Skip to main content

Michael Becker, MEF PD&I Working Group Chair​ discusses the intersection of privacy, security, and compliance to build and maintain trust between society and industry.

For industry and society to function effectively, we need trust: “to have and maintain confidence in the honesty of another (an individual, system, service, or process) to meet their social, commercial and civic obligations.”. In the context of today’s digitally-driven society—with so many actors, systems, and processes in play with varying agendas—trust is hard to achieve, especially in light of the increasing sophistication, and losses as a result of cybercrime which according to one analyst are estimated to cost the world $10.5 Trillion annually by 2025.

To achieve trust, we must strive to align, and stay aligned, with the three personal data and identity marketplace pillars.

The Three Personal Data and Identity Marketplace Pillars

To understand the personal data and identity marketplace, it is helpful to first understand a handful of key concepts and their interplay—namely privacy, security, and compliance.

  • Privacy is a process related to an individual being in control of both their physical self (person, stewards, or property—house, cards, connected devices, etc.) and digital self (i.e., their personal data). For an individual to have privacy they must be in a position to manage all five elements of privacy (the “5 Ws”). These are: who, what, when, where, and why. “Who” refers to the entity (e.g., another individual, enterprise, government, or machine) seeking to gain access to the individual. “What” refers to what an entity is looking to access, i.e., aspects of the individual’s physical or digital self. “When” refers to the timing of the access, i.e., when and for how long will the entity have physical or digital access to elements of the individual. “Where” refers to the location where the interaction, physical connection, or personal data exchange, will take place.

This could be in the real world, via mobile, in the cloud, locally on an individual’s device, etc. “Why” refers to requesting an entity’s intention and purpose for wanting access, e.g., what they are going to do with the individual’s data (and, to maintain trust, will they ensure there are no unauthorized secondary uses of the data).

  • Security, in the context of personal data and identity, refers to the state of a system or service being free from the threat of unauthorized access and ensuring all access control policies—also known as permissions and privileges—are fully operational. To put it another way, a system or service is considered secure when only authorized individuals can access it, i.e., login, and said individuals can only access content and services in accordance with the privileges bestowed upon them by the service administrator. Note: Systems and services administrators will have layers of identity management (i.e., authorization, identification, and verification) to assure, with the appropriate level of confidence (aka risk tolerance), that an individual (or at least the credentials the individual is using to access a system) is authorized and has not been compromised.
  • Compliance refers to the act of ensuring that all activities related to the legal (both commercial and civic) and regulatory (both industry self-regulatory and government regulatory) requirements are met by all actors involved in an exchange.

Two additional terms are relevant for this discussion: governance and cybersecurity.

  • Governance refers to the effort of providing oversight on the alignment and execution of all processes and actions necessary for adhering to compliance requirements and the delivery of services.
  • Cybersecurity refers to the efforts undertaken to protect a system or service from cyber-attacks. In other words, this is the effort to protect all aspects of a system (inc., data, storage, network, devices) from unauthorized access and the compromising of the system’s access and control policies so that systems processes are not overridden, systems are not physically damaged, and data is hacked or leaked.

The figure (Figure 1: 3 Pillars of the Personal Data and Identity Marketplace) below illustrates the interplay between these three pillars.

Figure 1: 3 Pillars of the Personal Data and Identity Marketplace

Establishing and Maintaining Trust

When the three pillars of personal data and identity management are working in harmony, and continue to do so over time, all parties in a physical or digital exchange can build and maintain trust. This trust is reinforced by the interplay of the overlapping elements of the system: Faith (people have faith in systems to function properly), Ombudsman (people feel protected as there are institutions providing oversight of the systems on their behalf), and Accountability (public and private institutions are holding systems and their administrators accountable to complying to the law and regulations).

When any one of these pillars becomes unstable, trust is eroded, the marketplace becomes less efficient, and any number of harms can befall the various actors (individuals, private organizations, and public institutions).

Where Do We Go From Here?

Establishing and maintaining trust is paramount for a healthy society and economy. For the personal data and identity marketplace to continue to flourish, more is needed than what is depicted above.

First, individuals, the people, need to take more personal accountability for the flow of their identity and personal data; they should not just rely on the ombudsman and faith. They should educate themselves on both the opportunities that can be generated from actively managing their data and the risks when they do not. They should learn to enact the digital rights afforded to them by the current and impending regulations. And, they should actively adopt passive and active technologies and services to protect themselves.

The enterprise must participate in the education and support of their constituents (aka prospects, users, customers, patients, voters, etc.), to continue to fortify their systems—which will include the adoption of emerging self-sovereign identity infrastructure, i.e., technology that will be individually in control of their data.

Finally, government and non-governmental bodies must become more fluent in today’s technology and continue with their efforts to help establish policies and guidelines that support and protect the agency of the individual while supporting and stimulating innovation and local, regional, federal, international, and global market competition.

Michael Becker

Founder, CEO, Identity Praxis

  

MEF