This past April, The Globe and Mail hosted Dr. Cavoukian to talk about her landmark paper Privacy by Design. A short woman, she’s hard to see in a packed, standing room-only venue. However, within a few minutes, she captures her audience as she oozes positive energy and shows great enthusiasm on the subject of privacy.
Dr. Cavoukian is currently executor director of the Privacy & Big Data Institute of Ryerson University in Toronto (Canada). Prior to taking this post in 2014, she was the information and privacy commissioner for the province of Ontario (Canada) and held this position for three consecutive mandates.
During her time as commissioner, she produced hundreds of white papers on the subject of privacy. Her landmark paper, published in 2009 and titled Privacy by Design, was one of the most influential papers in the world on the subject of privacy.
Translated in 37 languages and adopted in countless countries, it is the benchmark guide for governments and organisations on privacy matters.
A pro-business, pro-technology approach
What comes out loud and clear from Dr. Cavoukian’s presentation is that she is pro-business and pro-technology. She is as comfortable talking about biometrics, mobile, or wearable technologies as well as discussing the intricate issues of data security. She enthuses about the potential medical breakthroughs that could come about with the advance of Big Data.
She is certain businesses will thrive all the while being pro-privacy. She notes that the real innovations will materialise when organisations invest an equal measure of talent into embedding personal privacy protection right at product conceptualisation.
The idea behind Privacy by Design is that organisations working to integrate privacy infrastructure at the product concept level create a win-win situation which Dr. Cavoukian refers to a “positive-sum” model.
Privacy is about personal control
At the centre of Dr. Cavoukian’s speech is the concept that control over one’s personal information is key. A person can truly exercise this control by being fully aware of the information potentially gathered (transparency), and given the choice and appropriate tools, to participate or not (opting in/out) in the gathering, use, and/or sharing of their behaviour or use of the product or service.
Privacy by Design: 7 foundational principles
The foundational principles are highlighted below (read the full explanation here):
- Proactive not reactive; preventative not remedial.
- Privacy as the default setting.
- Privacy embedded into design.
- Full functionality – positive-sum, not zero-sum.
- End-to-end security – full lifecycle protection.
- Visibility and transparency – keep it open.
- Respect for user privacy – keep it user-centric.
Integrating Privacy by Design in the latest app
It’s not as easy as it sounds: one needs to consider deadlines, design changes, and development challenges. But if all parties understand and agree this is the better path forward (and it is) then eventually a solution is agreed upon.
Media organisations may find it beneficial to get a mini internal infrastructure to help support the concepts advanced with Privacy by Design. The participants should be dedicated privacy advocates and ideally should represent many areas of the organisation in order to help integrate privacy models in the organisation’s many different endeavours.
Below is the formal privacy structure The Globe and Mail established to help it achieve its privacy goals:
- Chief privacy officer (CPO) – Reporting directly to the publisher, the CPO has overall responsibility for privacy governance, including advising stakeholders (departments), maintaining the privacy programme, responding to data breaches, vendor management, and responding to inquiries and complaints.
- Privacy oversight committee (POC) – Reporting to the CPO, this is a cross-functional oversight committee, with representatives from multiple departments including finance, research and analytics, IT, customer care, advertising, and marketing.
The POC is responsible for planning and overseeing the implementation of privacy management activities. These include tasks such as establishing and maintaining a data inventory, developing best practices and vendor management guidelines, and creating processes around business needs such as incident response and new product development.
- Departmental privacy advocates (PAs) – Supporting the initiatives of the POC, PAs act as departmental liaisons on issues relating to data and privacy. Working with the POC they are responsible for raising awareness of privacy developments within their departments, providing guidance on issues relating to data and privacy, and assisting the POC with privacy documentation, processes, and, in the future, compliance audits.
Departments with privacy advocates are logistics, digital, advertising, customer care, consumer sales, research and analytics, finance, human resources, IT, consumer marketing, and editorial.
As director of customer care, I am both a PA and part of the POC. As a group, we have learned a lot, and we are making constant progress in our approach and ability to operationalise this practice. It takes time to get the proper infrastructure in place and get all the staff trained.
Most important of all: Keep sharing your successes! Our entire industry stands to benefit by adopting privacy-centric philosophies.
For a deeper review of The Globe and Mail’s privacy practices, look for the WAN-IFRA report “Data Privacy: An issue for our time.”