Varonis debuts trailblazing features for securing Salesforce. Learn More

Introducing Athena AI our new generative AI layer for the Varonis Data Security Platform.

Learn more

Privacy by Design Cheat Sheet

2 min read
Last updated September 22, 2022

Privacy by Design (PbD) has been coming up more and more in data security discussions. Alexandra Ross, the Privacy Guru, often brings it up in her consultations with her high tech clients. Its several core principles have been adopted by U.S. government agencies and others as de facto best practices polices.

PbD is about 20 years old and is the brainchild of Ann Cavoukian, formerly the Information & Privacy Commissioner of Ontario, Canada. Why haven’t we all heard more about it? PbD has been accused of being vague, too consumer-oriented, and not technical. Sure, it’s not a formal technical standard like ISO 27001 or PCI DSS.

Get the Free Pen Testing Active Directory Environments EBook

“This really opened my eyes to AD security in a way defensive work never did.”

Think of PbD as good solid advice to help guide your data security decisions. The security standards, as complex as some of them are, can’t cover every possible security scenario, and that’s where PbD can step in: it’s  like having a data security savvy friend you go to when you’re stuck on a problem.

The Seven Principles

Here are the PbD principles with some brief words on what they really mean:

1. Proactive not Reactive; Preventative not Remedial

The key idea behind this first principle is that you should think about data privacy at the beginning of the data security planning process —not after a data breach. Consider this principle as a kind of a mood setter for the rest of PbD.  Always be thinking privacy (ABTP)!

2. Privacy as the Default Setting

This is the hardest one for companies, especially in the high-tech world, to get their heads around. You’re supposed to give consumers the maximum privacy protection as a baseline: for example, explicit opt-in, safeguards to protect consumer data, restricted sharing, minimized data collection, and retention policies in place. Privacy by Default therefore directly lowers the data security risk profile: the less data you have, the less damaging a breach will be.

3. Privacy Embedded into Design

This is another tough one, especially for rapidly growing high-tech startups. Privacy is supposed to be embedded into the design of IT systems and business practices.  Talk to a typical software developer, and he’s most worried about completing core functionality for the product. Data security techniques such as encryption and authentication are usually put on the backburner in the rush to get features online. And testing for the most common hackable vulnerabilities in software—typically injection attacks—is also often neglected.  These principles tell designers that they should think about privacy as a core feature of the product.

4. Full Functionality – Positive-Sum, Not Zero-Sum

The idea here is that PbD will not compromise business goals. Basically, you can have privacy, revenue, and growth. You’re not sacrificing one for the other. Think of this one as helping to establish a PbD culture in your organization.

5. End-to-End Security – Full Lifecycle Protection

Privacy protections follow the data, wherever it goes. The same PbD principles apply when the data is first created, shared with others, and then finally archived. Appropriate encryption and authentication should protect the data till the very end when it finally gets deleted.

6. Visibility and Transparency – Keep it Open

This is the principle that helps build trust with consumers. Information about your privacy practices should be out in the open and written in non-legalese. There should be a clear redress mechanism for consumers, and lines of responsibility in the organization need to be established.

7. Respect for User Privacy – Keep it User-Centric

This final principle just makes it very clear that consumers own the data. The data held by the organization must be accurate, and the consumer must be given the power to make corrections. The consumer is also the only one who can grant and revoke consent on the use of the data.

What you should do now

Below are three ways we can help you begin your journey to reducing data risk at your company:

  1. Schedule a demo session with us, where we can show you around, answer your questions, and help you see if Varonis is right for you.
  2. Download our free report and learn the risks associated with SaaS data exposure.
  3. Share this blog post with someone you know who'd enjoy reading it. Share it with them via email, LinkedIn, Reddit, or Facebook.
Try Varonis free.
Get a detailed data risk report based on your company’s data.
Deploys in minutes.
Keep reading
Speed Data: The Next Generation of Cybersecurity With Mark Weber
Executive in Residence for the Catholic University of America Mark Weber shares tips for mentoring future cybersecurity professionals.
Varonis Leads DSPM Market on Gartner Peer Insights
As a leader in data security, Varonis is proud to be rated No. 1 in Gartner’s Data Security Posture Management category.
Speed Data: Fusing Empathy and Enterprise With Illena Armstrong
Illena Armstrong shares her advice for future executives, discusses the importance of teamwork, and explains why empathy is powerful for leaders.
AI At Work: Three Steps To Prepare And Protect Your Business
Discover how your business can prepare and protect your sensitive data from the risks that generative AI presents.