Privacy by Design looks a lot like New York
May 22, 2019
The case for Privacy by Design was made and won many years ago and rightly it is the key compliance objective of the GDPR, required to give effect to the desired outcomes within the Data Protection Principles, in a comprehensive manner. However, despite all the talk and the writing, a wide-scale Privacy by Design culture seems no closer now than it was when the ideas were first formulated by privacy thought leaders in Canada, back in the day.
There are many explanations that can be presented for this deficit in Privacy by Design. Some people blame a lack of resources. Some blame a lack of values. Some blame a lack of enforcement actions. And some even blame the public (“if only people voted with their feet instead of tolerating bad practices”), which, I know, misses the whole point of things.
Recently I met a person with different ideas. A significant player in the UK financial services sector, he points to a lack of understanding of the nature of data itself and how data projects are wrongly turned into technology projects.
My friend presented me with two thoughts. First, we need to think about our relationship with data as being akin to an intelligent conversation. Second, the intelligence that we input into a conversation, or gain from a conversation, will differ from conversation to conversation, depending on the parties’ characteristics and what they are seeking to achieve. If we apply these ideas to our thinking about Data Privacy, they will provide a basis for Privacy by Design, at least as far as the ideas of purpose and data minimisation are concerned.
He brought this to life by asking me to consider a conversation about New York.
Having a conversation about New York
Imagine that you are having a conversation about New York. What would you be trying to achieve in that conversation? Perhaps you want to get directions to Central Park from your hotel. Or perhaps you want to know where the best steak house is in Manhattan. Or maybe you want to visit the Statue of Liberty.
All of these conversations about New York will deliver a valid picture of New York, but none of them will provide a complete picture of New York. In fact, in each conversation the majority of New York is overlooked, including the routes of the subway systems, the names of the art galleries and the locations of the ATMs.
Yet none of these omissions matter. The validity of the conversations and the data imparted through them is not undermined. The picture remains accurate and fit for purpose. You do not need to have the whole of New York to have a valid New York. In fact, if you were to receive the whole of New York, you wouldn’t be assisted in your aims.
According to my friend, this is illustrative of the problem with Data Privacy. You may want a piece of New York, but instead you receive everything, or far more than you actually want or need. This failure in the approach is the antithesis of a data-centric approach that delivers on the real needs of the data user. The failure leads to data maximisation, not data minimisation.
So we cannot get to a Privacy by Design approach because the nature of the conversation that we want to have and the intelligence that we are seeking to derive through the conversation isn’t the focus. Instead, something else happens.
The CRM example
One morning a senior business leader awakes with a worry that they do not understand the true value of the sales pipeline. They think they need more Management Information and so a process is started at work. That process involves the technology department and before you know it a CRM deployment is commenced. The functionality is awesome, seemingly boundless. But within a mere six months another unmanageable data swamp has been built, which is even worse than email. Soon after, the CRM becomes a thing of hate and scorn, then it starts to be rejected, then it becomes a thing of embarrassment, not to be spoken about, and eventually it dies, to be replaced by a better, new CRM, with all the lessons learned. Except they are not, and so the cycle repeats.
A key part of the problem is that the business leader’s concern was treated as an IT problem, not a data problem. Perhaps if their need for Management Information was analysed properly from a data perspective it might have been understood that it was considerably more modest than the CRM’s functionality was designed to deliver. Maybe they didn’t need a new CRM after all. Maybe all the data was already in place and all that was needed was the creation of new conduits for the conversation. Maybe the business leader only wanted a piece of New York, not the whole thing.
According to my friend, the biggest barrier to Privacy by Design is misconstruing a need for intelligence as a need for a technology project, with the problem being that the default position of technology projects is a maximisation of functionality, not a minimisation of data.
The taking of a technology-first approach, rather than a data-centric approach, has to be addressed if Privacy by Design is to be achieved in practice, not just on paper.
Privacy by Design, The Journey to Code and an intelligent focus on data
PwC’s vision for Data Privacy is one where the Data Protection Principles are delivered within data and technology themselves. This must be a logical focus of Privacy by Design, seeing that the catalyst that led to the development of the Principles in the late 1960s and early 1970s was a worry that technology fuelled by personal information would accelerate the growth of propaganda and surveillance, which are the major privacy challenges of our time. If technology and data lead to these outcomes, then they must also provide the solution, because you can’t fix a technology and data problem with paper and organisational solutions alone. Yet paper and organisational processes have been the main focus areas of organisations attempting to address the GDPR, with fixes in technology and data being very distant ambitions, or overlooked altogether.
My friend’s perspectives on the challenges of Privacy by Design point to another variable, which is that technology-led approaches to business, rather than data-centric approaches, maximise the privacy problem. That must be correct. Therefore, when we create our Privacy by Design frameworks, we need to take care to ensure that they involve data experts, not just technologists, and that we focus on the intelligence that we need from our conversations involving data, not just on the functionality that the technologists can provide.