Some large platforms have pushed this confidence to the brink by breaking our trust in them. Platforms like Google and Facebook are being hauled over the coals for their lack of respect for our privacy. After a series of privacy violations, including the Cambridge Analytica scandal, Facebook has promised to take note and be more cognizant of our privacy, with Zuckerberg stating in a recent address that “I believe the future is private”.

The problem is that once trust is lost, confidence is hard to build back up. This article looks at some practical ways to make sure trust is baked into your solution by using a Privacy by Design approach.

Does Privacy Really Matter?

A recent Frost & Sullivan report for CA Technologies looked at consumers’ attitudes towards privacy. The report found that 48 percent of consumers would walk away from a service that allowed their personal data to be breached.

The report also found a worrying statistic: fewer than half of consumers would provide their personal data in exchange for digital services. And over half of those polled have a serious distrust of organizations in general, assuming they would sell personal data to third parties without consent.

Views and attitudes such as these result in the wheels of commerce slowing down. And few want that to happen.

The saying “the customer is always right” holds as much weight in the world of digital data as it does in the physical world.

Privacy = Trust = Loyalty

So how do we build user-centric systems that are respectful to the user’s data, but which allow the relationship between consumer and service to blossom?

We have to begin with the understanding that privacy, trust, and loyalty are intrinsically linked. This is not some new and revolutionary way of thinking. It is part of our humanity. In terms of digital acceptance of this, research from 2007, “Customer Loyalty Programs and Privacy Concerns”, shows the importance of upholding customer privacy. The very phrase ‘loyalty program’ sums up the point of the exercise: building a loyal and trusting relationship with your customer. The 2007 research concluded that customers were choosing not to take part in online loyalty programs if they had privacy concerns.

In 2012, the level of privacy violation of loyalty services was brought into sharp relief. In a case involving a Target loyalty scheme, a teenage girl’s pregnancy was revealed to her father when coupons for “baby clothes and cribs” appeared in the mail.

There are many myths around privacy. People often say that privacy isn’t important in the online world. The statistics, and the public outcry when violations occur, beg to differ. The UK’s industry body, the CBI, found that 90 percent of customers will actively choose a company that demonstrates it respects their data and takes privacy seriously.

And what if a company does not respect data privacy? Privitar found that 78 percent of customers feel “violated” if a company does not protect their privacy.

This tripartite union of privacy, trust, and loyalty is a strong one and it works for all stakeholders: if you respect my data, I will feel confident in you, and loyalty follows. The icing on the cake is that the security measures you have to put in place to build that trusted service also create a more secure environment, cutting the risk of a data breach and helping with compliance. What’s not to like?

5 Ways to Design in Privacy

Now to the nitty-gritty of how to create trusted solutions with Privacy by Design (PbD) baked in. Below, I have identified some areas you can look at. They may or may not be pertinent to your environment, but if you process any personal data at all, the likelihood is that you can apply them at various junctures in the design of your service.

Data minimization

Start at the very beginning. Do you actually need to capture a particular piece of data?

“Data relevancy” is a much-underused design remit. Make sure that the data you collect is relevant to the service you offer. It is tempting to just use a pre-built form offered in a template. Think of it like this: the more data you collect, the greater the burden of protection that falls on your organization, and the more there is to lose when a breach happens. Do you really want that overhead? Use a policy of data minimization as your default position, and include the following in that policy:

  1. Only collect personal data you absolutely need to perform the service;
  2. Do not continue to collect data once you have what you need; and,
  3. Regularly carry out data risk assessments on the data you hold; if you no longer need some of it, securely delete it, and give every class of record a declared retention period so that “keep forever” is never the default.
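The three policy points above, as an added example in code (not the article’s own code): an allowlist applied at the point of capture, and a retention sweep that refuses to store any class of record without a declared retention period. The field names, retention periods and sample records are constructed for the illustration.

```python
"""Data minimization at the point of capture and over the data's lifetime.

Added illustration, not the article's code. The field allowlist, retention
periods and sample records below are constructed for the example.
"""
from datetime import datetime, timedelta
from typing import Dict, List, Tuple

# Fields the signup service genuinely needs. Anything else a template form
# might send (date of birth, phone number, gender...) is discarded on arrival.
SIGNUP_FIELDS = frozenset({"email", "display_name"})

# How long each class of record is kept after it was last needed.
# A record class with no entry here cannot be stored at all (see purge_expired).
RETENTION: Dict[str, timedelta] = {
    "signup": timedelta(days=365 * 2),
    "support_ticket": timedelta(days=180),
    "analytics_event": timedelta(days=30),
}


def minimize(submission: Dict[str, str],
             allowed=SIGNUP_FIELDS) -> Tuple[Dict[str, str], List[str]]:
    """Keep only the allowed fields; report what was dropped so the form
    (not the back end) can be fixed to stop asking for it."""
    kept = {k: v for k, v in submission.items() if k in allowed}
    dropped = sorted(k for k in submission if k not in allowed)
    return kept, dropped


def purge_expired(records: List[dict], now_iso: str) -> Tuple[List[dict], int]:
    """Delete records older than their class's retention period.

    Each record has a "kind" and an ISO-8601 "last_needed" timestamp.
    An unknown kind raises rather than being kept silently: no retention
    period declared means no storage allowed.
    """
    now = datetime.fromisoformat(now_iso)
    remaining, removed = [], 0
    for rec in records:
        ttl = RETENTION.get(rec["kind"])
        if ttl is None:
            raise ValueError(f"no retention period declared for {rec['kind']!r}")
        if datetime.fromisoformat(rec["last_needed"]) + ttl > now:
            remaining.append(rec)
        else:
            removed += 1
    return remaining, removed


def sample_records() -> List[dict]:
    """Constructed sample data store, relative to 2024-06-01."""
    return [
        {"id": 1, "kind": "signup", "last_needed": "2024-02-22T00:00:00+00:00"},
        {"id": 2, "kind": "analytics_event", "last_needed": "2024-04-17T00:00:00+00:00"},
        {"id": 3, "kind": "analytics_event", "last_needed": "2024-05-27T00:00:00+00:00"},
    ]
```

Run `purge_expired(sample_records(), "2024-06-01T00:00:00+00:00")` from a scheduled job; the 45-day-old analytics event goes, the two-year signup record and the five-day-old event stay.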

User-centric design and consent

User-centric design is about giving the user choice in how their data is used. It starts at the point of data capture and continues for as long as the data remain in your system and in any third-party systems. Looking at consent first, it can be a complicated and nuanced area.

When taking consent, be as granular as possible in both its capture and its enforcement. For example, if you capture multiple items of personal data and process them across multiple service options, show this in clear text and take consent per purpose. Record what was consented to, when, and under which version of your privacy notice, so that you can demonstrate the consent later and honor a withdrawal as easily as the original grant.

Do not do what Facebook and Google did, which landed them in front of the regulators: “forced consent”. The privacy campaign group noyb filed complaints against both companies as soon as the GDPR came into force, over their use of ‘forced consent’. noyb argued they were out of compliance, as both withdrew access to the service if the user chose not to give blanket consent to data use across the board.

User-centric data management continues after you have collected consent to share data. Consent management platforms, usually in the guise of mobile apps, are beginning to appear that are under the user’s control. These apps let users switch data-sharing rights off and on for any given connected platform. But you can take that control back in-house by providing consent controls in your own account management component.

A simple feature is to give users the option to correct their data and to delete their account; both help you meet GDPR obligations too (the rights to rectification and erasure in Articles 16 and 17). If you are worried about users changing their data, set up verification rules to manage this as well. The technology exists to help achieve this.
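Per-purpose consent, withdrawal and account erasure from the three paragraphs above, as an added example (not the article’s or any vendor’s code). The purposes, user identifiers and the in-memory dictionary standing in for a persisted ledger are all assumptions made for the illustration.

```python
"""Per-purpose consent ledger with withdrawal and erasure.

Added illustration, not the article's code. The purposes, user IDs and the
in-memory dict store are hypothetical stand-ins for a real persisted ledger.
"""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, List, Optional

# Each purpose is consented to on its own. Declining marketing must never
# switch off the core service; tying them together is "forced consent".
PURPOSES = frozenset({"service_delivery", "marketing_email",
                      "analytics", "third_party_sharing"})


@dataclass(frozen=True)
class ConsentEvent:
    purpose: str
    granted: bool
    at: datetime
    notice_version: str      # which privacy notice the user actually saw


@dataclass
class ConsentLedger:
    # Append-only history per user; the newest event for a purpose wins.
    # Keeping the history is what lets you demonstrate what was agreed, and when.
    events: Dict[str, List[ConsentEvent]] = field(default_factory=dict)

    def record(self, user_id: str, purpose: str, granted: bool,
               notice_version: str, at: Optional[datetime] = None) -> ConsentEvent:
        if purpose not in PURPOSES:
            raise ValueError(f"unknown purpose: {purpose}")
        ev = ConsentEvent(purpose, granted, at or datetime.now(timezone.utc),
                          notice_version)
        self.events.setdefault(user_id, []).append(ev)
        return ev

    def current(self, user_id: str, purpose: str) -> Optional[ConsentEvent]:
        for ev in reversed(self.events.get(user_id, [])):
            if ev.purpose == purpose:
                return ev
        return None           # never asked counts as not granted

    def allowed(self, user_id: str, purpose: str) -> bool:
        ev = self.current(user_id, purpose)
        return ev is not None and ev.granted

    def withdraw(self, user_id: str, purpose: str, notice_version: str) -> None:
        # Withdrawal is just another event, so the audit trail stays intact.
        self.record(user_id, purpose, False, notice_version)

    def erase(self, user_id: str) -> bool:
        # Account deletion: drop everything held about the user.
        return self.events.pop(user_id, None) is not None


def send_marketing_email(ledger: ConsentLedger, user_id: str) -> str:
    """Gate a non-essential use of data on the matching consent only."""
    if not ledger.allowed(user_id, "marketing_email"):
        return "skipped: no marketing consent"
    return "sent"             # a real implementation would hand off to the mailer here


def demo() -> ConsentLedger:
    ledger = ConsentLedger()
    # Constructed sample: the user accepts the service but declines marketing.
    ledger.record("u1", "service_delivery", True, "v3")
    ledger.record("u1", "marketing_email", False, "v3")
    return ledger
```

The point of the design is that every processing path calls `allowed()` for its own purpose; a user who said no to marketing still gets the service they signed up for, and `erase()` is the back end of the “delete my account” button.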


Secure account recovery

Account recovery is a target area for cybercriminals after personal data. This was exemplified when Twitter exposed the personal data of over 10,000 users through an insecure password recovery mechanism. This is not an unusual situation by any means. Crypto-platform Coinbase recently had an issue with an attempt to circumvent its recovery system. Make sure that the design of your account recovery reflects the importance you place on your customers’ data: reset tokens should be random, short-lived and single-use, the response to a reset request should not reveal whether an account exists, and the flow should be rate-limited. A recovery path that is weaker than the login it bypasses undermines everything else you have built.
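The recovery properties just listed, as an added example (not the article’s code, and not modelled on Twitter’s or Coinbase’s implementations): random single-use tokens stored only as hashes, a short expiry, a reply that is identical whether or not the address is known, and a per-address rate limit. The account table, outbox and password store are in-memory stand-ins assumed for the illustration.

```python
"""Password-recovery flow hardened against the usual failure modes.

Added illustration, not the article's code. Account table, outbox and
password store are in-memory stand-ins; a real service would persist them
and actually send the email.
"""
import hashlib
import secrets
import time
from typing import Dict, List, Optional, Tuple

TOKEN_TTL_SECONDS = 15 * 60          # short-lived
MAX_REQUESTS_PER_HOUR = 3            # per address, to blunt abuse
GENERIC_REPLY = "If an account exists for that address, a reset link has been sent."


class RecoveryService:
    def __init__(self, accounts: Dict[str, str]):
        self.accounts = {e.lower(): uid for e, uid in accounts.items()}   # email -> user id
        # Only a hash of each token is stored, so a leaked table cannot be
        # replayed; maps token digest -> (user id, expiry timestamp).
        self.tokens: Dict[str, Tuple[str, float]] = {}
        self.passwords: Dict[str, str] = {}
        self.outbox: List[Tuple[str, str]] = []        # (email, token) stand-in for mail
        self.requests: Dict[str, List[float]] = {}     # email -> request timestamps

    @staticmethod
    def _digest(token: str) -> str:
        return hashlib.sha256(token.encode()).hexdigest()

    def _rate_limited(self, email: str, now: float) -> bool:
        window = [t for t in self.requests.get(email, []) if now - t < 3600]
        window.append(now)
        self.requests[email] = window
        return len(window) > MAX_REQUESTS_PER_HOUR

    def request_reset(self, email: str, now: Optional[float] = None) -> str:
        now = time.time() if now is None else now
        email = email.lower()
        throttled = self._rate_limited(email, now)     # counted for every address
        user_id = self.accounts.get(email)
        if user_id is not None and not throttled:
            token = secrets.token_urlsafe(32)          # 256 bits of randomness
            self.tokens[self._digest(token)] = (user_id, now + TOKEN_TTL_SECONDS)
            self.outbox.append((email, token))
        # The reply is identical for known, unknown and throttled addresses,
        # so the form cannot be used to enumerate accounts.
        return GENERIC_REPLY

    def redeem(self, token: str, new_password_hash: str,
               now: Optional[float] = None) -> bool:
        now = time.time() if now is None else now
        entry = self.tokens.pop(self._digest(token), None)   # single use
        if entry is None:
            return False
        user_id, expiry = entry
        if now > expiry:
            return False
        self.passwords[user_id] = new_password_hash
        # A successful reset invalidates every other outstanding token for
        # the same user, so an older emailed link cannot be used afterwards.
        self.tokens = {d: v for d, v in self.tokens.items() if v[0] != user_id}
        return True


def demo() -> RecoveryService:
    # Constructed sample account table.
    return RecoveryService({"alice@example.com": "u-alice"})
```

In a real deployment the `outbox` becomes the mail sender, the `now` parameters disappear (they exist so the expiry and rate-limit behaviour can be exercised deterministically), and the password hash passed to `redeem` comes from a proper password hashing function.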

UI/UX aspects of good privacy

Having a user experience and a corresponding interface that is easy to use is essential.

There is little point in having a back-end that ticks the boxes for data consent and security if the front end is so complicated the user can’t understand what to do. Good privacy is a right for all. When you design your user experience (UX) and the corresponding interface (UI) make sure it is built for your expected demographic.

De-identification techniques

The strongest way of managing data privacy is to use de-identification. This is not always possible, of course, but where it is, the mechanism should be considered. De-identification techniques cover a range of options. A simple option is to obfuscate data when it is displayed or shared.

You may have seen this when credit card numbers show only the last four digits on a screen. Another example is, when you need someone’s age, to ask whether they are over or under a threshold rather than for their actual date of birth.

De-identification also includes techniques that may be more difficult to implement:

  • Anonymization: This is the highest level of de-identification and therefore the hardest to achieve, and it requires specialist technologies or techniques. Anonymization is most often applied to health data, as this is highly sensitive information. Health data stored in Cloud repositories usually needs to be accessible to multiple teams as part of medical research. Anonymization of health data is becoming increasingly expected. It allows privacy to be maintained whilst allowing access to essential information for medical research. Note that simply removing names is not anonymization: quasi-identifiers such as postcode, date of birth and sex can often single out an individual when combined, so the residual re-identification risk has to be assessed, not assumed away.
  • Pseudonymization: This is defined in GDPR Article 4(5) as the “processing of personal data in such a manner that the personal data can no longer be attributed to a specific data subject without the use of additional information, provided that such additional information is kept separately”. Pseudonymization removes the direct links between the data and the individual. Pseudonymized data is still personal data under the GDPR, because the link can be restored with the separately held information; it lowers risk and eases compliance but does not take the data out of scope.
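The masking, age-bracket and pseudonymization techniques above, as an added example (not the article’s code). It goes one step beyond the text by showing why the “additional information kept separately” matters: an unkeyed hash of a low-entropy value such as a date of birth is reversible by plain enumeration, while a keyed HMAC is not without the key. The card number, dates and keys are constructed for the illustration; in production the key would live in a secrets store, apart from the pseudonymized records.

```python
"""Masking, bucketing and keyed pseudonymization, plus a check on why the key matters.

Added illustration, not the article's code. The sample card number, dates
and secret keys are constructed; in production the key lives in a secrets
store, separate from the pseudonymized records.
"""
import hashlib
import hmac
from datetime import date, timedelta
from typing import Optional


def mask_pan(pan: str) -> str:
    """Show only the last four digits of a card number, as on a receipt."""
    digits = "".join(ch for ch in pan if ch.isdigit())
    if len(digits) < 4:
        raise ValueError("not a card number")
    return "*" * (len(digits) - 4) + digits[-4:]


def age_bracket(dob_iso: str, on_iso: str, threshold: int = 18) -> str:
    """Answer 'over' or 'under' a threshold instead of storing the birth date.
    'over' here means the threshold age has been reached (inclusive)."""
    dob, on = date.fromisoformat(dob_iso), date.fromisoformat(on_iso)
    years = on.year - dob.year - ((on.month, on.day) < (dob.month, dob.day))
    return "over" if years >= threshold else "under"


def pseudonymize(identifier: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). The key is the 'additional information'
    the GDPR requires to be held separately; without it the value cannot be
    linked back to the person. Normalizing the input keeps the pseudonym
    stable across records so it still works as a join key."""
    return hmac.new(key, identifier.strip().lower().encode(),
                    hashlib.sha256).hexdigest()


def unkeyed_pseudonym(identifier: str) -> str:
    """The common mistake: a plain hash. It looks opaque but is reversible
    whenever the input space is small enough to enumerate."""
    return hashlib.sha256(identifier.encode()).hexdigest()


def reverse_unkeyed_dob(digest: str, start: str = "1920-01-01",
                        end: str = "2010-12-31") -> Optional[str]:
    """Recover a birth date from its unkeyed SHA-256 by trying every date in
    the range: roughly 33,000 hashes, well under a second."""
    d, last = date.fromisoformat(start), date.fromisoformat(end)
    while d <= last:
        if hashlib.sha256(d.isoformat().encode()).hexdigest() == digest:
            return d.isoformat()
        d += timedelta(days=1)
    return None
```

Two practical consequences follow from the last two functions: a hashed column of dates, phone numbers or national ID numbers is not pseudonymized in any meaningful sense, and rotating or destroying the HMAC key is what turns a pseudonymized dataset into one that can no longer be linked back.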

Augmenting Privacy with Technology

Privacy is augmented through technology solutions. You may not be able to easily de-identify a user’s data, but you can protect it.

Encryption: The use of encryption should be considered mandatory in any system that processes personal data, both while that data is at rest (e.g. in a database or backup) and while it is in transit (e.g. using TLS across internet connections). Keep the keys separate from the data they protect, ideally in a key management service or HSM; a key stored alongside the ciphertext offers little protection once the database is breached.


VPN technology. A VPN encrypts traffic between a device and the VPN endpoint, so data sent to a site that does not use HTTPS is still protected from anyone on the local network or on the path to the VPN provider. It does not stop a website from tracking you, and the VPN provider itself can see the traffic, so it complements TLS and sound application design rather than replacing them. Communication such as email benefits in the same way if it is transmitted over the VPN connection.

The poet Robert Frost once said that “Good fences make good neighbors”. I’d like to piggy-back off the great poet and say that “Good Privacy by Design makes good relationships”. If you make the effort to design your services using a PbD approach you will reap rewards across the spectrum.

Not only will customers appreciate your efforts to respect their personal data, but you will, as part of the exercise, secure it too. This leads to a decreased risk of data breaches and improved compliance. Adding in design fundamentals as explored above creates a best of breed service that puts privacy and thus trust center stage.
