Ann Cavoukian is executive director of the Global Privacy and Security by Design Centre and the former three-term information and privacy commissioner of Ontario. Darren Entwistle is president and CEO of Telus Corp.
In our digital world, privacy has become a significant concern for Canadian consumers, businesses and governments. New and emerging technologies are shaping the way we create, store and share electronic information, which in turn is presenting challenges regarding the manner in which our personal data are being used and managed. It is critical to address both the privacy rights of citizens and data utility for businesses – namely the ability of businesses to leverage the data collected – when determining the best way forward.
As news of data breaches and questionable information-handling practices appears in the media all too frequently, consumers are increasingly skeptical about relying on corporations to act in their best interests when it comes to safeguarding their privacy. By way of example, 2019 saw several large breaches affecting millions of Canadians.
Consequently, those organizations that prioritize the privacy of their customers gain a corresponding competitive advantage; by actively protecting the integrity of customer data and supporting consumer privacy, companies not only realize meaningful economic benefits, but also build greater trust and create deeper customer connections.
Perhaps the most effective way to earn a reputation as a trustworthy steward of customer data is to embed the seven foundational principles of Privacy by Design (PbD) into a business. PbD states that relying on an after-the-fact regulatory framework that simply enforces privacy protection after a data breach or privacy infraction has taken place is too little, too late. It establishes a pro-active model of prevention, tasking businesses with enshrining pro-active privacy measures as their default organizational protocol by building them into their policies, procedures, design processes and products. This is achieved by adhering to the foundational principles that make up PbD, all of which are intended to promote a “cradle-to-grave” life-cycle management of information.
One key principle centres on the need for organizations to adopt a preventative approach to privacy, which means literally embedding privacy protection into the design of a service or product and rendering it as an essential component of the core functionality being delivered without diminishing product value. When done correctly, no action is required on the part of the customer to protect their privacy – it is already built into the system by default.
It is critical for this pro-active approach to be underscored by a commitment to visibility and transparency, with organizations providing insight to customers about what information is being collected, why, and for how long. Proving that you employ a user-centric approach to privacy will promote trust among your customers, and will reassure them that you are seeking to accommodate all legitimate interests and objectives while avoiding trade-offs and false dichotomies such as “privacy vs. security.”
The idea of trade-offs can be incredibly damaging. In fact, the notion that a service’s value must be sacrificed in order for privacy to be done properly is one of the primary misconceptions about privacy planning held by companies, and may help explain why privacy protections are often left out of early planning discussions. Companies need to understand that there is no balancing act required, as privacy doesn’t come at the expense of other benefits. Rather, it reinforces them.
Organizations that understand this dynamic will have a significant advantage as we transition into the exponential growth of data-driven applications that are coming with 5G. Large companies such as Telus, which is the only telecommunications company to have secured PbD certification, have to make significant efforts to embed the PbD framework into their operating model, but the rationale is clear: Putting customers first means putting privacy first. As it is entrusted with protecting the thousands of terabytes that flow through its networks every day, Telus’s decisions about data are always taken with the best interests of customers in mind. And the same principles apply to smaller companies – integrate.ai, a provider of ethical AI solutions, has secured PbD certification, thereby formalizing its commitment to data-use best practices in AI marketing.
More broadly, companies need to understand the importance of upholding the privacy rights of their fellow citizens in our increasingly digital world. Organizations that are keen to put privacy at the top of their priority list and make a genuine commitment to safeguarding the privacy and integrity of their customer data should work to embed the seven foundational principles of PbD into their business models. It may seem like a major undertaking at first, but implementing PbD is a positive-sum game, with both consumers and businesses standing to benefit.