Privacy by Design is a concept in systems engineering that has been around for many years, but was recently codified into law by GDPR in Europe. Essentially it means that organizations must consider and implement privacy measures and privacy enhancing technology (PETs), directly into their systems and tech from the design phase.
Privacy by Default builds on Privacy by Design by expanding beyond just technology and into the entire organization. The organization must collect the minimum amount of data necessary to perform a specific task, must only use the data for the specified task, and must set rules on the storage and accessibility of the data. GDPR provides some guidance, such as Privacy Impact Assessments and Data Privacy Agreements with counter-parties, to help companies adjust to this new rule. However, the concept of Privacy by Design and by Default may be a fundamental technical or even philosophic shift for many companies.
The cost of Privacy
Data used to feel free. Really, it used to be free, if you accept that storage and access costs are fairly negligible. For the past decade, companies have been collecting as much data as possible without an express purpose, hoping to find a use for it eventually. Companies treated the data as their property, not the property of the person from whom they were collecting it. The fields of ‘Big Data,’ ‘Data Science,’ and ‘Machine Learning’ have risen to prominence in part because of this trend. And while these fields provide actionable insight to many companies, the days of collecting data for the sake of it are over.
Data now has a cost.
And not just the cost of hosting bits in Amazon Web Services (AWS) or physical servers. No. Any new collection of Personal Data must be weighed against the risk of harm to data subjects. Data carries a risk, and that risk is far greater than zero. Rather than being owned by the company, data is now essentially borrowed from the data subject, and the subject retains the rights and freedoms described in GDPR.
Making tough decisions
Factoring in the cost/risk of collecting more data is a helpful way to adjust to the Privacy by Design and Privacy by Default paradigms. From the earliest stages and throughout product development, for each new datapoint you intend to collect, you should ask yourself – Is it worth the increased risk associated with its collection and storage? Are there ways to minimize or mitigate that risk and still complete the task? It may be helpful to think of yourself as the data subject and ask, would I be comfortable with this information circulating publicly?
smartclip protects consumer privacy
It can be hard to resist the temptation to collect every data point that you can. smartclip, which recently merged with SpotX, encountered this dilemma while building its Addressable TV solution. With the introduction of HbbTV technology in Europe and across the globe, it is now possible to collect huge amounts of never-before-seen data on the behavior of users interacting with their TVs. By turning Smart TVs into browsers, makers of TV HbbTV apps can see nearly the same level of granular activity as they can on a traditional desktop. HbbTV provides great benefits to both broadcasters and users, but also carries with it the temptation to capture this valuable data.
smartclip developed a powerful product that gives media owners the ability to see, second by second, analytics on viewership of their programs, in real-time. With Privacy by Design in mind, smartclip CTO Thomas Servatius decided to make this viewership data completely anonymous. smartclip uses strict anonymization practices so that it is unable to tie the data it gathers to actual people. A user’s behavior is grouped with at least 5 other devices’ activity and combined into a new ID, thus anonymizing it, before it is even stored in the system. In this way, while smartclip retains the benefits of addressable advertising, an individual user’s information cannot be exposed or traced back to him or her. By adopting a Privacy by Design mindset, smartclip employees and their customers sleep well at night knowing that valuable data is protected.
While it’s clear that Personal Data can be a powerful tool for marketers and publishers, it is also clear that Privacy by Design and Privacy by Default will cause a shift in many companies’ development processes. This shift should generate benefits for users as well as data controllers and processors by increasing trust, control, and accountability.
Want to learn more about GDPR? Check out the rest of our series:
- SpotX’s GDPR Task Force
- What is GDPR? What You need to Know about Ad Tech and the General Data Protection Regulation
- GDPR: Top 7 Things Publishers Should Do to Protect Themselves
- How US Based companies should be thinking about GDPR
- Why US companies should care about PII, non-PII, and Personal Data
- What is ‘Privacy by Design and Default’ and how can it help me make tough choices in a post-GDPR world?
- How GDPR will tighten Google and Facebook’s grip on global advertising dollars – Isn’t it ironic?
- Vlog: Senior Product Manager, Jessica Berman Speaks on GDPR
Eric Shiffman, Product Marketing Manager