Personal privacy eroding as a consequence of technological development is a premise widely accepted today—and it is not entirely inaccurate. The insidious thing about the privacy threat to the digital world is that one may not even be aware that their privacy has been violated. The notion that individuals have an ethical duty to protect their own privacy implies two things: people have a duty to do the impossible and personal responsibility for one’s own privacy precludes government and enterprise responsibility for privacy protection.
There are practical limits as to how effectively people can protect their own privacy. Many people lack knowledge of the technologies and data-gathering practices that are now commonplace. Some people cannot avoid cultural and economic pressures to engage in transactions that result in information disclosures. Individuals have a limited ability to negotiate privacy-related terms and conditions with organizations and government entities.
Although lawmakers have been drafting policies to help ensure that personal privacy is being protected, many of these policies allow organizations to collect, use and disclose data as long as they provide transparency about these practices. Therefore, there is a need for more effective privacy laws that rely less on empowering consumers and more on protecting them. To be effective, privacy policy should protect the naïve, the uncertain and the vulnerable. It should be sufficiently flexible to evolve with the emerging and unpredictable complexities of the information age.
Organizations rely on the insights they get from customer data to sharpen their strategy and enhance the customer experience. However, with access to that data comes an obligation to protect it. The concept of privacy by design advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation. Although this extremely powerful concept is not new—it was developed in the 90s to address the ever-growing and systemic effects of information and communication technologies and large-scale networked data systems—it is unfortunate that it has not become mainstream. The term means data protection through technology design. Behind this is the thought that data protection in data processing procedures is best adhered to when it is already integrated in the technology when created. It is a simple and effective approach, proactively embedding privacy into the design and operation of technology systems, infrastructure and business practices.
And there are many benefits. Organizations can differentiate themselves by taking deliberate, positive measures to protect privacy. A demonstrated ability to secure and protect digital data, both for an organization and its customers, is increasingly being recognized as a business imperative that yields a competitive advantage. Privacy by design goes well beyond accepted fair information practices and privacy standards, virtually assuring regulatory compliance no matter where an organization operates.
The benefits of the digital world come at a cost, but it is in the best interest of people, organizations and lawmakers to consciously and continuously ensure that the benefits outweigh the costs by collectively working together.
Editor’s note: For further insights on this topic, read the authors’ recent Journal article, “Stop Using the Privacy Paradox as an Excuse to Avoid Privacy by Design,” ISACA Journal, volume 5 2022.
