The concept of privacy is not new. From time immemorial, humankind has been concerned about privacy – maybe it’s about their habits, ailments, behavioral patterns, relationships with others, look and feel or any other. People have been very conscious of the information about them, whether or not recorded, for very long.
It has been decades now, countries and forums across the globe (like OECD) have recognized privacy as a fundamental right. (Remember the Supreme Court of India verdict in 2018 making it clear that privacy is a fundamental right of any Indian citizen).
Having this been a concern for long, why are we so worried about it now? What changed now? Why are we so concerned about privacy NOW?
Technology – an invader into privacy?
The advancement of technology has given opportunities for people to make their information accessible to others. Very compelling services like social media which play a major role in today’s life. They capture and make available to others personal information about people for various reasons – maybe it’s for the reasons of those who provide such information or the business reasons of the service providers.
Various business establishments run their business leveraging only on the personal information provided by the users of their services or applications. The business model itself, most of the time, violates the privacy requirements of the users. Various devices and applications have been developed by those who may want to make a fortune out of the personal information provided by the users.
Are users really concerned about privacy?
Yes and no.
On one side when people need services like email or GPS, they take it for granted that their information can be shared and used by their service providers. Most of the times the legitimacy of such usage is not been evaluated by the users because of the unawareness of how their information could be potentially (mis)used by those providers. On the other side, when the very basic needs of users to protect their privacy are being denied, they become aware of the need to protect privacy.
What are those possibly invading into the privacy?
Social media – Facebook, LinkedIn, Twitter, Instagram…
Applications – truecaller, WhatsApp, health monitoring apps…
Cloud based services – data storage sites (G-Drive, etc.), email services (Google, etc.), GPS services (google, etc.),
The evolvement of privacy concepts and laws
It was indeed very difficult to explain and express privacy for the mass to understand. That was the time when the need for a mechanism for the common understanding of the privacy concepts was felt. This lead to the evolvement of privacy principles. The challenge of practical ways of implementing these principles were overcome by defining a set of privacy rights everyone/user/citizen could claim.
When the concerns of privacy grew, obviously, administrations had to intervene and come up with legal means of ensuring adherence to the principles and honouring the rights of people who use services provided by service providers where there is collection and usage of personal information. Hence the laws were framed considering the various kinds of personal information, nature of the services, their purposes, legitimacy of collection and usage, the time periods etc. They also considered the regulatory regimes required for the enforcement and built a system around it.
Why privacy laws?
In the current global environment, for any organisation or even for governments, it is not possible to do business activities without cross border flows of information pertaining to people. While the information flows across boundaries, the administrations wanted the privacy feeling of their citizens to be well addressed. The trade activities cannot be performed without this flow of information today when countries want to cooperate on many fronts and do mutual trades.
Nature of the privacy laws
The laws were created in various parts of the world suiting to the nature of the environment – business, technological, cultural etc. However the laws have on in common broadly – they have to be interoperable. If the laws conflict each other it may not be possible for countries (organisations) to trade across. The confidence level also goes far low and hence, by and large, the laws have been seem to be harmonised.
The privacy laws generally, are based on certain privacy principles and grant certain privacy rights to citizens.
The privacy laws were created in such a way that they become dissuasive through heavy penalties.
Business establishments and compliance
Any business establishment that wants to do business with others – may it be with customers in different countries or with customers within the country – will have to ensure the privacy of their customer/user data is protected. No business entity can ignore privacy of their customer/user data due to the hefty fines imposed by the respective regulatory/legal bodies if violated.
Major privacy laws
Today there are about 132 national privacy laws of various nature are existing across the globe.
EU GDPR – though regulations like HIPAA, GLBA or similar were existing earlier, a comprehensive privacy law cutting across various business domains was a landmark and benchmark. This became a reference
CCPA – California Consumer Privacy Act
PDPA of India, Singapore, Malaysia
What is needed to build a comprehensive Privacy Information Management System?
The fundamental fact is that there is no privacy without a robust security framework. Hence it’s very important to create and maintain a security framework that addresses privacy requirements very clearly. The technological elements like application security testing, VA/PT, DLP, IPS, IDS and so on are very important to be part of the overall framework. The design elements are to be taken special care of due to the privacy requirement of ‘privacy by design and privacy by default’.
In essence, when a PIMS is created, it will (has to) very well sit inside an ISMS and well interfacing with all other management systems in the organisation (FMS, HRMS, QMS etc.).
Privacy being a major concern today, every organisation will have to take it seriously and build appropriate management systems around it to manage it well, failure of which could lead to heavy financial losses (summary of all kinds of losses). They need to identify the personal information they deal with, classify them, do a risk analysis and then come up with mitigation actions for those privacy risks. An appropriate framework can be used to create such a management system that can very well gel with other management systems already in place.