
Privacy by design is at the heart of the European Union’s forthcoming General Data Protection Regulation (GDPR), and for good reason. When the GDPR goes into effect in May, it will provide a set of standardized data protection laws across all EU member countries and give EU citizens and residents control over their personal data.

Likewise, privacy by design (PbD) aims to protect people’s data and give customers control over their data by encouraging businesses to embrace a set of principles that guide them to take data privacy into account when designing all of their digital offerings. But while the GDPR will no doubt shake up how brands interact with customers, embracing the principles of privacy by design can give businesses a competitive advantage. 

Early PbD evangelist Ann Cavoukian was prescient in recognizing the competitive advantage PbD would offer in the digital age when she published her white paper, “Privacy by Design: The Seven Foundational Principles,” while serving as the information and privacy commissioner of Ontario in 2009.

Although the main thrust for the increased prioritization of PbD will likely be GDPR compliance — possible fines of 4 percent of annual global revenue or €20 million will have a galvanizing effect, after all — it shouldn’t take regulatory threats to convince companies to bake PbD into their digital offerings.

Here are a few reasons why.


Customers Are Always Right — Especially About Their Data

Customers are growing more aware of how their personal data is being used, and they’re demanding more control of it as a result.

They are increasingly wary of intrusions by brands and are taking steps to counter those intrusions. Ad blocking is at an all-time high, and creepy marketing messages continue to set off waves of disgust on social media. Even Facebook can’t avoid a hit to its brand value when it is perceived to be spying on its account holders.

Companies that cross the fine line that separates customization from creepiness risk losing business, so it pays to come to an agreement with your customers about how you will communicate with them. If you don’t realize now what Cavoukian asserted in 2009 — that individual users “have the greatest vested interest in the management of their own personal data” — then your business will soon find itself in peril, regardless of whether you cater to EU residents or not.


Take Only What You Need

Cavoukian put forth the concept of “data minimization” — the practice of collecting personally identifiable information (PII) for purposes that are “clear, limited and relevant to the circumstances” — and data minimization is now a core tenet of GDPR. But it shouldn’t take a landmark law to get businesses to embrace that idea. It’s just common sense. Between the continued use of weak passwords by end users and the increasing cunning of hackers, not even the most diligent companies can guarantee 100 percent protection from breaches. Should any consumer data fall into the wrong hands, the damage could be contained a bit if only parts of customer profiles are surrendered, rather than entire digital identities.


PbD Also Means Security by Design

The earliest iterations of PbD required the incorporation of end-to-end security throughout the entire life cycle of data. Or as Cavoukian wrote, “Without strong security, there can be no privacy.” That means PII must be secure at every step. Does data travel securely through your network? Is data encrypted at all times? If EU customers do exercise their right to be forgotten under the GDPR, will you be able to dispose of their data completely and securely?

Interestingly enough, years ago Cavoukian also formally challenged brands to keep up with industry best practices. Do you talk to your peers? Are you a member of recognized information security bodies, or do you at least attend their events? Have you achieved the highest levels of certification put forth by trusted independent organizations, such as the Cloud Security Alliance (CSA) and the International Organization for Standardization (ISO)? These measures should be routine for companies, but they clearly haven’t been — they certainly weren’t a decade ago, when PbD was a dream of techies and a small group of policymakers, and they aren’t today, when legislation is required to force organizations to meet security standards.

The Long-Term Costs of Bolting on Privacy

So why hasn’t PbD been treated as a common-sense approach to data management, given its important role in providing better customer service and stronger security? It could be that brands and marketing technology vendors saw PbD’s privacy and security measures as a luxury, at best. More likely, companies generally felt that it was hard to justify the additional money and time-to-market they would have incurred if they incorporated PbD principles into the design of products and services from the start. In hindsight, this decision could prove costlier in the long run.

Like almost everything else in tech, “bolting” PbD on as opposed to “baking it in” is generally penny wise and pound foolish. Security, privacy, customer service and profitability should never have been seen as trade-offs vis-à-vis one another. Years ago, Cavoukian espoused a “positive-sum” outlook that treated each of those elements as equally important. She railed against “false dichotomies” that pitted privacy against security, or security against a friction-free experience.

As she stated, “It is possible, and far more desirable, to have both.”