Rethinking privacy in tech products
The exponential adoption of technology products that require individuals’ personal and financial data has made data privacy a critical topic for businesses and governments.
In 2018, a key regulation, commonly known as the GDPR (General Data Protection Regulation), was introduced in Europe to standardize European citizens’ personal data protection and to give individuals some control of their data.
This governmental focus on data privacy wasn’t new, and it wasn’t just happening in Europe. In 2013, Singapore introduced the Personal Data Protection Act (PDPA). In 2017, Australia amended the 1988 Privacy Act with the Notifiable Data Breach scheme, and introduced the Consumer Data Right (CDR) in the same year.
These reactions by governments globally show that data privacy is a crucial issue in our societies.
Data privacy: growing costs and expectations
For businesses and other non-government organisations, a privacy breach could mean significant reputational damage, massive customer exits and hefty regulatory fines. Some recent high-profile fines for data breaches include the US Federal Trade Commission (FTC)’s US$5 billion fine to Facebook for the Cambridge Analytica scandal in 2019. In 2020, the UK’s Information Commissioner’s Office (ICO) fined British Airways £20 million (US$27 million) for a data breach which affected 400,000 customers. These fines reflect the seriousness with which many governments now treat data privacy and personal data protection.
Faced with huge fines, potential customer backlash and bad publicity, organizations that collect personal data must have robust internal privacy and data protection controls. Their service providers and technology vendors must be equally robust in their data protection approaches. Many organisations use vendor risk assessment processes (or third-party risk management approaches) to verify that vendors appropriately protect the security and privacy of personal data.
Expectations for cyber security vendors who collect, process and store customers’ personal and other sensitive data are very high. However, no matter how rigorous third-party data privacy assessments are, it remains risky for any organisation to allow several different vendors access to their sensitive customer data.
Maintaining your Privacy Footprint
Both profit-making and non-profit organisations now have to keep a tight grip on their Privacy Footprint: the extent to which their sensitive data is held or shared with different products and vendors. The larger the Privacy Footprint an organisation has, the bigger the risk.
When an organisation adopts and implements a new technology product, the product either increases the organisation’s Privacy Footprint, or maintains it. If the new product requires access to the organisation’s sensitive customer data, it increases the organisation’s Privacy Footprint. If the new product does not interact in any way with the host organisation’s sensitive customer data, then the product maintains the Privacy Footprint.
The problem of data privacy will only get bigger because most online services, apps or subscriptions require a user’s personal and financial data. Ultimately, many of us have to give away this data to hundreds of online service providers, trusting that it will be kept secure.
For the service provider, it’s a great challenge to keep the data secure and ensure that only authorized parties can access it for the right reasons. To complicate things, many organisations have to share this data with their own various technology vendors. Ultimately, a piece of data that a user gave to one service provider often ends up being shared with several others. This increases the number of places where the data can be compromised, and puts immense pressure on organisations that ask for this data from their customers.
With all these privacy complications, and the associated carnage if anything goes wrong, it’s time new products paid attention to how they affect their host organizations’ Privacy Footprints.
Privacy by design
At Aiculus, we believe that organisations will soon prioritise products that were designed to be privacy conscious, particularly cyber security products. This is also why the Aiculus API security product uses a privacy-compliant architecture and deployment model.
The objective of these two product parameters is purely to ensure that Aiculus does not increase our customers’ Privacy Footprint. We are currently conducting multiple trials in this area and look forward to sharing further insights as these are discovered.