What is the relationship between information security and privacy by design?

Information security is the discipline of protecting valuable data from unauthorised access or destruction. Privacy by design is the idea that one should intentionally keep personal data free from unwanted observation or disruption by planning on how to keep it protected from the outset. They seem similar, after all – there is no privacy (by design or otherwise) without information security. But they are also different – privacy by design involves more than information security. Let’s explore the overlap between information security and privacy by design.

Why should I care about the relationship between information security and privacy by design?

Embracing privacy by design has significant potential to improve your information security by thinking of it more holistically.

Information security as a discipline has been around for a long time. Privacy by design is comparatively new. Historically, information security often involved a checklist mentality where organisations would rely on an information security framework, such as ISO 27001, NIST or COBIT 5 read with ITIL, and call it a day. The trouble with this approach is that it ignores the principle-based nature of modern data protection legislation.

Privacy by design, in contrast, is an overarching concept that doesn’t allow for a checklist mentality. Those seeking to apply privacy by design, such as data protection or information officers, privacy counsel or product designers, often misunderstand it and take a checklist approach. They might focus too much on implementing privacy enhancing technologies (PETs). PETs are similar to safeguards from an information security perspective and include technical safeguards such as full-disk encryption and firewalls, or organisational safeguards such as phishing awareness training and having an information security policy. While these safeguards are important, privacy by design wants us to break away from the checklist and approach privacy more holistically. The discipline of information security therefore has much to learn from the correct implementation of privacy by design.

How do information security and privacy by design relate to one another?

Information security is a requirement of most data protection laws. It generally involves implementing appropriate technical and organisational measures to meet the requirements of data protection laws and protect the rights of data subjects, taking account of:

  • the state of the art;
  • the cost of implementation;
  • the nature, scope, context, and purposes of processing; and
  • the risks to people’s rights and freedoms, based on the likelihood and severity of the potential harm posed by the processing;

when implementing the measures.

Similarly, privacy by design is a requirement of certain data protection laws. It generally involves implementing appropriate technical and organisational measures to make sure that only personal data which are necessary for each specific purpose of the processing are processed by default, which applies to:

  • the amount of personal data collected;
  • the extent of their processing;
  • the period of their storage; and
  • their accessibility.

By comparing the requirements, we see they’re both based on the idea of appropriate technical and organisational measures – which we call ‘commensurateness’: the idea that the measures should be suitable in the particular circumstances.

Dr Ann Cavoukian, the former Information and Privacy Commissioner for the Canadian province of Ontario, pioneered privacy by design in the ’90s. However, the concept has become more prominent recently thanks to the GDPR including it specifically in Article 25, ‘Data protection by design and by default’. This provision speaks to two concepts, namely:

  • privacy by design – the idea that organisations shouldn’t keep personal data private merely because the law requires it – privacy should be a foundation of their business, they should monitor it diligently at all times and they should provide goods and services with privacy in mind from the beginning (not as an afterthought); and
  • privacy by default – the idea that organisations should provide goods and services to customers with the highest level of privacy enabled ‘out of the box’ and give them the power to configure their privacy settings themselves.

As you can see, they are complementary concepts – and most people include privacy by default in the concept of privacy by design.

What can I do to take advantage of the relationship between information security and privacy by design?

You could take advantage of the relationship between information security and privacy by design by: