'Privacy by Design' Implementation Tips episode artwork

EPISODE · Feb 24, 2020

'Privacy by Design' Implementation Tips

from Info Risk Today Podcast · host InfoRiskToday.com

Implementing the concept of "privacy design" requires a series of critical steps, says Heikki Tolvanen, chief legal engineer at PrivacyAnt, a Finland-based privacy consulting firm, who offers insights on mistakes to avoid.

Episode metadata supplied by the publisher feed · Published Feb 24, 2020

Implementing the concept of "privacy design" requires a series of critical steps, says Heikki Tolvanen, chief legal engineer at PrivacyAnt, a Finland-based privacy consulting firm, who offers insights on mistakes to avoid.

PodParley-generated summary based on available episode metadata and transcript content.

NOW PLAYING

'Privacy by Design' Implementation Tips

0:00 0:00
of MATCHES

TRANSCRIPT · AUTO-GENERATED

Hi, this is Supernago Swami, Associate Editor with Information Security Media Group. I have the pleasure of speaking with Heikit Olgunin, Chief Legal Engineer at Privacy End. We will be speaking about privacy by design and what goes into achieving this. Welcome, Heikit Olgunin, Chief Legal Engineer at Privacy End.

So, we have been talking about privacy by design from a long time. It's not a new concept. And as mentioned by you, there is a requirement in the GDPR as well called Data Protection by Design. So, I'm not sure if people completely understand this.

When a company wants to have a privacy by design, how exactly can this be done if you could walk us through the process? It's a good question about the process, but when you are designing something new, whether it's your new IT system or a process or a product that you are designing, that involves personal data processing, you have to implement or ensure that the privacy is implemented in the design phase when you are designing such a product or service. So, you take care of the privacy requirements and one of the privacy risks that you must identify and then mitigate in the design phase. Which of course, it's easier and then a lot cheaper when you are designing something rather than afterwards fixing something.

But the process will go that usually you have some kind of project model or like you are describing whatever you are designing. You just have to keep in mind all the different privacy requirements. For example, under the GDPR, we have a lot of different requirements applying to, for example, to IT systems or processes. So, you must have a list of those and then when you are designing something, you must ensure that those, all of those are implemented in whatever you are designing.

Not just the basic principles such as transparency or data security or purpose limitation, but pretty much all the requirements. So, what all goes into that? So, I'm sure there are various aspects under privacy by design. Like, anonymization is one aspect.

That's a small part of privacy by design, as you said. There are other aspects as well. So, what are the various aspects that need to be taken into account when you want to have this concept? There are many aspects.

Like, anonymization depends on the, like when you start designing something, you must keep in mind, like, what is the purpose of processing? Like, why do you need to process personal data? And when you identify whether it's one purpose or multiple purposes, then you start designing from the purposes perspective. Some purposes you might be able to achieve with anonymized data.

And then we have this data minimization principle in the GDPR. So, if you are able to achieve something with anonymized data, you shouldn't be processing personal data at all. And then you kind of think how to anonymize the data and so forth. But then there are a lot of other things such as data subject rights.

For example, you must be able to provide a copy of someone's personal data. And so, before you are putting any personal data to a new cloud service or whatever you are designing, you must ensure that you are capable of fulfilling those data subject rights before you actually put any personal data to such system. That is, again, one example that you have to keep in mind. So, usually you have a list of requirements that you must kind of satisfy.

And then in the design phase, you just keep those in mind, similarly to any business requirements that you might have in your, or you will have when you are designing some new process or service or ID systems. There are usually several business purposes, but you also need to have those privacy requirements as purposes that you then achieve. And this is something that you could call privacy by design. So, you design privacy requirements into your new product or service.

Okay. So, I'll pick one aspect under this when you were saying, when you were talking about anonymization of data. And I was having the discussion with you the other day. And you had said that often in order to analyze data, we tend to send these data to third parties or ID systems.

But organizations do not really carry enough due diligence or do not have enough due diligence in place to check how these parties handle this data. So, do you think when we talk about privacy by design, these are aspects that one needs to take into account? And if yes, do you think this is happening actually in companies, they are taking into account these aspects? What we have seen, I think it's one of the hardest concepts, the privacy by design.

But if you get it right, then you are on a good track to achieve GDPR compliance or privacy compliance. But it's really difficult because there's small details what matter. And regarding the anonymization, of course, if, for example, the GDPR, it doesn't apply when you are processing anonymous data. So, you could disclose anonymous data to third parties, and there will be no kind of GDPR obligations that you must take into account.

But the key question will be that have you anonymized data properly, whether such data is really or truly anonymous under the GDPR because the concept or definition of personal data is quite wide and quite broad and applies to different kinds of data sets. And, for example, the IP address, we had Court of Justice in the EU ruled that dynamic IP addresses can be personal data as well because there are internet service providers who can provide you with additional information and then you can link the IP address to a natural person. So, the definition goes really, really wide. And therefore, usually, when we advise companies when they talk about anonymized data, they are actually talking about only two dynamized data, which is still personal data under the GDPR.

So, the problem, biggest problem is that how do you anonymize data properly and what is the business value of kind of properly anonymized data anyways? Because then we are talking about some statistics, usually doesn't kind of fulfill their business purpose anymore. So, the anonymization as a concept is a quite tricky concept as well, like the personal data definition and so forth. Okay, so when you said that we have to ensure or we don't know that it's truly anonymized, what exactly do you mean by that?

So, what is truly anonymization of data? What would you say? Well, it's data that you can kind of never link to any natural person anymore. So, you have removed all the identifiers and all the IDs that kind of separates even a single user from other users.

So, you have this personal data, then you have this to minimize data that where you have removed the direct identifiers, but then you are having some additional information somewhere that with that you can still identify a person if needed. But then the anonymized data is something that you can kind of never, or you should be never able to identify the person anymore. But HIKI's, do you think it is a practical thing to achieve? Because it looks very, it sounds very euphemistic.

Yeah, I think achieving it totally anonymized data, it's really difficult and it's not very practical. But I don't see that as a problem because even if you have personal data or pseudonomized data, you can still like GDPR or any other privacy law doesn't prohibit you from processing it. You just then need to keep in mind all the different requirements. For example, then data subject rights or data minimization principle or transparency and so forth.

So, the problem is not achieving the anonymization completely, but then if you don't achieve it, then you just need to pay attention to different privacy requirements. And it could be something other than GDPR as well. So, now we have this ECPA or we could have a new privacy law in every US state in the future. And then it depends like who's data and what data you are processing, that's what requirements you must satisfy all the time.

If it's privacy by design kind of method or process you, that is something that if you do it correctly, then you achieve the compliance and avoid any kind of compliance and privacy risks and privacy risks. Okay. And how does one track the entire cycle of data? What kind of questions if I'm a company and I am handling privacy for my company?

So, what kind of questions should I be asking to my third parties? From third parties, that's a good question. It depends like what kind of service you are getting from your third parties. And again, under the GDPR, we have different roles.

For example, if your company is so-called data controller and if you disclose data to third party, you want to know whether the recipient is operating as a so-called data processor, processing data only on behalf of your company or whether they are processing it for their own purposes as a data controller. And then we have based on those roles, we have a different set of requirements and questions that you may want to ask. But generally, if you know where, what is the data location on the country level and on IT system or IT asset level? So, to what kind of databases or IT systems the data is going and where are those systems located and who can access the data from which part of the world?

Because for example, as a data controller, you need to have this privacy node is available for your customers or employees or anyone whose data you are processing. And one small part of that privacy node is you must tell the data subjects that are you transferring data outside the EA area. So, if you are transferring data from Finland to US, you must notify your data subjects. And therefore, it's really crucial to know when you disclose data to your data processors or third parties to know the exact location.

And then again, it depends like if you use cloud service, there could be Amazon behind it or there could be several different IT assets. So, you must know that after you disclose the data, are you still capable of fulfilling all the data subjects requests? For example, can you delete all the data if someone asks, or can you provide the copy back to the data subject of all the data or can you restrict the processing? So, there's like million different requirements that you must keep in mind.

And it depends about the role. That's the first thing you may want to identify. What is the role of the third party? Because if they process the data for their own purposes, then you must identify what is the legal basis for you to disclose the data or sell or delete to someone else.

And you may want to do a written agreement regarding that and so forth. And if your third party is a data processor, then you have to do a written agreement regarding the data processing. And there you have to specify what data is being processed and how it's being processed and how it can be disclosed to fourth parties or subcontractors and so forth. So, it's not as easy as it sounds.

No, no, no, no, not at all. And that's why we have this data flow of roles. So, if we use data or third parties in our business, so we start growing a map that we disclose data to someone and then we want to know on the IT asset level, that's how it is being processed, to what IT systems or cloud services or subcontractors it goes. And then we start from there.

So, first we identify the facts. We describe the process and then after we have identified the facts, then we know all the applicable requirements and then we can assess whether the third party is still capable of fulfilling or in compliance with all the requirements. And then we know whether we can even use that third party or not. Okay, interesting.

Thanks a lot. Thank you for the wonderful conversation. Yeah, thank you. You were listening to Heke Devolvinin for IceIngenasia.

This is Subpara Goswami. Thank you for listening.

That Hoarder: Overcome Compulsive Hoarding That Hoarder Hoarding disorder is stigmatised and people who hoard feel vast amounts of shame. This podcast began life as an audio diary, an anonymous outlet for somebody with this weird condition. That Hoarder speaks about her experiences living with compulsive hoarding, she interviews therapists, academics, researchers, children of hoarders, professional organisers and influencers, and she shares insight and tips for others with the problem. Listened to by people who hoard as well as those who love them and those who work with them, Overcome Compulsive Hoarding with That Hoarder aims to shatter the stigma, share the truth and speak openly and honestly to improve lives. The Small Business Startup School – Business Notes | Financial Literacy | Retail Psychology – For Professionals & Entrepreneurs The Small Business Startup School Inc. Starting or buying a small business? While personal circumstances may vary, business patterns remain timeless. On The Small Business Startup School, we explore strategies, insights, and practical solutions to help entrepreneurs confidently navigate their journey.Hosted by Ola Williams—a retail entrepreneur, fintech founder, and financial coach with over two decades of experience—this podcast marries financial awareness and retail psychology with optimism to deliver actionable takeaways.Join us to learn, grow, and connect as we uncover the keys to business success.Let’s continue to learn together and be encouraged to keep on connecting! DIOSA. Carolina Sanper This podcast is a sacred space created by Carolina Sanper where you connect with your inner wisdom and embody your magnetic feminine power.It is the realization that the mystical realm is where you plant the seeds of your desired reality.It is a portal to your true essence: awareness, presence, and receiving with ease. Welcome home, DIOSA. 🖤 XXX Tech by SOVRYN Dr. Brian Sovryn The crossroads between technology, sensuality, and metaphysics - and the longest running anarchist podcast in the world! Brought to you by Dr. Brian Sovryn.

Frequently Asked Questions

How long is this episode of Info Risk Today Podcast?

Episode duration information is not available.

When was this Info Risk Today Podcast episode published?

This episode was published on February 24, 2020.

What is this episode about?

Implementing the concept of "privacy design" requires a series of critical steps, says Heikki Tolvanen, chief legal engineer at PrivacyAnt, a Finland-based privacy consulting firm, who offers insights on mistakes to avoid.

Can I download this Info Risk Today Podcast episode?

Yes, you can download this episode by clicking the download button on the episode player, or subscribe to the podcast in your preferred podcast app for automatic downloads.
URL copied to clipboard!