Privacy by Design – The Key to Protecting User Data

Pal Kienitz
December 20th 2018
Posted In: Business, Cyber Security

The balance between innovative technology and data privacy has become increasingly difficult to manage – especially as the software we use on a daily basis is getting smarter. The more personal data our applications use, the more concerned we become about our data privacy. So how can we continue to invest in smart software applications that make life easier, without compromising on data privacy? Well, we can find a large part of the answer in the concept of ‘privacy by design’.

The Personalised Experience

Personalised services and products have enhanced our lives in many ways. We enjoy more tailored user experiences, we connect better with the outside world, and we even trust our technology to help us remember – and predict – important life events. However, as service providers, we must ensure that we don’t gamble with user privacy in order to deliver the benefits of these tailored solutions.

Data Privacy by Design

If your customers trust your brand or your product, they will generally trust in your ability to safely manage the data they give you. But when it comes to delivering on that trust, data privacy mustn’t be an afterthought. It needs to be built into every stage of your product development. This is why Privacy by Design has become such an important factor.
Privacy by Design is built on a framework of 7 principles, issued by the Information and Privacy Commissioner of Ontario in 1995 and revised in 2011. These principles are the key elements of designing solutions using data privacy best practice.

1. Be Proactive

Data privacy should always be preventative rather than reactive or remedial. This means that you plan and prepare for privacy invasion before it happens. Rather than addressing situations as they appear – or when they have already taken place – Privacy by Design uses a process for risk analysis and mitigation to prevent the system from being exposed to risk in the first place.

2. Treat Data Privacy as the Default

Data privacy should never rely on the user. Privacy by Design strives to build maximum privacy into the basic functionality of the system, which means that there is automatic protection in place at all times. This should never require the individual taking any specific action to protect themselves – it must be provided by default.

3. Embed Privacy into Design

Privacy must not be treated as a nice-to-have or an add-on. It should be embedded into the very design and structure of its processes. This allows privacy to become an integrated feature, as critical as any other software design element. Privacy should also be achieved without reducing or lowering the level of functionality offered.

4. Deliver Full Functionality

Privacy by Design strives to achieve a solution that not only delivers privacy protection, but does so while still delivering excellent user experience and benefit. In other words, the solution should deliver full value to the user without compromising on their privacy. This approach encourages the creation of solutions that don’t simply exclude features where it may be difficult to achieve data privacy. Instead, it puts pressure on developers to find solutions that deliver the same or better value while protecting the user’s privacy.

5. Deliver Full Lifecycle Protection

By incorporating data privacy into every stage of the development of a solution, you will be able to ensure that the system is designed to securely collect, use, retain and destroy user data in alignment with data protection regulations. This creates the foundation for safe end-to-end handling of user information without having to weld together various data management processes.

6. Keep it Transparent

Visibility is a key element of Privacy by Design. The business must be confident that they maintain the right level of privacy, and they can get that assurance by using transparent checkpoints and verification throughout the development journey. This allows everyone to trust that the end result will safely manage any personal information.

7. Focus on the user

At every single level, the business must prioritise the needs of the user and a respect for their privacy. After all, this is what will determine whether you can successfully market and manage the solution. With a backbone of best practice across the entire development process, you and your customers can be confident that privacy is securely built into the very structure of the system.

Best Practice is Best

Data privacy best practice should sit at the very heart of every development project. As we add more customised functionality that relies on user data, we must be increasingly aware of not just regulatory requirements but also real, tangible risk to the user in case of a data breach. However, by incorporating these fundamental building blocks to our development projects, we can help users trust in how applications and websites use their information.

Cookie	Duration	Description
__hssrc	session	This cookie is set by Hubspot whenever it changes the session cookie. The __hssrc cookie set to 1 indicates that the user has restarted the browser, and if the cookie does not exist, it is assumed to be a new session.
AWSALBCORS	7 days	This cookie is managed by Amazon Web Services and is used for load balancing.
cookielawinfo-checkbox-advertisement	1 year	Set by the GDPR Cookie Consent plugin, this cookie is used to record the user consent for the cookies in the "Advertisement" category .
cookielawinfo-checkbox-analytics	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Analytics".
cookielawinfo-checkbox-functional	11 months	The cookie is set by GDPR cookie consent to record the user consent for the cookies in the category "Functional".
cookielawinfo-checkbox-necessary	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-others	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Other.
cookielawinfo-checkbox-performance	11 months	This cookie is set by GDPR Cookie Consent plugin. The cookie is used to store the user consent for the cookies in the category "Performance".
CookieLawInfoConsent	1 year	Records the default button state of the corresponding category & the status of CCPA. It works only in coordination with the primary cookie.
JSESSIONID	session	The JSESSIONID cookie is used by New Relic to store a session identifier so that New Relic can monitor session counts for an application.
viewed_cookie_policy	11 months	The cookie is set by the GDPR Cookie Consent plugin and is used to store whether or not user has consented to the use of cookies. It does not store any personal data.

Cookie	Duration	Description
__cf_bm	30 minutes	This cookie, set by Cloudflare, is used to support Cloudflare Bot Management.
__hssc	30 minutes	HubSpot sets this cookie to keep track of sessions and to determine if HubSpot should increment the session number and timestamps in the __hstc cookie.
aqcamp	1 month	This cookie is used to customize the application behavior to user preferences.
bcookie	2 years	LinkedIn sets this cookie from LinkedIn share buttons and ad tags to recognize browser ID.
bscookie	2 years	LinkedIn sets this cookie to store performed actions on the website.
lang	session	LinkedIn sets this cookie to remember a user's language setting.
lidc	1 day	LinkedIn sets the lidc cookie to facilitate data center selection.
messagesUtk	1 year 24 days	HubSpot sets this cookie to recognize visitors who chat via the chatflows tool.
UserMatchHistory	1 month	LinkedIn sets this cookie for LinkedIn Ads ID syncing.
vuid	2 years	Vimeo installs this cookie to collect tracking information by setting a unique ID to embed videos to the website.

Cookie	Duration	Description
_gaexp	1 month 10 days 11 hours	Google Analytics installs this cookie to determine a user's inclusion in an experiment and the expiry of experiments a user has been included in.
_uetsid	1 day	Bing Ads sets this cookie to engage with a user that has previously visited the website.
_uetvid	1 year 24 days	Bing Ads sets this cookie to engage with a user that has previously visited the website.
ADRUM_BTa	past	This cookie is used to optimize the visitor experience on the website by detecting errors on the website and share the information to support staff.
AWSALB	7 days	AWSALB is an application load balancer cookie set by Amazon Web Services to map the session to the target.

Cookie	Duration	Description
__hstc	1 year 24 days	This is the main cookie set by Hubspot, for tracking visitors. It contains the domain, initial timestamp (first visit), last timestamp (last visit), current timestamp (this visit), and session number (increments for each subsequent session).
_ga	2 years	The _ga cookie, installed by Google Analytics, calculates visitor, session and campaign data and also keeps track of site usage for the site's analytics report. The cookie stores information anonymously and assigns a randomly generated number to recognize unique visitors.
_ga_CNWWV4VG3L	2 years	This cookie is installed by Google Analytics.
_gat_UA-3669062-1	1 minute	A variation of the _gat cookie set by Google Analytics and Google Tag Manager to allow website owners to track visitor behaviour and measure site performance. The pattern element in the name contains the unique identity number of the account or website it relates to.
_gcl_au	3 months	Provided by Google Tag Manager to experiment advertisement efficiency of websites using their services.
_gid	1 day	Installed by Google Analytics, _gid cookie stores information on how visitors use a website, while also creating an analytics report of the website's performance. Some of the data that are collected include the number of visitors, their source, and the pages they visit anonymously.
_hjAbsoluteSessionInProgress	30 minutes	Hotjar sets this cookie to detect the first pageview session of a user. This is a True/False flag set by the cookie.
_hjFirstSeen	30 minutes	Hotjar sets this cookie to identify a new user’s first session. It stores a true/false value, indicating whether it was the first time Hotjar saw this user.
_hjIncludedInPageviewSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's pageview limit.
_hjIncludedInSessionSample	2 minutes	Hotjar sets this cookie to know whether a user is included in the data sampling defined by the site's daily session limit.
_hjTLDTest	session	To determine the most generic cookie path that has to be used instead of the page hostname, Hotjar sets the _hjTLDTest cookie to store different URL substring alternatives until it fails.
ajs_anonymous_id	20 years	This cookie is set by Segment to count the number of people who visit a certain site by tracking if they have visited before.
ajs_user_id	never	This cookie is set by Segment to help track visitor usage, events, target marketing, and also measure application performance and stability.
CONSENT	2 years	YouTube sets this cookie via embedded youtube-videos and registers anonymous statistical data.
hubspotutk	1 year 24 days	HubSpot sets this cookie to keep track of the visitors to the website. This cookie is passed to HubSpot on form submission and used when deduplicating contacts.

Cookie	Duration	Description
_fbp	3 months	This cookie is set by Facebook to display advertisements when either on Facebook or on a digital platform powered by Facebook advertising, after visiting the website.
_opt_expid	past	Set by Google Analytics, this cookie is created when running a redirect experiment. It stores the experiment ID, the variant ID and the referrer to the page that is being redirected.
fr	3 months	Facebook sets this cookie to show relevant advertisements to users by tracking user behaviour across the web, on sites that have Facebook pixel or Facebook social plugin.
IDE	1 year 24 days	Google DoubleClick IDE cookies are used to store information about how the user uses the website to present them with relevant ads and according to the user profile.
MUID	1 year 24 days	Bing sets this cookie to recognize unique web browsers visiting Microsoft sites. This cookie is used for advertising, site analytics, and other operations.
test_cookie	15 minutes	The test_cookie is set by doubleclick.net and is used to determine if the user's browser supports cookies.
VISITOR_INFO1_LIVE	5 months 27 days	A cookie set by YouTube to measure bandwidth that determines whether the user gets the new or old player interface.
YSC	session	YSC cookie is set by Youtube and is used to track the views of embedded videos on Youtube pages.
yt-remote-connected-devices	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt-remote-device-id	never	YouTube sets this cookie to store the video preferences of the user using embedded YouTube video.
yt.innertube::nextId	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.
yt.innertube::requests	never	This cookie, set by YouTube, registers a unique ID to store data on what videos from YouTube the user has seen.