Overview
Protecting private information has vital and obvious implications for everyday life, and the only way companies can successfully do this is to create a culture of privacy. The only solution—the only way to change people’s behavior—is to embed privacy in the very fabric of the organization. That is why Privacy by Design, a decades-old application design and development strategy, is now being discussed as a foundational strategy for entire organizations. The original goal of Privacy by Design was to develop best practices that ensured application developers were building privacy into their products from the ground up. Even if concern for customer or employee privacy was not the highest priority, there was always profit—it is very expensive to re-engineer privacy into a product following a failure. Today, these best practices are more important than ever. Increasing amounts of data have created an ever-expanding attack surface, and complex new regulations demand a foundational approach to privacy. In fact, Article 25 of the GDPR is titled “Data Protection & Privacy by Design and by Default.” Organizations face an ever-growing number of attack vectors related to privacy, including the internet of things (IoT), government and business data over-collection, and unread mobile app permissions such as allowing scanner apps to keep and sell the data they scan.
This course is not about the GDPR, though it can certainly be used as a process for data protection & privacy by design and default (Article 25 of the regulation). Most probably, you are already enrolled in my bestseller “Build EU GDPR from the scratch course”, which covers the GDPR from all perspectives. This course is not meant to comply with any specific regulation, though the use of the correct privacy-by-design process herein will help organizations comply with many regulations. This course is about how to build better processes, products, and services that consider individuals’ privacy interests as a design requirement. It is about how to build things that people can trust.
There are four sections I have created. Section 2 provides introductory remarks, including an introduction to Ann Cavoukian’s 7 Foundational Principles of Privacy by Design, a short history of regulatory adoption, and past challenges that privacy-by-design practitioners have faced. Given its 10-year history in the privacy professionals’ community, many readers may already be familiar with Cavoukian’s principles. This section also contains something most privacy professionals, outside academia, may not be aware of. Here I discuss what I feel is the impetus for why companies must build privacy into their processes, products, and services and not rely on individuals’ self-help to protect their own privacy.
For those not familiar with the Solove Taxonomy of Privacy or the Hoepman Strategies, which is most probably most of you, Section 3 is a must. The two frameworks form the basis for identifying and mitigating privacy risks in the privacy model developed in that section. Section 4 describes how to analyze the privacy model built in Section 3.
In the analysis section, a risk model is built using the Factor Analysis of Information Risk, with a focus on individual risks over organizational risks and tweaks in the terms and definitions for privacy beyond information security. Designers may never need to determine privacy risk explicitly, but understanding the factors that influence privacy risk provides a deeper understanding of why the process is built the way it is. The last section, Section 5, details the design procedure while using the other sections as reference.
Instructor
Roland is a cybersecurity, privacy, and cloud leader and strategist with demonstrated experience in running cybersecurity and cloud business units, practices, and divisions from zero to maturity, with year-over-year quality growth and quota over-achievement (projects of more than 50 million euro/year).
Roland has the following certifications: CISSP, CIPM, CIPT, CIPP/E, CRISC, CISM, CCSK v4, CCSP, LPT, CEH, ISO 27001LA, TOGAF.