Privacy by Design: Why it is important
First of all, when we think about the concept of privacy by design, we need to bear in mind that it comprehends the incorporation of mechanisms to ensure the privacy and security of personal data to all development processes.
Though, to understand this concept better, we need to go back a little and understand what privacy is.
The modern idea of privacy rights is older than we think. It was first composed by an article published by Harvard Law Review in 1890, defending that privacy is “the right to reserved personal information and the right to life ”
Also considering that privacy, in times of digital transformation, would be the owner’s right to keep or share any data and information to whoever he pleases, without being forced to do so.
Consecutively to this thought, we can find the definition and position of many entities and legislation about privacy, it also reflects not only on the United Nations Commission on Human Rights but also on the Brazilian Federal Constitution of 1988.
In both cases, they have mentioned privacy as an inalienable right and non-transferable citizen, that is, we can say that this subject is embedded in many areas that discuss human condition and ethics.
Privacy by Design and GDPR
The term Privacy by Design is not so recent, it was first approached in the ’90s by Dra. Ann Cavoukian .
Such a concept basically argues that privacy security should not be based solely on organizations’ compliance with legislation, that is, they should have privacy security as a basic mode of operations.
The term Privacy by Design as we know was popularized more recently, precisely when discussions about GDPR took place.
The European General Data Protection Act, which came into force in May 2018, has the objective of unifying the privacy legislation of the European Community.
In its Article 25 (Data protection by design and by default, GDPR addresses the need for companies to implement appropriate data protection measures.
However, in 1995 the European Parliament had already created Directive 95/46 / EC, which has the purpose of protecting the processing and movement of personal data.
Privacy by Design and LGPD (Brazilian normative)
As we can see, privacy security is an ongoing discussion that is already mature.
However, this theme has taken on increasing proportions and is being used as a basis for defining legislation in several countries.
In Europe, as we have seen, the GDPR has emerged, to which companies seeking to operate in the European Union or serve their citizens must seek to fit in.
In Brazil, the LGPD (General Data Protection law) will come into force from August 2020.
However, in the case of LGPD, there is no direct quotation about the use of privacy by design in the text, but in article 46 the Law stipulates that technical, security and administrative measures should be adopted to ensure users’ data security against unauthorized access.
Even though it has become known as “privacy by design”, in GDPR the concept is formed by two parts that need to be understood separately: “Privacy by Design” and “Privacy by Default”.
Therefore, to better understand each of the concepts, we will address them separately below.
What is Privacy by Design?
Following Dr. Ann’s statement, we can say that a good definition of the concept would be that during the process of creating and developing a product or service, companies should take as a basic premise the protection of their users’ privacy and stored data, and this requirement must be met at all stages of the process.
Therefore, we realize that the concept of privacy should be approached as the main focus and should be carefully observed at all times, not only in the final stages of development.
In a way, this concern already exists as a standard when it comes to safe development processes, where we seek to foster the idea of developing a safe product from the beginning of the developmental track.
What is Privacy by Default?
The idea of privacy by default is also a widespread concept that argues that services and applications should be delivered to the user with maximum privacy permissions. This ensures that the information owner defines the best way to share their data and or information.
However, what we can see over time is that large technology companies have done just the opposite: they give the user the responsibility of configuring their applications or services to make them more restrictive from time to time a minimum restriction setup.
7 Fundamentals of Privacy by Design
The basic purpose of design privacy is to give information owners the power to control the degree of exposure and sharing of their data or not.
What happened is that companies that already use this model gain a competitive advantage over those that have not yet implemented the concept.
If your business was not concerned about the privacy of user data as a priority, that is okay: this can be achieved by following a few basic principles, which will be covered below.
1. Proactive, not reactive; Prevent, not remediate
If we could put this concept based on just a single term, it would be anticipation.
The first principle aims to present the concept of anticipation of privacy breach events. Therefore, the solution developer must predict which factors and threats may affect their users’ privacy while using their applications.
This means that the developer must be proactive and not reactive to problems that may happen.
If we correlate development phases, we can say that it is in the requirement stage that we will begin our search for the first ideas on how to protect data.
Ditto, keep in mind that within SDLC (systems development lifecycle) thinking must always be proactive, never reactive.
2. Privacy By Default
The essential point of this principle is to ensure maximum security for users’ data and information, even if they do nothing to increase the security of the application.
So this principle brings back the concept of privacy by default that we have already commented on.
That is, the delivery of the service or software is made with the highest level of restriction as possible, ensuring that user information and / or data is already exposed as little as possible from the earliest moments of use.
This is clearer when we read the document principles:
“No action is required on the part of the individual to protect their privacy – it is built into the system by default.”
3. Privacy embedded in the design
The security of user privacy should be an elemental part of the solution. That is, even if required by Laws and Normative, it should not be thought only when required. The application or service must be built with security as a prerequisite.
The result is that privacy security becomes an essential component, a “core” functionality that must be born with the application, without being embedded later.
While privacy is a critical design point and often a legal requirement, it should be seen as an added function of the service or software.
This means that the functions that guarantee user privacy should never be implemented in such a way as an obstacle to the solution operation.
Whenever there is a functionality that conflicts with privacy, this conflict must be resolved so that privacy is not compromised.
5. Security end-to-end
Even if the initial idea is to build a solution, service or application based on security in the development process, this thought must also exist in relation to the data lifecycle.
Based on data and information control, we need to ensure that data is protected throughout the data lifecycle.
Then we can understand that the cycle begins the moment the user enters his data and it goes through processing, storage, and transmission.
Therefore, privacy must be protected throughout the existence of the information.
6. Visibility and Transparency
This section addresses the requirement that when thinking about building a solution, ensuring transparency with data collection, use, and storage, and ensuring privacy, should be one of the central points of the development process.
In this respect, both the European regulations – GDPR – and the Brazilian General Data Protection Law – LGPD – are quite clear in pointing out that first the data owner’s permission is required to use it.
From this permission, it is still necessary to identify the reason for data collection and what will be done with them, and even in case of a possible leak.
Therefore, data collection, processing, and storage should be documented in a fully transparent way to the data owner.
7. Respect for Privacy Owners
Last but not least, we have the principle that reinforces the concept of data ownership.
By this principle, the application or service must guarantee to the user the property right, reserving to them the decision on stored information.
Hereby we can also see a strong harmony between GDPR and LGPD because in both cases the need for consent from the data owner for its use is clear.
The user must also be guaranteed the right to correct and update the information contained in this data.
Summing up, we can understand that the user must always have complete control over their data.
What have we concluded?
We can say that the requirements seen today in legislation are not new in thought, as they were created much earlier.
We can imagine that these laws are a good evolution of the concept, becoming now more rigid and present in the development and compliance processes of companies.
In general, these approaches give the user power over a good that, for lack of clearer laws, had been lost for some time.
For Application Security professionals, there is the lesson and reinforcement of the need to increasingly improve application delivery with the highest level of security possible.
This, of course, always observing the best practices and being aligned with regulatory needs.
We need to understand that AppSec is not just code, there are other elements involved in this process. And, above all, that this culture must be fostered and scattered throughout the company.