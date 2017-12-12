Engineering for Privacy Requires Standards
Common sense guidelines and standards are needed to help engineers create products that respect privacy and give users the rights to their own data.
Companies across all industries are dealing with the General Data Protection Regulation (GDPR), which comes into force in May, giving enhanced privacy protection to personal data. The related EU-wide Payment Service Directive 2 (PSD2) will open up customer transactions and data to third parties with appropriate consent.
Methods and common practices to meet these requirements are not established yet, a potential roadblock for product developers. The Kantara Initiative is working to address this challenge with its recently launched Consent Management Solutions Work Group.
iWelcome and digi.me, pioneers in what’s called the consent market, are leading the work group’s efforts to provide a guideline document around privacy policies. They eventually hope to craft standards with a certification program.
Regulations mandate consent must be explicit and informed. The question is though how to do that in a way that works for individuals.
A recent iWelcome survey on the adoption of GDPR throughout Europe found that only 20 percent of respondents are on the right track. The vast majority--80 percent of respondents—said they are just starting or have not yet started becoming GDPR-compliant.
The Kantara group aims to review best practices and thoughts on the issues to derive standards that can fill the gaps. All outputs from the work group will be non-proprietary and designed to help people meet the new regulations around personal identity and privacy information.
New consent and privacy-aware techniques may open up new job opportunities. Some expect an explosion in demand for such expertise.
The GDPR applies to employees as well as end users. Engineers and their companies will need to deploy consent management solutions and best practices for internal use, as well as for services they sell.
Companies must ensure contracts state the purpose of collecting and processing personal data, who the data will be shared with, for what reason and for how long. Firms will need to know where personal data is held, who is processing it and ask for employee consent for these purposes.
As our identities and personal data become primarily digital, they will become a recognized currency with real value to both consumers and businesses. Engineers and their companies have a real opportunity to capitalize on this digital transformation, but they will need to know and implement clear guidelines.
Colin Wallis is the executive director of the Kantara Initiative.