Let’s talk about digital identity with Ann Cavoukian, Executive Director of the Global Privacy and Security by Design Centre.

In our series opener, Privacy by Design creator, Ann Cavoukian joins Oscar to discuss Privacy by Design – the 7 foundational principles, the issues that it aims to solve and how Privacy by Design has evolved and is being used in today’s tech products.

[Transcript below]

“You want to prevent the privacy harms from arising, not just resolve them after the fact, you want to prevent them.”

Ann CavoukianDr. Ann Cavoukian is recognised as one of the world’s leading privacy experts. Dr. Cavoukian served an unprecedented three terms as the Information & Privacy Commissioner of Ontario, Canada. There she created Privacy by Design, a framework that seeks to proactively embed privacy into the design specifications of information technologies, networked infrastructure and business practices, thereby achieving the strongest protection possible. In 2010, International Privacy Regulators unanimously passed a Resolution recognising Privacy by Design as an International Standard. Since then, PbD has been translated into 40 languages! In 2018, PbD was included in a sweeping new law in the EU: the General Data Protection Regulation.

Dr. Cavoukian is now the Executive Director of the Global Privacy & Security by Design Centre. She is also a Senior Fellow of the Ted Rogers Leadership Centre at Ryerson University, and a Faculty Fellow of the Center for Law, Science & Innovation at the Sandra Day O’Connor College of Law at Arizona State University.

Connect with Ann on LinkedIn.

Privacy by Design has become an ISO Standard, listen to Episode 89 Privacy by Design: Road to ISO 31700 to find out more.

We’ll be continuing this conversation on Twitter using #LTADI – join us @ubisecure!

Go to @Ubisecure on YouTube to watch the video transcript for episode 73.

Let's Talk About Digital Identity
Let's Talk About Digital Identity

The podcast connecting identity and business. Each episode features an in-depth conversation with an identity management leader, focusing on industry hot topics and stories. Join Oscar Santolalla and his special guests as they discuss what’s current and what’s next for digital identity. Produced by Ubisecure.


Podcast transcript

Let’s Talk About Digital Identity, the podcast connecting identity and business. I am your host, Oscar Santolalla.

Oscar Santolalla: Hello and welcome to join us a new episode of Let’s Talk About Digital Identity. And you might have heard about Privacy by Design before all the influence that has had in products and regulations, et cetera. And today, we’ll hear about that from its own creator. So, our guest today is Dr. Ann Cavoukian. She is recognised as one of the world’s leading privacy experts.

Dr. Cavoukian served an unprecedented three terms as the Information and Privacy Commissioner of Ontario, Canada. There she created Privacy by Design, a framework that seeks to proactively embed privacy into the design specifications of information technologies, network infrastructure, and business practices, thereby achieving the strongest protection possible. Today, Dr. Cavoukian is the Executive Director of the Global Privacy and Security by Design Centre. Good morning.

Dr. Ann Cavoukian: Good morning, Oscar.

Oscar: Good morning. And it’s fantastic having the pleasure of having this conversation with you.

Ann: Thank you. It’s my pleasure.

Oscar: Please tell us shortly how, yeah, your journey to this word of privacy and digital identity?

Ann: Well, you know, it’s interesting. When I became Privacy Commissioner, for the first term in ’97, I think, I joined the office and it was full of brilliant lawyers who wanted to apply the law to data breach or privacy infraction and get a good resolution, which is great. But I wanted something earlier than that. I wanted something that was proactive. That by design could be embedded into the operations that you have, bake it into the code, make it a presence, so that you could prevent the privacy harms from arising. I wanted a model of proactive protection. And it took a while to sell this to my staff, to my lawyers. But I literally created Privacy by Design at my kitchen table over three nights. It was all about being proactive. That’s how it came about.

Oscar: OK, super interesting. If you can tell us, what is that concept for the ones who are not so completely familiar.

Ann: So, Privacy by Design is all about being proactive. You want to prevent the privacy harms from arising, not just resolve them after the fact, you want to prevent them. And in order to do that, you have to embed the necessary measures into the design of your operations. And privacy, as the default, the second foundational principles of the seven is probably the most important one.

What it says to your customers, or your citizens is we don’t expect you to go and search through all the terms of service and the legalese in the privacy policy for the opt out clause that says, “Do not use my personal information for any purpose other than the primary purpose I’ve consented to.” No, no, that takes hours to do. We don’t expect you to do that. We will give you privacy as the default setting. Automatically, we will give you privacy, you don’t have to ask for it.

Oscar: Yeah, exactly why it will be ideal if all products that we started using are like that. If you can tell us a bit of all the– well, the problems, some of the problems, I know you have many, some of the problems that Privacy by Design aims to solve.

Ann: At the beginning, the initial problem was that lawyers viewed it not as a legal structure, which is not. It’s trying to be very adaptive to the code, bake it into the code. I always say you got to work with whatever code you have to your operations, that’s where you have to focus. So that was quite different for a lot of people who take a very legalistic approach to it.

But the other thing is, you have to convince your CEO, your executive, your board of directors that this is a valuable pursuit so that they will devote time and attention to allowing you to create Privacy by Design and embedding it in your operations. Now, it’s always to your benefit. Companies that have become certified for Privacy by Design, have come back to me and said they love it. They love it, because it shows their customers the lengths they’re going to, to protect their privacy. So, it builds trust, it builds loyalty and attracts new opportunity.

So, it works very well once you’ve got it going. But people have to be committed to it. And I always say to companies, “Do you have a data map?” And they go, “Huh?” See what data map does. Often companies want to give privacy to their customers and at the first instance when they enter into the company, purchase something, a service or whatever, they get their consent, their positive consent for the primary purpose of the data collection. But the problems arise after that. Often that personal information flows throughout the office to various departments that may be using it in ways that were never consented to.

So, unless you have a data map that flows the direction that data takes within your company, you’re not going to know that. So, I always tell companies get a data map, ensure that you can, you know, like in a diagram almost, indicate what the data flow is. And then you’ll see if you need to obtain some additional consent for secondary uses of the data that were never contemplated.

Oscar: Yeah, indeed, you mentioned data map and it’s a term that I rarely hear actually, rarely read, I think it’s…

Ann: I think I created it, but I don’t know I always talk about it. And then people go, “Yeah, that’s a good idea.”

Oscar: Yeah, indeed. What I mean is that I’m sure not many CEOs, as you mentioned, or people who are responsible for billing to service is on their top of their mind so yeah.

Ann: Not top on mind. That’s for sure.

Oscar: If you could tell us briefly the seven foundational principles of Privacy by Design.

Ann: Sure. The first one prevent the harms. You want to be proactive so that you could prevent the harms from arising. It’s very, very clear. The second one is privacy as the default setting. And that’s– I talked about that quite a bit. It’s absolutely critical, in fact, it’s considered to be so important. When they enacted the GDPR in the European Union, the General Data Protection Regulation, they included not only my Privacy by Design, but specifically privacy as the default setting as well. So that’s very important.

The third one embedded in design is absolutely critical. If it’s not baked into the code into your operations, it’s going to be overlooked. The fourth one you have to have, what I always say full functionality. Get rid of the zero-sum mindset of privacy versus security, or privacy versus data utility. It can’t be either, or, win, lose. It has to be win-win, privacy and data utility. You make a positive sum, and you get multiple positive gains, privacy and security always intertwined.

And the next one talking about security. While the term privacy subsumes a much broader set of protections and security alone, in this day and age of daily hacking and phishing, if you don’t have a strong foundation of security from end to end, with full lifecycle protection, you’re not going to have any privacy. So, start with a solid foundation of security throughout your entire organisation. Give individuals access to their own data.

I always say to companies and governments, you may have custody and control of someone’s data, but it doesn’t belong to you, it belongs to the data subject. So, give them the right of access that they have, allow them to gain access to personal information you have on them. And companies actually have come back to me, companies that are certified for Privacy by Design, and they say, “We love this. We love this principle. Because once we give customers access to their own data, they come back to us and say – No, no, that’s no longer the case. That was true about me two years ago, here’s what’s going on now.” So, they correct the information. They increase the accuracy of the information we hold. And it increases the quality of the data we have. So, they love it.

And the last principle, keep it user centric. When you keep it focused on the user, all of this flows out. Because it should all be around the individual, when it’s personal information you’re dealing with. Because personal information is about identifiable individuals. So, you have to keep it focused on the user, and what they permit, what they don’t permit, things of that nature. So that’s it. Seven foundational principles by design. To me, it’s like motherhood. But to most people, it takes a while to digest.

Oscar: Yeah, absolutely, pretty solid principle. And thank you for reminding those seven principles that I guess– I think most of us have read at least a few times. But thank you for the reminder. And I would like to know, because it’s been a while since you created that, has that paradigm really evolved changed until now since published or how do you say?

Ann: It has grown enormously in terms of where it’s being followed. It’s followed in 165 countries all around the world. All new laws seem to reflect Privacy by Design. Of course, the GDPR, you know, and the European Union. But other new laws like Brazil enacted a new law last year, they included Privacy by Design in it. And the US is going to be enacting a federal law, there’s Privacy by Design in it. So increasingly, new laws are including Privacy by Design. And also, it’s been translated into 40 languages, 40 languages all over the world .

Oscar: Yeah, that’s a great achievement having 40 languages already so it’s spreading and spreading as it should be, of course. You have mentioned I think couple of times already, Certification of Privacy by Design, so who does that?

Ann: So how that works is if you think you’re doing Privacy by Design in your company, and you want to get certified, you come to me, send me an email. And with your consent, I partner with KPMG, with your consent, I send KPMG to you to review your information holdings in your operations, to confirm that you are in effect doing Privacy by Design. Usually, they have a few suggestions to make it better. And once they give me a report that you are indeed following Privacy by Design, then I issue a certification and you’re certified. That way, you’re golden.

I always tell people, if you’re certified with Privacy by Design, put it on your website, tell the whole world you’re doing this, because it builds such trust. Customers and companies that have been certified have come back to me and said, “We have the trust that has waned over the years. It’s now returning. Customers appreciate the lengths we’re going to, to protect their privacy. We retain the customers and the loyalty that customers we have. But it’s attracting new customers, attracts new quality, new information to us in terms of what their interests are. So, it’s growing our operations.” They love it.

Oscar: Yeah. Excellent. So, it’s yourself, your organisation who does the certification.

Ann: With KPMG. KPMG does the actual going in and examining everything.

Oscar: OK. Excellent. Good to know. Absolutely. If you can tell us also how Privacy by Design is being put in practice besides, of course, certification. Tell us a bit how it’s put in practice in today’s technology products, if you can– tell example if you can.

Ann: Sure. In smart cities, for example, what do smart cities do? They collect a lot of information, everywhere. So my first advice to smart cities, is the minute you collect any personal information from a vehicle that’s driving down the street, or people walking down the street, or an apartment building or whatever, the first thing you do is you de-identify the data. You strip any personal identifiers from the data because that can be used in ways that were never intended, certainly hasn’t been consented to.

But once you have the personal identifiers removed, then it’s just someone’s walking down the street, but you don’t know who that is. Someone’s driving this car to this location, you don’t know who. That’s what’s critical. You don’t need the personal identifiers linked to the data, you just want to get a sense of what’s happening in the city, and how this movement flowing and things of that nature. So that’s one example.

Oscar: Smart cities. Also, in hardware physical products it’s also Privacy by Design?

Ann: Certainly, in terms of the computers that we have, in the mobile devices that we have smartphones, et cetera, Privacy by Design is essential. And the only company that I always point to is Apple. Apple is amazing. They have a – why of course I have an iPhone, because they have end to end encryption. The data are completely encrypted. So, I may be talking to you, you and I can exchange data, but no third parties can gain access to that data in an unauthorised manner. So, encryption is critical. And especially on mobile devices that collect so much personal information, phone calls, emails, texts, et cetera. You must have very strong encryption from end to end, and Apple, and the iPhone is the only company that I know that does that all the time.

Oscar: OK. Yeah, absolutely, smart cities, you mentioned, well, Apple as the mobile phones and we use all the time mobile applications, web services, different types of products. How, for instance, imagine that I suggested to start using a new product, let’s say a new mobile application. How do I know if that product has been designed with Privacy by Design? Is there a way to know in advance should I buy this product?

Ann: Well, unless they’re certified, you won’t know. But I always say before you use any new product or service, always ask the questions. What will you be doing with my personal information? I’m giving you my personal identifiable data for this purpose and this purpose alone; can you confirm that that’s the only use you will subject it to? Is there any chance of unauthorised third parties gaining access to my data, in which case I’m not interested, I’m out. So, you have to always post the questions before you start a new product or service. It’s critical.

Oscar: Yeah, but that’s post your question to yourself, or you’d say you have to contact the – to them.

Ann: You’ve got to ask it to them, what you’re dealing with , always. And I always do that. But you’d be amazed at the wonderful answers you get. Once you show, you reveal your interest in privacy, they come bxack with, “Oh, we can do this. We can do this. We can do that.” They just take it for granted. You don’t care. But once you show that you care deeply about privacy, they increase your protection dramatically.

Oscar: Oh, that’s great to hear. Actually, I should do it more often, definitely.

Ann: I do it all the time as you can imagine.

Oscar: All right. OK, I will follow your advice. Absolutely. One final question for you, Ann, fantastic conversation with you. For all business leaders who are listening to us now, what is the one actionable idea that they should write on their agendas today?

Ann: Trust. You want to gain the trust of your customers. Right now, trust is fleeting. It has diminished dramatically. The concern for privacy has increased dramatically in the last two years. Every public opinion poll in the last few years, Pew Internet Research et cetera, has put in concern for privacy at an all-time high. 90% of people indicated they’re concerned about their privacy. 92% are concerned about loss of control over their personal information.

So, if you’re in the management of your company, you want to gain trust. And you do that, by communicating with your customers. You tell them the lengths you’re going to, to protect their privacy, that you have great respect for them. And you will alert them if you have any additional needs for additional information, and you come back to them and obtain their consent. This builds trust like no other and it will build their business greatly.

Oscar: Trust. Just put in the word trust on the agendas, I think it’s… definitely.

Ann: And the Germans have a wonderful term for this. I always say privacy equals control, personal control over the use and disclosure of your personal information. The Germans have a term for this called informational self-determination. It should be the individual who determines the fate of his or her personal information. So, I love that term. It’s a good one to keep in mind.

Oscar: It is, self-determination, absolutely. Well, thank you very much, Ann, for this very interesting conversation. Would you please tell us, for people who like to learn more about the work you’re doing or get in touch with you, what are the best ways for that?

Ann: They can go to my website, GPS, G P as in Paul, S as in Sam, by design centre, all one word, gpsbydesigncentre, spelled C-E-N-T-R-E.com, gpsbydesigncentre.com, they’ll find everything.

Oscar: Absolutely, we will do. Fantastic. Again, thanks a lot, Ann, for this interview and all the best.

Ann: It’s my pleasure. Have a great day.

Oscar: Have a nice day. Bye-bye.

Thanks for listening to this episode of Let’s Talk About Digital Identity produced by Ubisecure. Stay up to date with episode at ubisecure.com/podcast or join us on Twitter @ubisecure and use the #LTADI. Until next time.

[End of transcript]