Small businesses must do their part to ensure privacy when creating technology products and dealing with customer’s personal information, says Ann Cavoukian, Ontario’s Information and Privacy Commissioner.
The law of the land and the hard work of regulators just can’t keep up with the rapid pace of IT systems anymore, Cavoukian told the crowd at her third annual Privacy by Design conference, held on Jan. 28, International Data Privacy Day. Instead, firms creating IT products and using them for business processes must embed privacy as the default from the beginning. It’s a cause that Cavoukian has championed since conceiving it in the late 1990s.
Related Story: ‘Privacy by Design’ approach gains international recognition
“Small businesses may feel they have limited resources and can’t implement privacy by design,” Cavoukian says. “But the reason you can do this is because you may have less to do if you think in terms of privacy.”
The Commissioner often encounters CEOs who assume they should keep personal information around “just in case” it’s needed, she says. But that’s the wrong approach that creates more risk of leaking that personal information to a third-party. Such a leak could harm company reputation and lead to legal problems.
“If you don’t need to collect it, then don’t do it,” she says. “If you must, then encrypt it or encode it… Keep it user-centric, always go back to the individual.”
Bering Media provides an example of a small business that practices Cavoukian’s privacy creed. The Toronto-based startup connects advertisers with consumers holding specific postal codes, without revealing any personally identifiable information to the advertiser or to Bering Media itself.
It’s done by connecting with Internet service providers (ISPs) and asking them to match ads with the appropriate location, says Michael Ho, vice-president of business development at Bering Media. ISPs already know the specific location of each of their internet protocol (IP) addresses in order to manage their network.
“We basically allow ISPs to act like the post office,” he says. “We allow the ad server to push a message to the right geography without disclosing where the person lives.”
All the data is correlated in real-time and Bering Media doesn’t store any personally identifiable information. Once a consumer opts-out of the system, they will never be included again.
“You’re removed from all current matches and all future matching,” Ho says. “It’s as if you never even existed in our system.”
Bering Media took the initiative to develop a technology that embedded privacy with its technology’s double-blind architecture, Cavoukian says.
“No one has access to that information,” she says. “Not the advertiser, not the people holding the geo-location data. It’s a win-win, total positive sum model.”
Cavoukian’s Privacy by Design concept has been picking up steam lately. The international Data Protection and Privacy Commissioners annual conference in Jerusalem passed a resolution recognizing it as an “essential component to fundamental privacy protection,” according to the commissioner’s office. It’s one step to technologies around the world being designed with privacy in mind.
|Geo-location: A technological method to determine an individual’s location to varying degrees of specificity, such as a country, region, or postal code. Usually done with GPS coordinates or IP address locations.|
Privacy by Design is important for young, technology-based companies to consider, says Ilse Treurnicht, CEO of MaRS Discovery District. The business incubator has made the concept one of its main advisory planks when consulting with small firms.
These small, tech-driven outfits are “gazelle companies” that only get “one shot” at success, she says. Meanwhile, to do business with larger players, the little guys must look like they’re going to survive.
“Building privacy in the original product design allows them not to have to back track,” Treurnicht says. “It sends a signal that you’re intent on growing big, just like your customer.”
Internal regulators with Hewlett-Packard Co. and IBM Corp. also spoke at the event, and discussed how privacy by design was being implemented within their corporations.
Seven principles of Privacy by Design
1. Proactive – prevent privacy-invasive events before they happen.
2. By default – personal data are automatically protected in any given IT system or business practice.
3. Embedded – not an add-on, but integrated into the design and architecture of IT systems.
4. Positive-sum – a “win-win” scenario is achieved rather than having a trade off of security over privacy.
5. Lifecycle protection – at the end of the process, all the data are securely destroyed in a timely fashion.
6. Visibility / Transparency – a technology or business practices is operating according to stated promises and objectives, subject to independent verification.
7. Respect for users – interests of the individual are uppermost.