The Future of Privacy Compliance - Part 3 of 3
Updated: Nov 22, 2019
In October 2019, Gartner analysts published a report entitled “Move to Contextual Privacy in Digital Society” (please see footnote 1) which observes that:
“Privacy becomes so context-dependent that every single interaction requires its own data selection and attribute set to continue to successfully protect the privacy value.”
In our opinion, privacy cannot be defined, measured or enforced without context. Under the modern regulations, that context is established by defining a robust, lawful, data-minimised purpose using the Unit of Work components described earlier in this series.
Purpose provides the contextual basis for performing legitimate Impact Assessments, enforcing Purpose Limitation, generating Records of Processing Activities and delivering the full extent of a data subject’s Personal Rights including proportionality, fairness and subsidiarity.
The Gartner report continues by stating that:
“Privacy must become an inherent part of product development and of the implementation of such products in their environments.”
At first glance this quote aligns with the principles of Privacy by Design, the approach to systems engineering formalised by Ontario’s Information and Privacy Commissioner Ann Cavoukian in 2009 and since incorporated into the text of the GDPR (Article 25, data protection by design and by default), the LGPD and other regulations. Privacy by Design principles are typically applied during the design and construction of a specific application or business process.
In a contextual privacy ecosystem, privacy compliance is not a nice-to-have concept, it is globally enforced, and enforcement is built directly into infrastructure services. Unlike conventional Privacy by Design, enforcement is application neutral and consistently applied across all participating applications and services, within and even across multiple organisations.
But true data protection compliance is still very rare. How can organisations that can’t fully comply today manage to adopt a contextual privacy ecosystem?
This is more than possible; it is already happening. What is unrealistic is enforcing GDPR compliance through a fragmented, application-specific approach. For comprehensive compliance to be practical, affordable and sustainable, it must occur at the infrastructure services layer, so that any number of organisations, business processes and applications can leverage privacy-as-a-service and participate in a contextual privacy ecosystem.
Products and solutions will gain purpose-limited and audited access into the contextual privacy ecosystem via APIs, where regulatory constraints will be transparently enforced via microservices. Data subjects will be represented in this system via pseudonymous Contextual Digital Identities (CDI), a virtualized, minimized and purpose-limited view of the data subject that appears to each data controller as its own identity management system.
The CDI concept will also support more pseudonymous engagement with data subjects, enabling necessary business proofs to be obtained at the context-level without privacy intrusions at the person-level.
The contextual privacy ecosystem will allow a business unit or product team to retain autonomy over its own personal data processing, while still ensuring common, consistent and enforced governance and control over all the personal information that data controllers expose during daily operations.
Organizations and teams greatly value context since they know that it can be a force-multiplier in the value of their products and services, customer satisfaction, customer retention, cross selling - and generally engender comfort and trust in a personal experience.
This approach will also realize a secondary but highly valuable effect: maintaining and improving data quality, which the GDPR itself requires under the accuracy principle (Article 5(1)(d)). Virtualized Contextual Digital Identities are derived from a unique data subject; data is not duplicated, rather it is repurposed and continually improved. Each element of personal data collected and processed through a contextual identity will therefore carry data quality metadata indicating when that data was verified as accurate according to a common set of verification standards.
In a contextual privacy ecosystem, personal data will therefore be instantly recognized as verified or unverified. Data controllers will be able to evaluate immediately whether specific data is of appropriate quality for their requirements and, if not, take steps to transform and elevate its quality. Once improved, the higher quality will be reflected immediately wherever the data has been deployed.
The contextual privacy ecosystem will also support “cross-cutting tenancy”: multiple tenants of the ecosystem (different departments, business units or completely separate companies) can maintain GDPR-safe data relationships with a shared data subject, leveraging a largely standardized, high-quality and repurposable data set.
Cross-cutting tenancy relationships will be based upon Contextual Digital Identities. Each data subject will be represented to a data controller via these virtualized profiles.
The controller will define its applications, products and services and any purposes that require personal data. The virtualized CDI profile will then present the data controller with access to the personal data that has been scoped and minimized according to those legitimate purpose definitions.
According to Gartner, “to protect privacy, the organization can provide randomized identity workflow streams or customer identity and access management (CIAM) programs that provide an ID for every relation between the customer and various organizations. Deliberate safeguards must prevent those identities from merging, unless that is the specific desire of the customer. Alternatively, identity as a service (IDaaS) and pseudonymization vendors may offer a similar setup, where the responsibility to prevent collusion is outsourced. This is called ‘identity brokering’.” The Gartner graphic “Broker or Provide Randomized Contextual Identities” outlines this relationship.
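The identity-brokering arrangement Gartner describes is easy to sketch in code. The following is an added example, not the ecosystem’s or Gartner’s implementation: a broker that is assumed to be the only holder of a master key derives one pseudonym per (data subject, controller) relationship with an HMAC, so two controllers receive different identifiers for the same person, cannot compute each other’s identifiers, and cannot join their records on a shared key. The `link` call models the one sanctioned path to merging, the subject’s explicit request. The controller names, subject id and key material are constructed for the demo.

```python
"""Identity brokering for Contextual Digital Identities (added example)."""
import hashlib
import hmac
from typing import Dict, List, Optional


class IdentityBroker:
    """Issues relation-scoped pseudonyms; the real subject id never leaves the broker."""

    def __init__(self, master_key: bytes):
        # Assumption: the key is held and rotated by the broker only.
        self._key = master_key

    def contextual_id(self, subject_id: str, controller_id: str) -> str:
        # Deterministic per relation, so one customer always resolves to the
        # same CDI at a given controller, but unpredictable without the key.
        msg = subject_id.encode() + b"\x00" + controller_id.encode()
        return hmac.new(self._key, msg, hashlib.sha256).hexdigest()[:32]

    def link(self, subject_id: str, controllers: List[str],
             subject_requested: bool) -> Optional[Dict[str, str]]:
        # Merging identities across controllers happens only at the data
        # subject's request; otherwise the broker refuses to correlate them.
        if not subject_requested:
            return None
        return {c: self.contextual_id(subject_id, c) for c in controllers}


def attempted_join(records_a: Dict[str, dict], records_b: Dict[str, dict]) -> List[str]:
    """What two colluding controllers get by joining on identifier: the overlap."""
    return sorted(set(records_a) & set(records_b))


def demo() -> dict:
    broker = IdentityBroker(b"constructed-demo-key-do-not-reuse")
    # Constructed sample: one subject known to two unrelated controllers,
    # each holding records keyed only by the CDI the broker gave it.
    retailer = {broker.contextual_id("subject-001", "retailer"): {"orders": 3}}
    insurer = {broker.contextual_id("subject-001", "insurer"): {"policy": "home"}}
    return {
        "retailer_id": next(iter(retailer)),
        "insurer_id": next(iter(insurer)),
        "join": attempted_join(retailer, insurer),          # empty: unlinkable
        "link_denied": broker.link("subject-001", ["retailer", "insurer"],
                                   subject_requested=False),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The security property rests on the key staying with the broker: a controller that learns it can reconstruct every other controller’s identifiers for any subject id it can guess, so in a real deployment the broker is the component to harden and audit.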
Thanks to cross-cutting tenancy, shared data subjects and contextual identities, all the participants in the ecosystem will transparently realize dramatic improvements in data quality and governance. This approach is the opposite of today’s fragmented, siloed, duplicated and poorly-managed data holdings.
While the data subject is entitled to a fully transparent view of their personal data, data controllers will no longer reach for "360-degree" views and will instead focus on exploiting the maximum relevant context for each purpose, and across all purposes collectively, that affects the data subject. "Context" will be more valuable than "content" and far more privacy-preserving.
Purpose-Based Access Control
Another essential application-neutral service in the contextual privacy ecosystem will be Purpose-Based Access Control (PBAC), which can enforce purpose limitation and thereby achieve a huge improvement to sustainable privacy compliance in daily operations.
PBAC will contribute to both security and context. For example, only authorised callers will gain access to personal data, on a per-purpose basis, and only the minimized subset of data allowed for that authorised and lawful purpose can be released. Because every release is keyed to a registered purpose, the same enforcement point can emit the record of each processing operation, which is what transparent compliance with legal requirements such as the GDPR Article 30 Records of Processing Activities demands.
Using PBAC, most non-compliant data processing will be prevented – transparently and without explicit effort by developers and staff. PBAC will enable the GDPR Unit of Work to be consistently monitored, measured and enforced on a per-transaction basis, independent of the application or data source.
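A minimal PBAC gate of the kind described above, as an added example that is not the product’s own code: every request must name a registered purpose; the gate checks that the caller is authorised for that purpose, releases only the attribute set minimised for it, and appends a processing record for every transaction, granted or denied, in the style of an Article 30 register. The purposes, callers, lawful bases and the single stored record are constructed for the demo.

```python
"""Purpose-Based Access Control gate (added example)."""
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class Purpose:
    name: str
    lawful_basis: str                  # e.g. "contract", "consent"
    attributes: FrozenSet[str]         # minimised attribute set for this purpose
    authorised_callers: FrozenSet[str]


class PurposeDenied(PermissionError):
    """Raised when no registered, authorised purpose covers the request."""


@dataclass
class PBACGate:
    purposes: Dict[str, Purpose]
    store: Dict[str, Dict[str, str]]   # contextual id -> stored attributes
    processing_records: List[dict] = field(default_factory=list)

    def access(self, caller: str, purpose_name: str, cdi: str) -> Dict[str, str]:
        purpose = self.purposes.get(purpose_name)
        if purpose is None:
            self._record(caller, purpose_name, cdi, [], "denied: unregistered purpose")
            raise PurposeDenied(f"purpose {purpose_name!r} is not registered")
        if caller not in purpose.authorised_callers:
            self._record(caller, purpose_name, cdi, [], "denied: caller not authorised")
            raise PurposeDenied(f"{caller!r} is not authorised for {purpose_name!r}")
        # Minimisation: the caller never sees attributes outside the purpose
        # scope, whatever the store holds behind this contextual identity.
        full = self.store.get(cdi, {})
        released = {k: v for k, v in full.items() if k in purpose.attributes}
        self._record(caller, purpose_name, cdi, sorted(released), "released")
        return released

    def _record(self, caller, purpose_name, cdi, attributes, outcome) -> None:
        # One entry per transaction, denials included, so the register shows
        # both what was processed and what the gate refused.
        purpose = self.purposes.get(purpose_name)
        self.processing_records.append({
            "timestamp": datetime.now(timezone.utc).isoformat(),
            "caller": caller,
            "purpose": purpose_name,
            "lawful_basis": purpose.lawful_basis if purpose else None,
            "contextual_id": cdi,
            "attributes": list(attributes),
            "outcome": outcome,
        })


def is_denied(gate: PBACGate, caller: str, purpose: str, cdi: str) -> bool:
    """True if the gate refuses the request (for checks and tests)."""
    try:
        gate.access(caller, purpose, cdi)
    except PurposeDenied:
        return True
    return False


def build_demo_gate() -> PBACGate:
    # Constructed purpose registry: two lawful purposes with distinct scopes.
    purposes = {
        "order_fulfilment": Purpose("order_fulfilment", "contract",
                                    frozenset({"name", "postal_address"}),
                                    frozenset({"shipping-service"})),
        "newsletter": Purpose("newsletter", "consent",
                              frozenset({"email"}),
                              frozenset({"marketing-app"})),
    }
    # Constructed sample record behind one contextual identity.
    store = {
        "cdi-7f3a": {"name": "A. Subject", "postal_address": "1 Example Street",
                     "email": "a.subject@example.invalid",
                     "date_of_birth": "1980-01-01"},
    }
    return PBACGate(purposes, store)


if __name__ == "__main__":
    gate = build_demo_gate()
    print(gate.access("shipping-service", "order_fulfilment", "cdi-7f3a"))
    print(is_denied(gate, "marketing-app", "order_fulfilment", "cdi-7f3a"))
    print(is_denied(gate, "shipping-service", "profiling", "cdi-7f3a"))
    for rec in gate.processing_records:
        print(rec["outcome"], rec["purpose"], rec["attributes"])
```

Note that `date_of_birth` is stored but never released, because no registered purpose lists it: a developer who wants it has to register a purpose with a lawful basis first, which is exactly the discipline the text argues for.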
To summarise this series of short posts:
Purpose definition is essential to compliance. If your compliance programme doesn’t emphasise purpose definition, it is not achieving true compliance.
Discovering and mapping personal data does not produce actual privacy compliance. Keeping discovered data without also defining purpose is a GDPR infringement with potentially serious consequences.
Purpose is the key to establishing context, without which there can be no measurable data controller privacy compliance or data subject privacy. Purpose definition is needed to contextualize the assembly of information, perform risk assessment, establish minimised personal data scope and ensure the full extent of data subject rights.
The contextual privacy ecosystem will meet all the relevant privacy compliance goals for Privacy by Design, in an application neutral way. It will be enforced at the infrastructure level rather than within each application. The ecosystem will permit multiple different business units and even different companies to gain cross-cutting access to the personal data of unique data subjects in a way that will be both compliance-safe and quality-verified.
Purpose-Based Access Control (PBAC) will provide compliance enforcement infrastructure to the contextual privacy ecosystem. Data controllers will realize sustainable compliance for their applications, products and services, through enforcement of lawful purpose limitation, transparently as part of daily operations, down to the transaction level in real-time. Records of Processing will be both contextual and granular, enabling immediate and comprehensive defences against claims of non-compliance.
Footnote 1: Gartner “Move to Contextual Privacy in Digital Society,” Bart Willemsen, Frank Buytendijk, 3 October 2019