Don't ask, don't tell: The virtues of privacy by design

After years of personal data breaches and mishandled payment data, lawmakers are waking up to the importance of online privacy. Eleanor McHugh explains why, to comply with new laws, we need to put privacy at the heart of our design processes. But how do we do this when design itself is often seen as the enemy?

We live in a world of poorly protected persistent data silos, the digital equivalent of a rusty tin box tied up with string and buried in a somewhat disheveled flowerbed. The owners of these silos hoard a bewildering array of personal data on everyone who interacts with them on the off chance that some of this might be useful to them in the future or have concrete resale value. A vast industry exists to help secure these silos once they exist, but rarely does anyone asks the key existential question: do we need all that data in the first place? In most cases the answer is no, and by collecting and storing this personal data we’re endangering both our systems and the people who use them. Across the developed world, the outcry over high-profile data breaches has forced legislators to take action, introducing strict new regulations on how personal data can be stored and the rights of individuals both to control their data and to be forgotten. So how as IT professionals can we deal with this new reality? And what are the implications as the IoT expands the scope of personal data and new analytic tools make it increasingly transparent? Eleanor McHugh offers an answer, exploring the relationship between privacy and identity, the slippery nature of consent, and how we can prove after the event that our applications acted correctly. Can we really design all this into our processing systems from their very inception? And if so, how?