PRIVACY

It is often said that you can have security without privacy, but no privacy without security.

While the internet was designed without security in mind, privacy wasn’t even considered.  It was only a matter of time before internet users, individual and corporate, began to monetize or utilize information harvested from those visiting their sites or figuring in their content.  My own introduction to privacy came in the 1990s, when it dawned on me that the Boy Scout troop address and activity bulletin board posted online could be seen by anyone, not just those in my organization. My, how far things have come since then.

The notion of privacy by design originated in Canada at the dawn of the information age, and now permeates much of our digital interaction. But to say that privacy law is settled would prompt howls of laughter at the next International Association of Privacy Professionals meeting (raucous gatherings of privacy lawyers and data protection officers that rival Wookiee mosh pits). National and state privacy schemes are emerging every year, with basic concepts like informed consent, adequacy and standards dominating conversations, stoking international rivalries and (at this point) guaranteeing full employment for armies of privacy professionals. 

A top resource for privacy law research is the International Association of Privacy Professionals [IAPP.org]. Here you will find information on national privacy regimes, Fair Information Practices, state and federal sectoral laws, and a legislative tracker. The IAPP also offers several certifications in privacy that are becoming more and more desirable as demand for privacy law specialists increases. These include entry-level certifications such as the Certified Information Privacy Professional, and more advanced certifications such as the Fellow of Information Privacy and Privacy Law Specialist.

How Do You Ensure Privacy? (Meet Uncle IRDMO)

There are a number of ways to approach privacy law.

The first approach is almost exclusively compliance-based. “What do we need to do under applicable law?” or, more cynically, “How do we keep the authorities at bay?” This approach is both practical and understandable. Many companies just want to do the right thing, and may not have the resources or the vision to appreciate how to do that most efficiently.

Under capability model theory, which assesses company organizational sophistication, such companies have either an ad hoc or repeatable approach to privacy, but don't approach the higher levels of documentable, measured, or optimized. (The acronym IRDMO typifies capabilities: Initial, Repeatable, Documented, Managed, Optimized.)

Under this compliance-dominated approach, security usually takes center stage. This is to be expected. Security breaches can result in significant liability, or in the compromise of company assets. It is no wonder that many privacy attorneys (including outside counsel, who most often function as privacy and security EMTs) focus on security and data breach response as their primary task, and don't really address the larger issues of privacy by design (which is ultimately optimization).

The second approach is more advanced than the first, with a decided effort to understand why privacy matters rather than just reaching full compliance. Rather than doing, for example, privacy impact assessments because the law requires them, a company will deploy such assets because it appreciates the efficiencies they ultimately inject. A company taking such an approach is moving up the optimization scale towards a documented approach, with those entrusted with data understanding the reasons why privacy is important and using tools that will allow for optimal privacy protection.

The final approach embraces true privacy by design, as set forth by Ann Cavoukian, the Canadian privacy official who first described the concept. Privacy by design approaches optimization and reflects a true "building in" versus "bolting on" of privacy controls. Implementing privacy by design requires a substantial commitment of personnel and resources that ultimately will yield not only a better privacy protection regime for an entity’s data subjects but, most important, a lower ultimate cost for privacy program implementation and compliance. One of the best resources that I've encountered in understanding privacy by design is Strategic Privacy by Design by J. Jason Cronk, published by the IAPP. Summarizing that tome is beyond the scope of this website, but the book is well worth your time (it is well written and a quick read).