A common privacy challenge is the use of COTS (Commercial Off-The-Shelf) solutions; it can be addressed by carrying out data privacy impact assessments. This involves cataloging all the data that will be exchanged with new partners and vendors. Technical controls are then decided upon, and once the product is built, the controls are revisited to confirm they were implemented as intended. Data minimization and monitoring should also be done.
Implementing privacy by design requires collaboration between all the teams in an organization. One can form a data privacy office to carry out such conversations and planning. A shift in the overall culture towards being more privacy oriented is necessary both to comply with regulations and to protect one's reputation.
* COTS Solutions: Commercial Off-The-Shelf Solutions
* Wrappers: Smaller software libraries placed around a component which allow one to filter the kind of data inputs going in, and also to build access restrictions on the data output that is likely to be shared with somebody else.
The use of COTS solutions brings about many privacy challenges, since the due diligence carried out before incorporating them may not cover aspects such as privacy by design. There are three facets to implementing privacy by design in COTS solutions:
- Is this a situation where one needs to deploy contracts to be able to take care of it?
- Can one build wrappers around the COTS that are able to filter and manage data sharing over its connections?
- Can one redo certain parts of the COTS, as required?
One way to combat this issue is by carrying out data privacy impact assessments. In this process, every time one engages with a new partner, supplier, or team, one enumerates all the data that is going to be exchanged during development or over the lifecycle of the product. This data is cataloged, and then technical controls are agreed upon. Towards the end of the development process, one goes back and validates that those technical controls were implemented in the way they were meant to be. While there are challenges with systems that were already designed, one can always begin and then eventually move in the direction where all of this data is identified as part of data privacy impact assessments. Other methods that can be used are data minimization and monitoring.
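As an added illustration of the wrapper idea described above and of the data minimization and monitoring controls that come out of a data privacy impact assessment, the following code is not from the original notes or the speaker; it is example code written for this page. It assumes a hypothetical vendor SDK (`CotsAnalyticsClient`, a constructed stand-in), constructed field names, and a constructed HMAC key. The wrapper applies an allow-list to outbound fields (minimization), pseudonymises an identifier with a keyed hash before it leaves, filters the vendor's response down to the fields callers are entitled to (output restriction), and records what was shared and what was dropped (monitoring).

```python
import hashlib
import hmac
from dataclasses import dataclass


class CotsAnalyticsClient:
    """Constructed stand-in for a vendor SDK (not a real product).
    Echoes what it received plus two fields, one of which must not
    reach our callers."""

    def __init__(self):
        self.last_received = None  # kept so the demo can show what left the boundary

    def submit(self, record: dict) -> dict:
        self.last_received = dict(record)
        return {**record, "risk_score": 0.42, "vendor_debug": "trace-id-123"}


@dataclass(frozen=True)
class DataSharingPolicy:
    """Outcome of the DPIA data catalog: which fields may flow in each direction."""
    allowed_outbound: frozenset   # fields that may be sent to the vendor at all
    pseudonymised: frozenset      # outbound fields sent only as a keyed hash
    allowed_inbound: frozenset    # vendor response fields callers may see


class CotsWrapper:
    """Wrapper around the COTS client that enforces the sharing policy."""

    def __init__(self, client, policy: DataSharingPolicy, hmac_key: bytes):
        self.client = client
        self.policy = policy
        self.hmac_key = hmac_key
        self.audit_log = []  # monitoring: one entry per call, what was sent/dropped

    def _pseudonymise(self, value: str) -> str:
        # Keyed hash: the vendor gets a stable token for joins and analytics
        # but cannot recover the original identifier without our key.
        return hmac.new(self.hmac_key, value.encode(), hashlib.sha256).hexdigest()

    def submit(self, record: dict) -> dict:
        # Data minimization: anything not in the DPIA catalog never leaves.
        dropped = sorted(set(record) - self.policy.allowed_outbound)
        outbound = {k: v for k, v in record.items() if k in self.policy.allowed_outbound}
        for key in list(outbound):
            if key in self.policy.pseudonymised:
                outbound[key] = self._pseudonymise(str(outbound[key]))
        self.audit_log.append({"sent": sorted(outbound), "dropped": dropped})
        response = self.client.submit(outbound)
        # Output restriction: callers only see the fields they are entitled to.
        return {k: v for k, v in response.items() if k in self.policy.allowed_inbound}


# Constructed policy, as it might be agreed during a DPIA for this vendor.
POLICY = DataSharingPolicy(
    allowed_outbound=frozenset({"customer_id", "country", "order_total"}),
    pseudonymised=frozenset({"customer_id"}),
    allowed_inbound=frozenset({"risk_score"}),
)


def demo():
    """Run one call through the wrapper; returns (filtered result, wrapper)."""
    wrapper = CotsWrapper(CotsAnalyticsClient(), POLICY, b"constructed-demo-key")
    # Constructed input record carrying more than the vendor is entitled to.
    record = {
        "customer_id": "C-1001",
        "email": "alice@example.com",
        "ssn": "123-45-6789",
        "country": "DE",
        "order_total": 99.5,
    }
    result = wrapper.submit(record)
    return result, wrapper


if __name__ == "__main__":
    result, wrapper = demo()
    print("returned to caller:", result)
    print("audit entry:", wrapper.audit_log[-1])
    print("vendor actually received:", wrapper.client.last_received)
```

The audit log is what makes the "revisit the controls once the product is built" step checkable: a reviewer can compare the `sent` and `dropped` lists against the DPIA catalog instead of reading vendor traffic.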
More awareness in the tech ecosystem would go a long way, such as understanding the basics of encryption, its different stages, and why and where it is used. A change in mindset and culture is very important to become more privacy and data governance oriented. It is best to assume the worst-case scenarios and prepare to avoid or handle them.
Regulations do pose a challenge to most organizations, especially start-ups. However, it is important to keep in mind that one could lose one's business in multiple regions by failing to comply with the privacy regulations of those regions, not to mention the heavy penalties that come with non-compliance. It is helpful to have a data privacy office with representation from different parts of the organization. Here, everyone can give their point of view and then choose a balanced approach going forward. For pre-existing systems, organizations can implement privacy to an extent and build on it over time. This helps to balance convenience and privacy.
Privacy and security are becoming an interdisciplinary practice in which teams across organizations are involved. New teams are being formed with members from the tech, legal, sales, business, security, and other teams to collaborate on implementing privacy practices. Nowadays, many people are realizing that privacy is important not only for regulatory compliance but also for reputation. With the rise of social media, news of privacy breaches circulates much faster, and hence it is critical to speed up the adoption of privacy guidelines and security best practices.
There is a lot of overlap between security issues and privacy-related issues (for example, a leaked personally identifiable token is a security issue, but it has privacy implications). One way to handle this is to define one set of controls that have security implications and another that have only privacy implications, because the audiences that deal with the solutions to these two kinds of problems may be distinctly different. So, if there is a security issue with privacy implications, one team comes forward; if there is an issue that is purely privacy oriented, another team decides the way forward.