Privacy by design and default are principles that have been in the privacy engineering lexicon for decades, but only recently have come more broadly to light. These principles aren’t just recommendations or best practices anymore. Privacy by design and default are legally required of companies building products and services in or for the European Union market and other jurisdictions around the world.
Simply put, privacy by design and default demands that developers consider the privacy implications at the ideation phase and embed privacy protections and functionality into products and services from the start. And, to the extent there are optional configurations and user settings, the default settings should be the most privacy protective.
Privacy professionals have known – and the Cisco 2020 Consumer Privacy Survey provides supporting evidence – that consumers care deeply about privacy. Nearly one third of respondents, identified as “Privacy Actives,” said they stopped doing business with a company over data privacy concerns. Their biggest concern? Transparency. Nearly half did not know what companies were doing with their data and felt they were unable to effectively protect their privacy. Most respondents wanted more transparency in how their data is being used.
Cisco’s privacy program is anchored around three strategic considerations – compliance, ethics, and privacy as a business imperative. We believe that organizations of all types and sizes must address all three when collecting, using, and processing personal data. Transparency regarding how privacy is respected and protected is critical to workforce, customer, and public trust. Ultimately, when choosing and doing business with a vendor, customers consider one fundamental question: “Do I trust you?” If they don’t trust how you handle their data, you won’t get or keep their business.
The Pandemic Effect: Why more people demand privacy
COVID-19 has raised the general public’s awareness of privacy on multiple fronts. For one, governments, employers, and the people around us are all suddenly interested in our sensitive health information – how we’re feeling, what our COVID-19 status is, where we’ve been, and with whom we’ve been in contact. Contact tracing, while an important tool for containing the pandemic, is incredibly intrusive. According to our study, fewer than half (49%) of respondents supported contact tracing, with just 37% in favor of sharing COVID-19 status-related information. This is the question that privacy by design and default address: how do we design a privacy-respectful method for contact tracing?
Enabling confidence through transparency
At Cisco, we’ve been working on a way to provide contact tracing and proximity tracking capabilities to enable the economy to reopen. Using the Wi-Fi-based technology of our DNA Spaces platform, we have developed a way to enable our customers to better monitor their campuses or worksites. By using Wi-Fi and data related to access-point proximity, we collect and log location data only while the person is onsite, but nowhere else. Moreover, the person is invisible to DNA Spaces unless and until their device Wi-Fi is turned on, mitigating the privacy risks of stealth monitoring and mass surveillance by design.
We also have partnered with ServiceNow to help ensure data is securely handled with tight access controls and auto-expiry. With ServiceNow, the data is only available on a strict need-to-know basis for a limited time, with logging and audit capabilities to detect and prevent misuse. DNA Spaces will allow offices, schools, and other sites to better manage their facilities, understand utilization and density, and facilitate contact tracing and notification of potential exposure – all while minimizing privacy impact.
As Cisco prepares to re-open our offices and facilities, we will be using DNA Spaces as well. To validate and ensure that privacy risks are appropriately addressed and that local labor law requirements are met, we worked with several EU-based works councils (i.e., internal labor unions) to obtain feedback and suggestions on product design, disclosures, and user experience. Designing with privacy in mind and being transparent about how we respect and protect privacy builds and maintains trust with our workforce, customers, and users.
Transparency opens the door to trust
Being transparent – especially in unusual and evolving circumstances such as those we find ourselves in today – not only gives our customers and workforce the confidence to trust us, it also helps us to continually learn and improve. At Cisco, we post privacy data sheets and data maps on the Cisco Trust Portal and publicly explain how our products and services process, manage, and protect personal data.
In return for this transparency, we not only meet our legal obligations, we also get crowd-sourced advice on how to do better. The general public, media, and customers have not been shy about telling us how to improve – what we can do to explain things more clearly, what questions they want answered upfront, and what information they want to see. We appreciate their guidance and incorporate their feedback – after all, they are who we are here to serve.
Today, privacy is much more than just a compliance obligation. It is a fundamental human right and business imperative that is critical to building and maintaining trust. The core privacy and ethical principles of transparency, fairness, and accountability will guide us in this new, digital-first world.