
Privacy by Design Cheat Sheet

2 min read
Last updated September 22, 2022

Privacy by Design (PbD) has been coming up more and more in data security discussions. Alexandra Ross, the Privacy Guru, often brings it up in her consultations with her high tech clients. Its several core principles have been adopted by U.S. government agencies and others as de facto best-practice policies.

PbD is about 20 years old and is the brainchild of Ann Cavoukian, formerly the Information & Privacy Commissioner of Ontario, Canada. Why haven’t we all heard more about it? PbD has been accused of being vague, too consumer-oriented, and not technical. Sure, it’s not a formal technical standard like ISO 27001 or PCI DSS.


Think of PbD as good solid advice to help guide your data security decisions. The security standards, as complex as some of them are, can’t cover every possible security scenario, and that’s where PbD can step in: it’s like having a data security savvy friend you go to when you’re stuck on a problem.

The Seven Principles

Here are the PbD principles with some brief words on what they really mean:

1. Proactive not Reactive; Preventative not Remedial

The key idea behind this first principle is that you should think about data privacy at the beginning of the data security planning process, not after a data breach. Consider this principle as a kind of mood setter for the rest of PbD. Always be thinking privacy (ABTP)!

2. Privacy as the Default Setting

This is the hardest one for companies, especially in the high-tech world, to get their heads around. You’re supposed to give consumers the maximum privacy protection as a baseline: for example, explicit opt-in, safeguards to protect consumer data, restricted sharing, minimized data collection, and retention policies in place. Privacy by Default therefore directly lowers the data security risk profile: the less data you have, the less damaging a breach will be.

3. Privacy Embedded into Design

This is another tough one, especially for rapidly growing high-tech startups. Privacy is supposed to be embedded into the design of IT systems and business practices. Talk to a typical software developer, and he’s most worried about completing core functionality for the product. Data security techniques such as encryption and authentication are usually put on the backburner in the rush to get features online. And testing for the most common hackable vulnerabilities in software, typically injection attacks, is also often neglected. This principle tells designers that they should think about privacy as a core feature of the product.

4. Full Functionality – Positive-Sum, Not Zero-Sum

The idea here is that PbD will not compromise business goals. Basically, you can have privacy, revenue, and growth. You’re not sacrificing one for the other. Think of this one as helping to establish a PbD culture in your organization.

5. End-to-End Security – Full Lifecycle Protection

Privacy protections follow the data, wherever it goes. The same PbD principles apply when the data is first created, shared with others, and then finally archived. Appropriate encryption and authentication should protect the data till the very end when it finally gets deleted.

6. Visibility and Transparency – Keep it Open

This is the principle that helps build trust with consumers. Information about your privacy practices should be out in the open and written in non-legalese. There should be a clear redress mechanism for consumers, and lines of responsibility in the organization need to be established.

7. Respect for User Privacy – Keep it User-Centric

This final principle just makes it very clear that consumers own the data. The data held by the organization must be accurate, and the consumer must be given the power to make corrections. The consumer is also the only one who can grant and revoke consent on the use of the data.
