Dr. Ann Cavoukian is Executive Director of the Privacy and Big Data Institute at Ryerson University in Toronto. She also served three terms as the Information and Privacy Commissioner of Ontario. While there, she created Privacy by Design, a framework that seeks to proactively embed privacy into the design specifications of information technologies, networked infrastructure and business practices. PbD has been translated into 38 languages and has been promoted by the FTC, the European Commission and other major governing bodies.

UnboundID: How does Privacy by Design work in action?

Cavoukian: PbD is a prevention model whereby proactively embedding privacy measures into operations and technologies, companies can avoid data breaches and the damage they bring to a brand along with the financial penalties. You first identify the risks in your business, and then apply the appropriate measures. Following this model can also give a company a competitive advantage, because you are building trust with customers.

The Ontario Lottery and Gaming Corporation runs casinos, and they have a self-excluded program where if you are a gambling addict, you can sign up to have a casino employee walk you out the door if you show up to play. Yet the casinos didn’t know who these people were when they walked in, so they came up with the idea to embed facial recognition technology in their security cameras to identify those people. Yet that kind of program would probably not be popular with all the other gamblers, from a privacy perspective. So they developed a solution based on biometric encryption, where if there’s no immediate match with the image database of people in the program, no facial data is captured. Even if a match is made, the facial data is erased after the person is identified and escorted off the property, all with their positive consent.

UnboundID: What are the most important steps that companies can take today to be better stewards of customer data?

Cavoukian: You’ve got to build trust with customers through transparency and respect for privacy. If you collect data on a customer to complete a transaction and then you want to use their information for a secondary purpose, you must go back and ask for permission. Explain the benefits of sharing to the customer. In a trusted relationship, the answer from the customer will very often be “yes.” I really think we will see positive changes in regard to corporate practices, now that the European Commission has approved a new and much stronger privacy law, the General Data Protection Regulation. The GDPR will enforce significant financial penalties for companies that store or use personal data of EU citizens without permission. And for the first time, this new privacy law contains the actual language of Privacy by Design and Data Protection by Design.

UnboundID: Can you discuss how identity management tools and practices will evolve to help?

Cavoukian: Identity management is very important to handle consumer data. Companies should be implementing two-factor authentication. I think they also need to be very careful about sharing the personal information that they’ve collected. You may have the best tools but if you then share that information with unauthorized third parties, that’s where problems start. If you strongly de-identify the data, then you can use it and preserve its value without incurring risk to the individuals.

UnboundID: How do Canadians view consumer privacy differently, compared with Americans?

Cavoukian: I don’t know that there is a huge difference in attitudes, but in Canada we have a system of independent regulators both federally and in each province. This allows consumers to file complaints, and they have a resource for awareness and educational information. In the United States, there is the FTC, which is a great organization, but in a country with over 350 million people, the FTC can’t provide enough resources. We have a dozen commissioners for 35 million people in Canada. So the FTC has to focus on the really bad actors. Americans really value liberty, and you can’t have liberty without privacy. Ever since Edward Snowden’s revelations, the privacy culture has changed. Six out of 10 Americans distrust both private and public sector entities. Customers are asking a lot more questions and companies are becoming more sensitized to those concerns. By embedding privacy into design, you can get ahead of the problem and prevent the harms from arising. By doing so, your business will gain a competitive advantage.
