The case for more rigorous cybersecurity and the protection of personally identifiable information is compelling. Consider the following facts:
- The Identity Theft Resource Center found that data breaches have increased 40% from 2015 to 2016, reaching an all-time high of 1,093 in the U.S. alone; and,
- The average cost per breach in 2016 is pegged at $4 million, up 29% from the year prior.
These troubling trends have prompted regulators to bolster data security and privacy legislation to impose stricter obligations on businesses and data controllers.
In the US, regulatory agencies have added more teeth to privacy enforcement actions. This can be seen in the Federal Communications Commission levying a fine of $25 million against AT&T for the unauthorized disclosure of 280,000 customer records.
In the EU, which has a historically high bar for privacy protection, the General Data Protection Regulation (GDPR) further strengthens and expands privacy rights. It spans data anonymization, the right to be forgotten and breach notification, with fines for non-compliance that may be as high as 2% of annual revenues.
Equally, data subjects face daunting challenges in providing informed consent to data processors who are collecting their personal information. A report by the World Economic Forum has found that, on average, data subjects have to invest 250 working hours, or 30 working days each year, just to read privacy notices in order to provide informed consent.
Privacy law attempts to strike a balance between privacy rights, social and economic utility and security interests. Universally accepted privacy principles, based on the OECD Guidelines for the Protection of Privacy, include purpose specification associated with the collection of personally identifiable information, informed consent, limiting use to the specific purposes to which data subjects consented, transparency, data quality, security, auditing and accountability.
The OECD Guidelines have been codified in privacy legislation across the developed world, including the US. The exponential growth in the volume, variety and velocity of electronic data presents challenges for data processors and data subjects. Sophisticated technologies such as machine learning, robotics, big data and IoT may potentially expose consumers to infringement of their privacy rights. They may unwittingly consent to the use of their personal information, or their personal information may be appropriated for nefarious purposes.
Can these vexing problems be solved through the application of technology? Can privacy rights be embedded within these sophisticated applications?
Privacy by Design is one such effort that attempts to embed privacy principles within systems and software. Formulated by the Privacy Commissioner for the Province of Ontario, Privacy by Design encompasses seven foundational principles for embedding privacy within systems and software. Its overarching objective is to make privacy the default condition. This means that application software, by default, minimizes the collection and use of personal information; includes de-identification, biometric encryption for secondary uses of personal information, end-to-end security and destruction of personal information; and provides an intuitive user experience that gives consumers options to exercise control over their personal information.
In an 1890 Harvard Law Review article, the authors coined the phrase “the right to be left alone,” which is the key tenet of privacy law. Today, consumers are subject to unprecedented incursions into their privacy. Privacy by Design can bridge the gap between the social utility of technology and the right to be “left alone.”
About the author: Andrew Pery is a marketing executive with over 25 years of experience in the high technology sector focusing on content management and business process automation. Currently Andrew is CMO of Top Image Systems. Andrew holds a Masters of Law degree with Distinction from Northwestern University and is a Certified Information Privacy Professional (CIPP/C) and a Certified Information Professional (CIP/AIIM).
[Note from JM: All this has me thinking about privacy challenges of managing increasing volumes of data, and particularly compliance challenges looming with the pending new European privacy rules - the GDPR. Andrew and I wrote a new eBook on the topic -- Information Privacy and Data Protection Regulation -- The EU GDPR is Just the Tip of the Iceberg. Check it out.]