Aligning the 3 Pillars of the Personal Data and Identity Marketplace
By Michael Becker · 3 minute read
Framing the intersection of privacy, security, and compliance to build and maintain trust.
For industry and society to function effectively, we need trust: “to have and maintain confidence in the honesty of another (an individual, system, service, or process) to meet their social, commercial and civic obligations.”. In the context of today’s digitally-driven society—with so many actors, systems, and processes in play with varying agendas—trust is hard to achieve, especially in light of the increasing sophistication, and losses as a result of cybercrime which according to one analyst are estimated to cost the world $10.5 Trillion annually by 2025.
To achieve trust, we must strive to align, and stay aligned, with the three personal data and identity marketplace pillars.
The Three Personal Data and Identity Marketplace Pillars
To understand the personal data and identity marketplace, it is helpful to first understand a handful of key concepts and their interplay—namely privacy, security, and compliance.
Privacy is a process related to an individual being in control of both their physical self (person, stewards, or property—house, cards, connected devices, etc.) and their digital self (i.e., their personal data). For an individual to have privacy they must be in a position to manage all five elements of privacy (the “5 Ws”). These are: who, what, when, where, and why. “Who” refers to the entity (e.g., another individual, enterprise, government, or machine) seeking to gain access to the individual. “What” refers to what an entity is looking to access, i.e., aspects of the individual’s physical or digital self. “When” refers to the timing of the access, i.e., when and for how long will the entity have physical or digital access to elements of the individual. “Where” refers to the location where the interaction, physical connection, or personal data exchange, will take place. This could be in the real world, via mobile, in the cloud, locally on an individual’s device, etc. “Why” refers to requesting an entity’s intention and purpose for wanting access, e.g., what they are going to do with the individual’s data (and, to maintain trust, will they ensure there are no unauthorized secondary uses of the data).
Security, in the context of personal data and identity, refers to the state of a system or service being free from the threat of unauthorized access and ensuring all access control policies—also known as permissions and privileges—are fully operational. To put it another way, a system or service is considered secure when only authorized individuals can access it, i.e., login, and said individuals can only access content and services in accordance with the privileges bestowed upon them by the service administrator. Note: Systems and services administrators will have layers of identity management (i.e., authorization, identification, and verification) to assure, with the appropriate level of confidence (aka risk tolerance), that an individual (or at least the credentials the individual is using to access a system) is authorized and has not been compromised.
Compliance refers to the act of ensuring that all activities related to the legal (both commercial and civic) and regulatory (both industry self-regulatory and government regulatory) requirements are met by all actors involved in an exchange.
Two additional terms are relevant to this discussion: governance and cybersecurity.
Governance refers to the effort of providing oversight on the alignment and execution of all processes and actions necessary for adhering to compliance requirements and the delivery of services.
Cybersecurity refers to the efforts undertaken to protect a system or service from cyber-attacks. In other words, this is the effort to protect all aspects of a system (inc., data, storage, network, devices) from unauthorized access and the compromising of the system’s access and control policies so that systems processes are not overridden, systems are not physically damaged, and data is hacked or leaked.