There is a belief that treats privacy simply as a legal requirement, under which an organization may mistakenly limit its respect for privacy to what the law strictly requires. However, privacy covers far more than that.
Privacy arises as an essential and fundamental right of all individuals, which was reflected in the early international treaties on human rights. Viewed in this way, there is no doubt that privacy is a human and fundamental right for all individuals, representing something inherent that cannot be taken away in any way.
Even when a person accepts the terms and conditions, or the “Privacy Notice” of an organization, agreeing to have their data processed by a third party, their privacy remains intact; this fundamental right cannot be understood as limited or restricted to any degree merely by consent.
In the digital world, where every human action leaves a trace and consequently always generates personal data and metadata, maintaining this right to privacy intact can be a challenge for organizations. However, any organization committed to protecting this information can overcome it.
Over time, a solid number of privacy principles have emerged, subsequently reflected in the main international regulations today, aiming to protect this right in the digital world while avoiding limiting the development of new ventures and digital businesses. The objective has always been and continues to be maintaining a balance between commercial relationships and privacy, seeking to establish a habit enshrined in society: the organization can operate but must respect the privacy of its users.
Among these principles is Privacy by Design (PbD), which is reflected, for example, in Article 25 of the General Data Protection Regulation (GDPR) of the European Union. This principle has now become an international standard in the field, and many organizations commit to structuring their policies and internal procedures based on it, even if they are not directly subject to it.
The Privacy by Design (PbD) principle states that organizations should consider privacy from the earliest stages of designing a product or service. It emphasizes continually limiting the data collected, ensuring that every data element is strictly necessary and aligned with the purpose to which the Data Subject has given consent.
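The principle above has two engineering consequences: at design time, the intake schema should contain no field that no declared purpose needs, and at processing time, data should only be released for a purpose the subject actually consented to, stripped down to the fields that purpose requires. The following is an added example that is not part of the original post; the purposes, field names and consent structure are hypothetical and constructed for illustration.

```python
"""Purpose-bound data minimization: a design-time schema check and a
runtime filter. Added example; the purposes and fields are hypothetical."""
from dataclasses import dataclass, field
from typing import Dict, FrozenSet, Iterable, Set


# Constructed: each processing purpose declares the minimum set of
# personal-data fields it genuinely needs. Anything else is excess.
PURPOSE_FIELDS: Dict[str, FrozenSet[str]] = {
    "login": frozenset({"email", "password_hash"}),
    "shipping": frozenset({"name", "postal_address"}),
    "marketing": frozenset({"email", "name"}),
}


@dataclass
class ConsentRecord:
    """Which purposes a given Data Subject has consented to (hypothetical)."""
    subject_id: str
    purposes: Set[str] = field(default_factory=set)


class PurposeError(Exception):
    """Raised when processing is requested for an unknown or unconsented purpose."""


def excess_fields(schema_fields: Iterable[str], declared_purposes: Iterable[str]) -> Set[str]:
    """Design-time check: return schema fields that no declared purpose needs.

    Run this when the product is still on the drawing board; a non-empty
    result means the intake form collects more than it can justify.
    """
    needed: Set[str] = set()
    for purpose in declared_purposes:
        if purpose not in PURPOSE_FIELDS:
            raise PurposeError(f"unknown purpose {purpose!r}")
        needed |= PURPOSE_FIELDS[purpose]
    return set(schema_fields) - needed


def minimize(record: Dict[str, str], purpose: str, consent: ConsentRecord) -> Dict[str, str]:
    """Runtime filter: release only the fields the consented purpose requires.

    Refuses outright if the purpose is unknown or the subject never consented
    to it, so a downstream component cannot quietly widen its own scope.
    """
    if purpose not in PURPOSE_FIELDS:
        raise PurposeError(f"unknown purpose {purpose!r}")
    if purpose not in consent.purposes:
        raise PurposeError(
            f"subject {consent.subject_id} has not consented to {purpose!r}"
        )
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    # Constructed sample: the intake form collects a birthdate that no
    # declared purpose uses, and the subject consented to login and shipping only.
    schema = ["email", "password_hash", "name", "postal_address", "birthdate"]
    print("excess at design time:", excess_fields(schema, ["login", "shipping"]))

    stored = {
        "email": "ada@example.com",
        "password_hash": "$argon2id$constructed",
        "name": "Ada Example",
        "postal_address": "1 Example Road",
        "birthdate": "1990-01-01",
    }
    consent = ConsentRecord("subject-001", {"login", "shipping"})
    print("login view:", minimize(stored, "login", consent))
    try:
        minimize(stored, "marketing", consent)
    except PurposeError as exc:
        print("refused:", exc)
```

The design-time check is the part that makes this Privacy by Design rather than privacy by retrofit: it fails before a field is ever persisted, whereas the runtime filter only limits what an already-collected field can be used for.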
It is crucial for this principle to be respected from the outset. Once an authentication product or service is already implemented and, in some cases, widely circulated throughout society, adapting the entire system to truly align with its intended purpose becomes far more complex. Such adaptation also requires time, resources, and money from the organization, since it must modify something that is already in production and constantly in motion.
The Privacy by Design (PbD) principle is not the only one organizations must consider. Hundreds of controls and requirements apply differently to each organization depending on the nature of the entity, the industry in which it operates, its customers, vendors and business partners, the country where it is located and the countries in which it operates, the types of personal data it processes, and many other circumstances that change the requirements it needs to meet.
Based on all these characteristics, a specific regulation may be applicable to an organization, which, in some cases, can also be partially met by adhering to or complying with an international standard for personal data protection. Just as the European GDPR regulation, mentioned earlier, serves as an international guide, there are also well-known regulations such as California’s (CCPA), the United Kingdom’s (UK GDPR), Brazil’s (LGPD), and Canada’s (PIPEDA), among others, which organizations may consider even if they are not directly subject to them. These regulations contribute to a set of practices that reinforce organizations’ commitment to the privacy of their users’ information.
International standards and frameworks that are not themselves regulations, such as those issued by the National Institute of Standards and Technology (NIST) and the International Organization for Standardization (ISO), illustrate how organizations can align with compliance obligations. These frameworks serve as a primary guide for fulfilling specific articles or chapters of regulations and demonstrate the organization’s overarching commitment to safeguarding specific information. For example, adherence to the CIS Critical Security Controls can help an organization demonstrate its security measures and its protection of personal data, and thereby meet the regulatory articles related to security.
Organizations face the ongoing challenge of reinventing their personal data protection techniques at the same speed as they adapt their technologies based on market requirements. Those organizations that understand and respect the importance of privacy have trained personnel to help them meet all requirements while simultaneously building a culture with greater responsibility for individuals’ personal data.
A society that understands the importance of personal data is the first and fundamental step toward ensuring that all organizations fulfill their obligations. As the public becomes more involved in this area, governments are pressed to develop and reinforce regulatory bodies dedicated to the issue, which further strengthens the privacy culture.
Blog Author: Uriel Bekerman
Uriel Bekerman, a Sr. Security GRC Analyst at SecureAuth, holds international credentials as a Certified Information Privacy Professional and Manager (CIPP/E & CIPM) and is recognized as a Fellow of Information Privacy (FIP) by the International Association of Privacy Professionals (IAPP). He specializes in formulating Information Security Policies, developing comprehensive Risk and Vulnerability Management Programs, and ensuring compliance with frameworks such as GDPR, EU-US DPF, and SOC.