Marisa Rogers - Privacy by Design for Consumer Goods and Services

I think many of you are familiar with privacy by design. It's a concept that's been around since about the mid two thousands, about 2008, 2009. It was the, it was born out of some work done in Canada by the former Ontario privacy commissioner and Kabuki. She wrote her PhD paper on privacy by design and, and really defined this concept and this topic. And so I actually wanted to start there because I think privacy by design over the last few years has sort of morphed into other things. And, and when this ISO committee is considering writing standard, it's actually based on this academic concept. So I kind of wanna bring folks back to, to that concept and review it. So there are seven foundational principles in privacy by design. It starts with privacy by design should be proactive, right? Something we think about from the beginning much like we think about security in our security practices today.
Privacy should be the default setting as the user, as the customer. I shouldn't have to take any action in order for my personal information to remain private privacy is then embedded into the design. So we think about it at the very beginning. From the beginning of when we think about conceptualizing a new product, a new service, a new business transaction, or new business process, we think about privacy from the get go, and it's folded in from the beginning. So we don't have to go back and retrofit privacy, full functionality is all about making sure we hit the win-win. We shouldn't be sitting at a table having a conversation about, well, are we going to do privacy or security? We need to do them. Both. Both are really important. And it's about figuring out as part of that design process and iterative process. How do you reach that win-win scenario so that you have the full functionality or full capability of the process?
We all know you cannot have privacy without great security, privacy and security are forever intertwined. If for no other reason than that one, you have to have end to end security from the time that you collect the data to the time that you delete that data through its entire life cycle collection, transport storage, your backup storage, et cetera, you have to really be, be thinking about that. Visibility and transparency is, is super open or important. Sorry. In privacy, by design, you have to be open about your practice. You have to be open about your commitments. It shouldn't be something that's buried super deep in your statements. And then last bit, not least is respect for the user from the beginning, when you're at that design stage, it's about thinking about your customer or the user of your product or service and how are they going to, what kind of experience are they going to have as they go through this, this effort where data is being collected from them?
So these are the, the seven principles that we're thinking about as we head into building this new ISO standard. So why does it matter? Why do we, what, why do we even want to build a new standard in this space? The headlines in the paper, not just this year. I think these are a lot of more recent headlines, but over the past several years are really starting to erode trust from, from our consumers out there. Right? Every time I turn around, I, I look at my phone in the morning and some, some new scary thing happened, whether it is financial data that has been lost, whether it's health data, that's been lost, whether it's problems with technology companies and what they are or aren't doing with data, it, it feels like, gosh, every time I take a step forward, I just kind of wanna cringe and, and maybe go back into my closet in my bedroom and not, not leave the house and not share my data. And that's really bad for those of us that are trying to run businesses. We need our customers to feel like they can trust us with their data. They're, they're going to start making their decisions about where they spend their money, where they put their money, where they, where they put their information based on that level of trust. And so trust is not something that any single company or organization builds. It's something that we collectively build as business or government organizations out there. So trust is really, really important.
So let me talk about a few efforts that are underway to develop standards. This consumer privacy by design is not the only one out there. There are a few others. I'm gonna start with a couple of security standards. That folks are probably pretty familiar with. These have been out for several years now. There's the ISO 27,001 and 27,018 security standards. Specifically. These are about information security management and cloud protection. So companies that are storing your data in the cloud rely on these standards very heavily. It sets a baseline by which everybody is operating and those certification standards are then things that tech companies can share with their customers to provide them some level of assurance about what their security practices are. There's a couple efforts underway now to, to create similar standards on the privacy side, there's a, a broader standard called ISO 27,005 50.
I didn't quite list it here. It's kind of a, an overarching standard, if you will. And it covers privacy and security technologies broadly underneath it. There is this 2 7, 5 52, which is privacy information management. It's about technologies that you use or employee and privacy information management. And then the last one, which is the one that I'm actually working on here is this ISO PC three 17. It doesn't even have a number yet. It's so brand new, but this is really a focus on consumer protection and privacy by design for consumer goods and services and the, the history of the standard and, and literally, or the goals I should say of the standard are to set some preventive international guidelines for ensuring consumer privacy is embedded into the design of a product or service, so that we're thinking about privacy from the very beginning, all the way till we launch that product or service it's meant to help companies comply with the many regulations.
If you were here for the last session, that there's a lot of conversation about those regulations around the world and to avoid potentially devastating data breaches at the end of the day, that is, that is the scary thing when that data gets breached and it erodes customers confidence in the digital world, and then last but not least the third goal of the standard is to really give consumers greater confidence in their purchases and enable them to take control. That is, that is how we get them past. The, the fear that they may be experiencing in the world is to give them something that lets them feel like they are in control of the situation. And they'll spend, spend more money, do more business with us and transact further some history about the standard. And like I said, it's brand new just in March of this year.
So in the spring, the ISO committee said that, Hey, we are going to agree to create a new project. That's gonna focus on developing this particular standard in June. They released a draft and an outline, and they called for technical advisory groups or tags to be formed, to help give advice on that, that very initial draft. I joined a committee at the beginning of July or joined this committee at the beginning of July. And we have been working to, to read through it, to parse through comments or about 27 different organizations that are involved in this advisory group. And so we've all been, been reading it. We've been talking through our individual feedback. A technical advisory group does have to come to some level of consensus and vote and agree on what the formal feedback will be to the ISO committee. In fact, I am headed in a couple of weeks to DC, where we are gonna have two days of face-to-face conversations to, to reach that consensus.
And then we're gonna be nominating a team of folks that will go represent this advisory group in London at the beginning of November, and provide that feedback more formally to them in case there's anybody here who wants to participate. And by the way, there's not a lot of extra experience required. This is my first time participating in a technical advisory group. You can contact the Oasis organization and they would be happy to talk to you about participating in the advisory group itself. Other backgrounds on the standard. It, it really is a working draft. The, the draft that we got at the beginning of the summer was a mishmash of concepts and ideas. We sat down and we looked at how we might reorganize those to make them more coherent. We offered up a series of questions where we think there needs to be more clarification in this standard. We are looking and evaluating a few different frameworks that different organizations want to put forward for privacy by design. So it's, it's very much still in the development stage. I don't have a lot of slides here on the details of the standard for that reason, but I would encourage all of you who have an interest to, to get involved in that. So with that, I will actually open it up here for some questions from the audience
Questions from the audience.
Yep. I've got a quick question. So there's been a lot of talk about allowing consumers to take control of their data. You mentioned it hearing your slide.
Okay. So how do you, how does that help? How do you help consumers take control of their data
Starts with giving them, giving them choices? So we, I think in the last session you were here, you were talking about consent and, and the opt-in choices that are out there, but it's giving them choices. What data do you want to share? What data are you willing to give? What data's actually required as part of the transaction, what what's required versus what's optional. If you are doing some sort of a, a payment transaction, there may be more data required, then I'm signing up for a newsletter. So there, there are a spectrum, if you will to consider,
Hey, I was just curious if there's been any user research done that users will take the time to control their data. Basically, if we give them those controls, do we have evidence to show that they would actually take the time to, I guess, protect their data?
That is an awesome question. Yes. People often say we are concerned. I'm super worried. I want control of my data, and then you give them the controls and they don't always take advantage of them. I would say that the research is troubling, cuz it, it shows evidence on both sides. It shows consumers want those controls available. They want protections available, but there's also research that says, I don't take the time to figure it out. And this is, this is one of the big struggles I've seen it in particular in the regulatory space. You know, you have to offer up choices and, and controls. And at one point I actually had an opportunity to ask a regulator, what is the value of that? Because I don't think my customers actually understand the choices that they're making and kind of the, the off the cuff comment about that was well it's really for the agencies that look after data protection, it's really for the watchdog groups, consumer protection agencies and NGOs. And they're the ones who are really looking at this on behalf of consumers at large. So it's a great point though. At some point you ask too many questions.
I have too many controls.
I just to follow up on that. We did a lot of test and surveys the last two years with customers, cuz we have, we're providing a GDPR compliant platform and you have to remember that with GDPR. The problem is reversed. That means it's completely, you have to obtain. So by default, your data are not shared. So it's up to the vendor now. I mean, let's call that vendor or business to ask for the data. And that makes it very different. You feel as a customer, completely protect and in control because actually by default you don't share and then you have the option. Do I share that one because I want to have this that's very different. And in that case it becomes very positive. Otherwise, if you do reverse, that means you have to opt out on a granular base. That's too overwhelming. I mean, we have so many data, but if you reverse the equation that works much better.
Yes. Those are great points. And that is, it is part of those foundational principles at the beginning. Yeah. Privacy by default
More questions. Well, there's certainly a lot of interest in privacy and, and let's say user managed access and various privacy regulations, any speculation for how they may all play together in the next two to three years or is that too hard?
I was gonna say how they're gonna play together. I'm not sure. I think there will be more of them coming on the books as somebody pointed out earlier, state of California has now entered into this, into this game or, and onto this stage. And I think we will see laws, whether those are at the state level here in the us, trying to cover things that may or may not happen at the federal level or whether those are laws in other countries. The GDPR is certainly a great influencer in getting other countries to establish adequacy so they can trade data back and forth. Right. Brazil just passed a new law maybe a month ago. Now with that goal of trying to be named as an adequate country. And I think the same is happening in Japan. So I think we will continue to see more laws whether or not they will play well together remains to be seen.
True. Okay. If there are no other questions, then thank you. Yeah.