[Podcast] More Dr. Ann Cavoukian: GDPR and Access Control

[Podcast] More Dr. Ann Cavoukian: GDPR and Access Control

We continue our discussion with Dr. Ann Cavoukian. She is currently Executive Director of Ryerson University’s Privacy and Big Data Institute and is best known for her leadership in the development of Privacy by Design (PbD).

In this segment, Cavoukian tells us that once you’ve involved your customers in the decision making process, “You won’t believe the buy-in you will get under those conditions because then you’ve established trust and that you’re serious about their privacy.”

We also made time to cover GDPR as well as three things organizations can do to demonstrate that they are serious about privacy.

Here are some highlights of our interview:

On User Access Control

You’ve got to have restricted access, to those who have a right to know, meaning there is a business purpose for which their accessing the data.

When I say business purpose, I mean that broadly. But it could be in a hospital, people who are taking care of a patient, in whatever context. It could be in the lab, they go there for testing. So there could be a number of different arms that have a legitimate access to the data.

Those who aren’t taking care of the patient in some broad manner should have restricted access to data. That’s when the snooping, the rogue employee, the curiosity, it distorts the legitimate reasons for the people who should have access to information.

Especially in a hospital context, you want to enable access to people who have a right to know because they are treating you. And then the walls should go up for those who are not treating you in any manner. It’s difficult to do, but you have to do it. Because that’s what patients expect. Patients have no idea that out of curiosity, someone who shouldn’t have access is looking at their file.

Three Things Organizations Can Do

1. When I go to an organization to speak about privacy, I speak to the CEO, Board of Directors, and senior executives, I give them message that they need to be inclusive, you have to have a holistic approach to protecting privacy and it’s got to be top down. If you get that messaging to your front line folks, that you care deeply about your customer’s privacy, that message will emanate.

Also let your customers know that their privacy is highly respected by this company, we go to great lengths to protect your privacy, you want to communicate that to them and then you have to follow up on it. Meaning, we use your information for the purpose intended, that we tell you what we use it for, we collect it for that purpose, and then privacy is the default setting, we won’t use it for anything else without your positive consent after that for secondary uses.

2. I would have at least quarterly meetings with staff. You need to reinforce this message. It needs to be spread across the entire organization.

It can’t be just the Chief Privacy Officer, who is communicating this to a few people. You have to have everyone buy into this. The front line clerk might be low on the totem pole, but they might have the greatest power to breach privacy, so they need to understand just like the highest senior manager, how important privacy is and why and how you can protect it.

Meet with you staff, drive the message home, you’re going to get what I call a privacy payoff, you’re protecting your customer’s privacy, it’s going to yield big returns for your company, it will increase customer confidence and enhance customer trust and it will increase your organization’s bottom line.

3. I would invite a speaker and everyone from your company so that you can have these ideas reinforced. You bring in a speaker who can speak to what happens, when you don’t protect your customer’s privacy.

Last year they called it the year of the data breach, it was rampant, so it really helps to tell the people in your company and help them understand what could happen when you don’t do it right and what the consequences are to the company and to the employee – you could lose your job, the company could go under, you could be facing a class-action lawsuit.

It’s not an all a bad news story, I’ll give the bad news and then I applaud the behavior of the company and what they get is this dual message, this has real consequences when we fail to protect our customer’s privacy, but look at the gains and payoff. It makes them feel really good about themselves about the good job they’re doing and it underscores the importance of protecting privacy.

Learn more about Dr. Cavoukian:

Subscribe Now

Add us to your favorite podcasting app:

Follow the Inside Out Security Show panel on Twitter @infosec_podcast



Get the latest security news in your inbox.