Have we reached peak privacy? How good IAM and privacy can coexist

Why privacy needs to remain at the forefront of identity and access management.

big brother privacy eye data breach security binary valerybrozhinsky getty
ValeryBrozhinsky / Getty

Data privacy has made big headlines in the last 12 months. Wherever we look there is an article about a data breach, a data protection regulation update, or a colleague talking about data privacy. It may have all become too much, and we have to ask ourselves, “Have we reached ‘peak privacy’?”

In the identity space, data privacy was never really a consideration until we entered the realms of the consumer. In enterprise identity and access management (IAM), although we rarely, if ever, mentioned privacy despite the fact we were using employees’ personal data. When the enterprise perimeter earthquake happened, and we moved our IAM services to cover consumers and citizens, data privacy started to enter the industry parlance.

Why it is important to not become jaded about privacy

Data breaches and privacy violations can almost be thought of as a kind of ‘digital trauma’. When I heard about the Collective #1 data breach that exposed 773 million data records, I thought, “Oh no, not again.” I searched HaveIBeenPwned and sure enough, my email address showed I was part of the data breach, but I didn’t feel worried, as I should be, because I have become desensitized.

Desensitization is a common issue among people who experience trauma. For example, teenagers who are subjected to real-life violence become less affected by acts of violence than their counterparts who have not been exposed. If you experience something over and over, you do get used to it happening. That does not, however, mean that it should be tolerated.

As I write, there will be continued breaches that affect our personal data. The EU’s General Data Protection Regulation (GDPR) helps to focus the minds of organization leaders, but it does not stop cybercriminals trying to steal our personal data. Since the GDPR come into effect, Law firm, DLA Piper have recorded, 59,000 personal data breaches across Europe.

As custodians and processors of personal data, we can’t just turn a blind eye to privacy. It hurts our businesses as much as it hurts the customer who forgoes privacy. A report by Privitar said that 90 percent of consumers are concerned that technological advancements are a risk to data privacy. 

Tech and privacy: A good double act in IAM?

IAM platforms have needed to innovate to keep up with the tidal wave of personal data and to improve customer experience. Data is an incredibly useful commodity that can be used to do online jobs, including the digitization of onboarding processes. Privacy, as seen through the lens of the IAM technology stack, should be intrinsic across a platform.

What does that mean in practical terms? Can we have our privacy cake and eat it, too?

Privacy peak 1: Great UI/UX can facilitate good data privacy

The touchpoint between the identity management backend and the user is where the data privacy choice begins. It is also where your relationship with the customer begins. Privacy is an intrinsic part of trust, which is a relationship-building tool. Your UX should guide your customers down a pathway that distills privacy for them. The UI should reflect the data processing you do in a simple way. If you do this, you start on a pathway to trust by being privacy respectful.

Privacy peak 2: Deliver what you promise

If you tell users you won’t use their data for X or Y, then don’t. If you tell users you will use their data to give them a better service, do so. This type of basic thinking has to be part of the design process at the beginning of building a service. If you have to retro-fit it, it is harder to do but not impossible. Using identity API-based service architecture can help to facilitate the addition of missing features that enhance privacy.

Privacy peak 3: Consent is fluid

Consent management comes in many forms. You should have already taken consent when you first touched the customer’s data. However, consent is fluid. People change their minds. Build consent for data privacy control into the system, end to end. This can be included in transaction consent - OAuth 2.0 and UMA are example protocols for achieving this.

Consent management can also be included in the user’s account manager. Consumer IAM vendors are now beginning to add in the ability to manage consents across services. Even the blockchain can add value here. Used as a layer for consent transaction receipt and audit, it offers an immutable way to show that you have taken the consent requirements of the GDPR seriously.

Privacy peak 4: Technology is the friend of privacy

Privacy is about individual choice, but data privacy is augmented and enforced using technology solutions. Always use the best possible security solutions to enforce the privacy choices of your customers. Make these as seamless as possible. This can be a challenge in certain customer-facing areas, like authentication, but the world of authentication is starting to offer solutions to the conundrum of usability vs. security. Other areas like data in transit and at rest should be secured, by design, in any system that moves personal data, in all of its forms, around.

Let’s make data privacy month data privacy by default

Data Privacy Day has now become Data Privacy Month, which runs until February 28. As custodians of people's data, we should never, ever be desensitized or complacent about data privacy. Data privacy holds the key to the relationship we need to build between our service and our customer. Privacy is not about hiding data, it is about using it with due respect to the person that data represents. When you next set out an RFP for an identity service, make sure you add a requirement that asks for privacy by default.

Copyright © 2019 IDG Communications, Inc.

Get the best of CSO ... delivered. Sign up for our FREE email newsletters!