[Podcast] More Dr. Ann Cavoukian: GDPR and Access Control


We continue our discussion with Dr. Ann Cavoukian. She is currently Executive Director of Ryerson University’s Privacy and Big Data Institute and is best known for her leadership in the development of Privacy by Design (PbD).

In this segment, Cavoukian tells us that once you’ve involved your customers in the decision making process, “You won’t believe the buy-in you will get under those conditions because then you’ve established trust and that you’re serious about their privacy.”

We also made time to cover General Data Protection Regulation (GDPR) as well as three things organizations can do to demonstrate that they are serious about privacy.

Cindy Ng: Dr. Cavoukian, besides data minimization, de-identification, user access control, what are some other concrete steps that businesses can take to benefit from protecting privacy?

Dr. Cavoukian: I think one of the things businesses don’t do very well is involve their customers in the decisions that they make, and I’ll give you an example. Years ago I read something called “Permission Based Marketing” by Seth Godin, and he’s amazing. And I read it, and I thought, “Oh this guy must have a privacy background,” because it was all about enlisting the support of your customers, gaining their permission and getting them to, as Godin said, “Put their hand up and say ‘count me in.'” So I called him, he was based in California at the time, and I said, “Oh Mr. Godin, you must have a privacy background?” And he said something like, “No, lady, I’m a marketer through and through, but I can see the writing on the wall. We’ve gotta engage customers, get them involved, get them to wanna participate in the things we’re doing.”

So, I always tell businesses that are serious about privacy, “First of all, don’t be quiet about it. Shout it from the rooftops, the lengths you’re going to, to protect your customers’ privacy. How much you respect it, how user-centric your programs are, and you’re focused on their needs in delivering.” And, then, once they understand this is the background you’re bringing, and you have great respect for privacy, in that context you say, “We would like you to consider giving us permission to allow it for these additional secondary uses. Here’s how we think it might benefit you, but we won’t do it without your positive consent.” You wouldn’t believe the buy-in you will get under those conditions because then you have established a trusted business relationship. They can see that you’re serious about privacy, and then they say, “Well by all means, if this will help me, in some way, use my information for this additional purpose.” You’ve gotta engage the customers in an active dialog.

Cindy Ng: So ask, and you might receive.

Dr. Cavoukian: Definitely, and you will most likely receive.

Cindy Ng: In sales processes they’re implementing that as well, “Is it okay if I continue to call you, or when can I call you next?” So they’re constantly feeling they’re engaged and part of the process, and it’s so effective.

Dr. Cavoukian: And I love that. Myself, as a customer… I belong to this air miles program, and I love it, because they don’t do anything without my positive consent. And, yet, I benefit because they send me targeted ads and things I’m interested in. And I’m happy to do that, and then I get more points and then it just continues to be a win-win.

Cindy Ng: Did you write anything about user access controls? What are your thoughts on that?

Dr. Cavoukian: We wrote about it in the context of that you’ve gotta have restricted access to those who have… I was gonna say, “Right to know.” Meaning there is some business purpose for which they’re accessing the data. And that can be…when I say, “business purpose,” I mean that broadly, in a hospital. People who are taking care of a patient, in whatever context, it can be in the lab. They go there for testing. Then they go for an MRI, and then they go… So there could be a number of different arms that have legitimate access to the data, because they’ve gotta process it in a variety of different ways. That’s all legitimate, but those people who aren’t taking care of the patient, in some broad manner, should have absolutely complete restricted access to the data. Because that’s when the snooping and the rogue employee…

Cindy Ng: Curiosity.

Dr. Cavoukian: …picture, the curiosity, takes you away, and it completely distorts the entire process in terms of the legitimacy of those people who should have access to it, especially in a hospital context, or patient context. You wanna enable easy access for those who have a right to know because they’re treating patients. And then the walls should go up for those who are not treating in any manner. It’d be difficult to do, but it is eminently doable, and you have to do it because that’s what patients expect. Patients have no idea that someone might be just, out of curiosity, looking at their file. You’ve had a breast removed, you had… I mean horrible things happen.

Cindy Ng: Tell us about GDPR, and its implications on Privacy by Design.

Dr. Cavoukian: For the first time, right now the EU has the General Data Protection Regulation, which passed for the first time, ever. It has the words, the actual words, “Privacy by Design” and “Privacy as the default” in the statute.

Cindy Ng: That’s great.

Dr. Cavoukian: It’s a first, it’s really huge, but what that means, it will strengthen those laws far higher than the U.S. laws. We talked about privacy as the default. It’s the model of positive consent. It’s not just looking for the opt out box. It’s gonna really raise the bar, and that might present some problems in dealing with laws in the states.

Cindy Ng: Then there’s also their right to be forgotten, and we live in such a globalized world, people both doing business in the states and in Europe, it’s been complicated.

Dr. Cavoukian: It does get very complicated. What I tell people everywhere that I go to speak is that if you follow the principles of Privacy by Design, which in itself raised the bar dramatically from most legislation, you will virtually be assured of complying with your regulations, whatever jurisdiction you’re in. Because you’re following the highest level of protection. So that’s another attractive feature about Privacy by Design is it offers such a high level of protection that you’re virtually assured of regulatory compliance, whatever jurisdiction you’re in.

And in the U.S., I should say, that the FTC, the Federal Trade Commission, a number of years ago, under Jon Leibowitz, when he was Chair, they made Privacy by Design the first of three best practices that the FTC recommended. And since he’s left, and Chairwoman Edith Ramirez is the Chair, she has also followed Privacy by Design and Security by Design, which are absolutely, interchangeably critical, and they are holding this high bar. So, I urge companies always to follow this to the extent that they can, because it will elevate their standing, both with the regulatory bodies, like the FTC, and with commissioners, and jurisdictions, and the EU, and Australia, and South America, South Africa. There’s something called GPN, the Global Privacy Network, and a lot of the people who participate in these follow these discussions.

Cindy Ng: What are three things that organizations can do in terms of protecting their consumers’ privacy?

Dr. Cavoukian: So, when I go to a company, I speak to the board of directors, their CEO, and their senior executives. And I give them this messaging about, “You’ve gotta be inclusive. You have to have a holistic approach to protecting privacy in your company, and it’s gotta be top down.” If you give the messaging to your frontline folks that you care deeply about your customers’ privacy, you want them to take it seriously, that message will emanate. And, then what happens from there, the more specific messaging is, what you say to people, is you wanna make sure that customers understand their privacy is highly respected by this company. “We go to great lengths to protect your privacy.” You wanna communicate that to them, and then you have to follow up on it. Meaning, “We use your information for the purpose intended that we tell you we’re gonna use it for. We collect it for that purpose. We use it for that purpose.” And then, “Privacy is the default setting. We won’t use it for anything else without your positive consent after that, for secondary uses.”

So that’s the first thing I would do. Second thing I would do is I would have at least quarterly meetings with staff. You need to reinforce this message. It’s gotta be spread across the entire organization. It can’t just be the chief privacy officer who’s communicating this to a few people. You gotta get everyone to buy into this, because you… I was gonna say the lowest. I don’t mean low in terms of category, but the frontline clerk might be low on the totem pole, but they may have the greatest power to breach privacy. So they have to understand, just like the highest senior manager has to understand, how important privacy is and why and how you can protect it. So have these quarterly meetings with your staff. Drive the message home, and it can be as simple as them understanding that this is… You’re gonna get what I call, “privacy payoff.” By protecting your customers’ privacy, it’s gonna yield big returns for your company. It will increase customer confidence and enhance customer trust, and that will increase our bottom line.

And the third thing, I know this is gonna sound a little pompous, but I would invite, and only because this happened to me, I’ve been invited in to speak to a company, like, once a year. And you invite everybody, from top to bottom. You open it up and… People need to have these ideas reinforced. It has to be made real. “Is this really a problem?” So, you bring in a speaker. I’m using myself as an example because I’ve done it, but it can be anybody who can speak to what happens when you don’t protect your customers’ privacy. It really helps for people inside a company, especially those doing a good job, to understand what can happen when you don’t do it right and what the consequences are to both the company and to employees. They’re huge. You can lose your jobs. The company could go under. You could be facing class action lawsuits.

And I find that it’s not all a bad news story. I give the bad news, what’s happening out there and what can happen, and then I applaud the behavior of the companies. And what they get is this dual message of, “Oh my God, this is real. This has real consequences when we fail to protect customers’ privacy, but look at the gains we have, look at the payoff in doing so.” And it makes them feel really good about themselves and the job that they’re doing, and it underscores the importance of protecting customers’ privacy.

Cindy Ng

Cindy is the host of the Inside Out Security podcast.