Goodbye to the Facebook Era, and Hello To The World of Privacy


Go on, admit it … although your company says it complies with GDPR, it isn’t really fully GDPR compliant! Do you always store personal information separately from non-personal information? Do you encrypt all personally identifiable information and related data? Do you store and process only pseudonyms for your users? Is it impossible, from the stored data alone, to resolve those pseudonyms back to actual identifiers? Does your organisation have detailed procedures in place for reporting a data breach?

If the answer to one or more of these is “I don’t quite know”, then read on. Otherwise, you can finish reading this article, as you are a perfect data governor.

To machines, we are just a bunch of 1’s and 0’s

Okay, now that we have lost the perfect data governor (who doesn’t exist, by the way), we can read on. Like it or not, we live in a flawed data world. We have allowed protocols and methods that were developed in the 1980s to grow up and scale across the planet. Unfortunately, this is a world that is fit for machines and has little respect for the privacy of us humans. To machines we are just a number that needs to be linked to something else so that a decision can be made on it. Machines have little regard for you; they are simply programmed to complete their tasks, and your preference for one type of coffee over another is just a bunch of 1’s and 0’s to them. Machines have no boundaries unless we constrain them. This is the world we live in: allow everything, and bar a few things. For user privacy, we perhaps need to flip this: deny by default, and allow only what is explicitly permitted.

When “ownership”, “consent”, and “governance” become one

As our systems have scaled, there has been little in the way of inherent privacy and little in the way of citizen control over their own data. The concepts of “ownership”, “consent” and “governance” have been merged together, with companies taking control of all three.

For many companies, the rights of the user just get in the way of using all this lovely data … “What type of iPhone does Bob have? Perhaps he needs a new one?”, “Where does Alice buy her coffee? Perhaps she would like some tea for a change?”. We are now in the Wild West of Data, where companies basically harvest our data for their own benefit and then push long T&Cs for services which they promote as “free”.

And so our data is often harvested with little in the way of informing us, and the increasing number of data breaches shows that even large companies fail to protect the data of their customers. The CEOs of Equifax and TalkTalk, for example, had no idea whether their companies were actually encrypting data.

This is rather like a CEO not knowing whether smoke detectors have been fitted in their buildings … “Oh, the smoke detectors were for someone else to look after, so I just didn’t bother about them!”. Developers, too, often have little regard for the privacy of their users, and see privacy as a bolt-on that just gets in the way of writing great software.

The Times They Are A Changin’

But NIST aims to call time on those companies and developers who care little about the privacy of their users, and has drafted an outline of a privacy framework [here]:

Within it, NIST defines the core functions of Identify, Protect, Control, Inform and Respond, each of which is then split into categories:

These functions should allow organisations to understand the risks involved and set in place improved procedures:

  • Identify. This function establishes the business context for the data the organisation processes, the way in which that data (and the individuals behind it) is handled within the organisation, and the legal and regulatory frameworks that apply. These are used to inform risk practices within the organisation. Expected categories include: Asset; Business Environment; Governance; Risk Assessment; and Risk Management Strategy.
  • Protect. These are the mechanisms which protect sensitive data, including pseudonymisation and other privacy-enhancing methods. At this stage we see strong use of cryptography to hide and protect the core data. Expected categories include: Identity Management and Access Control; Awareness and Training; Data Security; and De-identification.
  • Control. This defines the mechanisms by which the organisation controls access to sensitive data, in line with the policies it has defined. This might include the rights to create, read, update and delete data elements. Expected categories include: Data Management; Data Quality; Default Configurations; and User Preferences.
  • Inform. This defines the procedures that organisations will follow to inform individuals about the processes used in the processing of their data. Expected categories include: User Notices; Data Processing Reporting; and Algorithmic Transparency.
  • Respond. This defines the procedures involved in responding to and reporting a data breach, including how users will be informed. Expected categories include: Redress and Breach Notification.
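
The pseudonymisation point under Protect, and the opening checklist question of whether your pseudonyms can be resolved back to real identifiers, deserve a worked illustration. The following is an example added here (it is not code from the NIST draft or from this article’s author): it contrasts an unkeyed hash of an identifier, which anyone holding the records can reverse with a list of guessed e-mail addresses, with an HMAC under a key that is held apart from the data. The sample addresses, the function names and the keys are all constructed for the example.

```python
import hashlib
import hmac
import secrets
from typing import Callable, Iterable, Optional

# Constructed sample data: direct identifiers held by a hypothetical
# organisation. Any list of e-mail addresses would do.
USERS = ["alice@example.com", "bob@example.com", "carol@example.com"]


def naive_pseudonym(identifier: str) -> str:
    """Weak pseudonym: an unkeyed SHA-256 of the identifier.

    Anyone holding the pseudonymised records can re-derive this from a
    guessed identifier, so it can be resolved without any secret.
    """
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def keyed_pseudonym(identifier: str, key: bytes) -> str:
    """Stronger pseudonym: HMAC-SHA256 under a secret key.

    The key is meant to live apart from the data (for example in a KMS or
    HSM reachable only by the pseudonymisation service), so the data store
    on its own cannot resolve a pseudonym back to the identifier.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def reidentify(pseudonym: str, candidates: Iterable[str],
               derive: Callable[[str], str]) -> Optional[str]:
    """Dictionary attack: re-derive pseudonyms for guessed identifiers and
    compare each with the target. Returns the matching identifier, if any."""
    for candidate in candidates:
        if hmac.compare_digest(derive(candidate), pseudonym):
            return candidate
    return None


def demo(target: str = "bob@example.com") -> dict:
    """Pseudonymise `target` both ways, then attack both pseudonyms with a
    guessed-identifier list. The attacker has the records but not the
    organisation's key; a random key stands in for their best guess."""
    org_key = secrets.token_bytes(32)        # held by the organisation only
    attacker_key = secrets.token_bytes(32)   # attacker does not know org_key

    naive = naive_pseudonym(target)
    keyed = keyed_pseudonym(target, org_key)

    return {
        # Unkeyed hash: the guessed-identifier list recovers the person.
        "naive_reidentified": reidentify(naive, USERS, naive_pseudonym),
        # Keyed HMAC: without org_key the same attack finds nothing.
        "keyed_reidentified": reidentify(
            keyed, USERS, lambda c: keyed_pseudonym(c, attacker_key)),
        # Deterministic under one key: the same person always gets the same
        # pseudonym, so records can be joined without the key ever leaving
        # the pseudonymisation service.
        "keyed_is_stable": keyed == keyed_pseudonym(target, org_key),
    }


if __name__ == "__main__":
    print(demo())
```

Two caveats follow from the keyed version. Whoever holds the key can resolve every pseudonym, so “impossible to resolve” really means “impossible from the data store alone”, which is the sense GDPR Article 4(5) gives pseudonymisation: attribution requires additional information that is kept separately. And because the HMAC is deterministic, every dataset pseudonymised under the same key can be joined; use a separate key per purpose if that linkability is itself something you need to prevent.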

NIST now needs your help in defining these functions, so go and feed into them. But, please, also go and review your own organisation’s methods for Identify, Protect, Control, Inform and Respond.

Conclusions

Our data are us. We are data … [link]

Would you want a personal photograph of you and your family to be distributed around your bank? Would you want people in a call centre to listen to what you say in front of your TV?

If the answer is “No!”, get your company to sign up to the NIST privacy framework and contribute to its development … and then implement the results!

Trust is going to be one of the greatest selling points for any company in the future, so go get the citizen on your side.