Dr. Ann Cavoukian, former Privacy Commissioner of Ontario, lays out how businesses can win big with consumer privacy.
This is the first part of a two part series exploring the importance of consumer privacy with Dr. Ann Cavoukian, former Privacy Commissioner of Ontario.
The thing about data privacy for businesses these days is it isn’t private. The consequences of privacy breaches are public and profound.
Take the famous Target data breach of late 2013, when hackers made off with the personal information of 110 million customers. As global privacy expert and former Privacy Commissioner of Ontario, Dr. Ann Cavoukian points out, the consequences were severe. In the wake of the breach, the American CEO resigned, the Canadian president was fired, and Target ultimately left Canada.
Cavoukian, who created the concept of “Privacy by Design” and is one of the world’s leading experts on data privacy, sees strong privacy protection as a source of competitive advantage for businesses—and more.
“Privacy forms the foundation of our freedom,” she says. “You cannot have free and open societies without a solid foundation of privacy, both in terms of business and your personal lives.”
Cavoukian recently sat down with Vertical City to discuss the intersection between data privacy and competitive advantage for businesses today. We’ve adapted her remarks into Ten Commandments for Privacy in Business.
“There is such a trust deficit right now, and it’s growing,” Cavoukian says. “Concerns for privacy in the last two years have just skyrocketed. In all of the public opinion polls, it’s at an all-time high.”
As living in a digital world becomes routine, and as data privacy breaches like Target’s continue to grab headlines, consumers are more concerned than ever about what the businesses they support are doing to protect their data.
“Businesses are coming to understand that they have to offer better privacy to their customers,” says Cavoukian.
But most businesses have a long way to go here—which creates an opportunity for first movers and early adopters.
“Tell your customers the lengths you’re going to to protect their privacy,” says Cavoukian. “Shout it from the rooftops. Don’t keep it to yourself.”
Cavoukian sees many businesses make lofty public commitments to privacy that they don’t back up in their operations.
“There is so much talk out there,” she says. “People are distrustful, for very good reason.”
Another reason for this distrust, she says, is a regulatory landscape that is mostly outdated.
“Most of the privacy laws that are in place were enacted in the early 2000s,” Cavoukian says. “The world has changed. Technology advances at breakneck speed.
“In Canada, we have PEPIDA, which was enacted in 2004. It’s so dated and it has no teeth.
“Unfortunately we don’t have the strength in privacy laws we need.
For businesses, this means that simply following regulations can be a formula for disaster. Your privacy protection measures need to exceed regulatory requirements to manage risk and seize opportunity.
But that’s just half the battle. Top-notch privacy protection only becomes a business advantage with market awareness and trust.
Independent certification from trusted third parties is indispensable for this since it means the market doesn’t need to take a business’ word about the quality of its own practices. The gold standard certification here is “Privacy By Design,” a globally-recognized ISO designation that Cavoukian helped develop. PBD, as it’s sometimes called, has also been enshrined in the European Union’s General Data Protection Regulation.
Vertical City recently became the first digital signage business in Canada to obtain a PBD certification.
The stakes are high for every bit of data a customer gives a business. But not every kind of data is treated with the care it deserves.
“Geolocation data is very important,” Cavoukian says. “When we talk about freedom, if everything you do is being tracked and surveilled, there’s no freedom. It’s a life I wouldn’t want to live, and I’m sure most people wouldn’t either. So we have to be very, very mindful of protecting it.”
Despite this, most geolocation data collected today is done without the consent of the user.
Cavoukian would like to see businesses acquire consent for any identifying geolocation data they collect.
Most businesses and organizations that collect personal data do have some provision in their policies for privacy. But crucially, Cavoukian says, these protections or restrictions require the user to first take action.
Most don’t.
“It’s hard to expect the average layperson to get up to speed about this,” she says. “You can’t place any obligation on individuals to know how to protect their data.”
Instead, Cavoukian would like to see privacy protections be switched to “on” by default.
“I often tell people that privacy isn’t a religion. You want to give away your data? Be my guest—as long as you make the decision,” she says. “It has to be in your hands.”
Making privacy the default setting puts that choice in the hands of each customer. It automatically gives strong protection to all customers’ data, now and in the future. A business cleaving to this principle will use the data it collects only for the primary purpose of that collection. If the business wants to use the data for another purpose, they need to go back to the user and ask for permission.
Cavoukian says this can be an opportunity.
“People love that and companies do too,” she says. “They tell me when they need to go back, they always get the consent, because they’ve built this trusted relationship with customers.”
One of the biggest risks for businesses that collect personal data is re-identification. That’s when malicious actors access data that’s been anonymized or otherwise protected and combine it with other data sources to triangulate the identity of the end user.
The reason this is such a big risk, Cavoukian says, is that most businesses don’t think enough about the implications of sharing the data they collect with third parties.
“Unless the third party has the levels of protection you’ve embedded into your data, you have no idea how the third party is going to use your information. They may expose it in an identifiable maneer, which completely wipes out your privacy claims,” she says. “You have to take strong measures to avoid that. Sharing your data with third parties, unless you’ve gone to great lengths to protect it, can be a huge mistake.”
This concludes part one of our interview with Dr. Cavoukian. Return next week for the conclusion!
To learn more about what Vertical City is doing to protect your privacy and the privacy of all our building residents, check out our brand new privacy page.