations need to pay at least as much attention to storage and theft prevention measures. Further down the list of an average marketing manager’s considerations might be the contingency plans for responding to a data breach.
However, technical teams can start prioritizing these concerns in the absence of instruction from non-technical members of the organization. After all, the legal requirements under the GDPR are precise. Article 32(1) mandates “a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing.” Furthermore, Articles 33 and 34 detail the required responses to data breaches, which include notifying both the relevant supervisory authority and the data subject. If an organization does not have processes in place for these measures to be carried out within 72 hours, then it holds liability regardless of whether or not damage results from the breach.
Transparency is a non-technical principle that yields considerable technical implications for any data collection and storage system. As a governing principle, it is essential in helping dev teams make the right decisions at every stage of development. There must be a system for updating data policies and sharing them with data subjects. There must be transparency at every juncture of the collection process. Additionally, there must be processes in place for handling Subject Access Requests (SARs) in a streamlined, efficient manner. The only instance in which the GDPR permits an organization to withhold personal data from a user request is where disclosure is likely to restrict the rights and freedoms of others (Articles 12-15). This is a rare occasion, and it is the exception that proves the rule: withholding a user’s data from them is otherwise forbidden under the GDPR and comparable data policies around the world.
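As an added illustration (not code from the article or from Ethyca), here is a minimal consent ledger in Python that treats legal basis as a system feature at collection time, invalidates consent when the data policy version changes, answers a Subject Access Request from the stored tables, and computes the 72-hour notification deadline. The purpose labels, table layout, subject ids and timestamps are constructed for the example.

```python
from dataclasses import dataclass, asdict
from datetime import datetime, timedelta, timezone

# The six lawful bases of GDPR Article 6(1); these string labels are this example's own.
LAWFUL_BASES = {"consent", "contract", "legal_obligation",
                "vital_interests", "public_task", "legitimate_interests"}
@dataclass(frozen=True)
class ConsentRecord:
    subject_id: str
    purpose: str          # processing purpose, e.g. "marketing_email" (constructed value)
    basis: str            # one of LAWFUL_BASES, documented at collection time
    policy_version: int   # version of the data policy the subject was shown
    active: bool          # False once consent has been withdrawn
    recorded_at: str      # UTC timestamp, ISO 8601

class ConsentLedger:
    def __init__(self, policy_version):
        self.policy_version = policy_version
        self.records = []  # append-only: the history itself is part of what a SAR returns

    def record(self, subject_id, purpose, basis, active=True):
        if basis not in LAWFUL_BASES:
            raise ValueError("no lawful basis named %r" % basis)
        self.records.append(ConsentRecord(subject_id, purpose, basis, self.policy_version,
                                          active, datetime.now(timezone.utc).isoformat()))

    def publish_policy(self, new_version):
        self.policy_version = new_version  # consent given under the old version must be renewed

    def may_process(self, subject_id, purpose):
        """Lawful only with an active, documented basis; consent must match the current policy."""
        latest = next((r for r in reversed(self.records)
                       if r.subject_id == subject_id and r.purpose == purpose), None)
        if latest is None or not latest.active:
            return False
        return latest.basis != "consent" or latest.policy_version == self.policy_version

    def subject_access_request(self, subject_id, tables):
        """Everything held about one subject: rows from every table plus the full consent history."""
        return {
            "subject_id": subject_id,
            "data": {name: [row for row in rows if row.get("subject_id") == subject_id]
                     for name, rows in tables.items()},
            "consent_history": [asdict(r) for r in self.records if r.subject_id == subject_id],
        }

def breach_notification_deadline(detected_at_iso):
    """GDPR Article 33: the supervisory authority must be notified within 72 hours of detection."""
    return (datetime.fromisoformat(detected_at_iso) + timedelta(hours=72)).isoformat()
```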
Published from our Privacy Magazine – To read more, visit privacy.dev