Public awareness and concern about privacy is at an all-time high and governments are responding with legislation, but quite often the onus has been on individuals to stand up for their rights. Stephen Ragan, Privacy Expert at Wrangu explains how Privacy by Design can help firms navigate the complex landscape.

Concern over alleged interference in elections on both sides of the Atlantic, Edward Snowden, Cambridge Analytica, algorithmic bias, and two data breaches effecting over 1 billion people…

Stephen Ragan, Principal Privacy Consultant at Wrangu, is listing examples of huge media stories in recent years that have raised public awareness of personal data use, surveillance and transparency.

“Privacy is just becoming more and more important to individuals and companies are responding in light and we see this, of course, with Google and Apple and their shift away from third party cookies and creating App Tracking Transparency,” says Ragan.

“I think one of the big challenges is bridging this ‘transparency gap’, where individuals don’t really know what’s being done with their data and how it’s being used.”

This increased public awareness and concern about trust and privacy, as evidenced by the recent public outcry and boycott over Whats App’s mandatory data-sharing with Facebook, appears to be a key factor in governments across the world implementing data protection legislation.

Ragan cites research from Gartner last year forecasting that the percentage of nations with data protection legislation will reach nearly two-thirds (65%) by 2023, up from 10% last year.

So what impact is this flurry of new legislation having, and likely to have in the future? How can businesses keep up to speed with it?

“It is very difficult, especially, for small and medium-sized organisations who don’t have dedicated privacy and legal teams,” says Ragan.

He adds that the uncertainty over international data transfers created by the Schrems II ruling last Summer has also “put a lot of burden on organisations to try and understand the national security and surveillance laws of countries where the data is being transferred”.

According to Ragan, organisations should use Europe’s General Data Protection Regulation (GDPR) as a starting point and then try to adapt it to local circumstances and laws.

This feels potentially quite onerous, but Ragan says the threat of fines and law enforcement action is a big incentive to take privacy seriously, particularly as he envisages a ramping up of action after a slowdown due to the pandemic.

“We’ve now been living in this corona crisis for a year and I think this whole adaption to a new digitised environment kind of slowed things down for enforcement authorities and even GDPR is still new”, he says.. 

Ragan stresses however that focusing on the need to avoid fines misses the broader point about the importance of privacy and trust in the modern age.

“The even bigger issue is reputational damage,” he continued “Your organisation does not want to be in the news for having data breaches and security issues.

“The world is digitising and the majority of us are working from our homes. With the greater digitization, greater interconnectivity, and the expansion of the Internet of Things, organisations are collecting more and more data. 

“So, in order to do this, organisations are going to need to have the trust of their customers and consumers,” he says.

The real question is how exactly do companies build this trust?

In Ragan’s view, the burden of protecting privacy rights is unfairly placed on individuals to stand up for their own rights.

“The emphasis is always on the individual to take some type of affirmative, or additional action in order to protect their privacy,” he says.

Instead, to build deeper trust, companies themselves should look at ways they can help customers protect their data, argues Ragan.

This could include data minimisation, where data collection and use is limited to what is strictly necessary, better management of the data life cycle –  including privacy policies that empower individuals informing them of their rights and how to exercise them and explaining the ways data will be processed so individuals have the information they need to give free and informed consent, to mapping data and understanding the organisational culture around privacy. Facilitation data subject rights should be obvious and not “overly cumbersome” says Ragan.

However, underpinning all this is Privacy by Design.

“When we think about Privacy by Design, we’re thinking about before data is collected, and the development of services and products really embedding privacy in the design of the services and products before data is collected at all,” says Ragan.

The key point is that privacy considerations are embedded from the outset, in the very design of products and services with the data subject constantly aware of what you are doing with the data and for what purpose.

Ragan also suggests that information on this approach could be published so that people can see that “you’re placing emphasis and importance on privacy and data protection.”

All of this, suggests Ragan, can help organisations build trust around consumer data and privacy, which will be crucial in our increasingly digitised and interconnected age, while also ensuring that they are less likely to fall foul of the law as the global regulatory picture gets ever more complex.

Stephen Ragan, Principal Privacy Consultant, Wrangu
Stephen Ragan is the Principal Privacy Consultant at Wrangu helping organisations understand and comply with global privacy regulations and overcoming data protection challenges.

He holds a law degree from Indiana University and is a licensed attorney in Washington D.C. Stephen is also a Fellow at the Centre for Internet and Human Rights.