Privacy by design: How small tech can lead the way

51Degrees

11/11/2020 5:00 PM

In today’s digital world, privacy can’t be an afterthought. Yet for smaller tech businesses, privacy compliance can seem, at best, an inconvenient overhead and, at worst, an impossible mission.

Wherever you stand, we’re here to let you in on some good news: it is possible. Don’t play in the grey areas and hope nobody will bring it up. Keep your eyes open, take care, and you’ll find that privacy doesn’t have to be difficult.

GDPR: A help, not a headache

Back in 2017, we made a big decision: to create a new kind of one-stop-shop for real-time data services – Pipeline API. To better serve the needs of a changing digital industry, we expanded our focus beyond device detection to incorporate other microservices, including GPS-based geolocation (reverse geocoding).

With these additional technologies, personal data privacy is a fundamental issue. Just like a search engine requires data from user search queries to function better, our real-time data services rely on building large data sets to perform accurately and continuously improve. As a smaller player, we can’t (and wouldn’t) employ the same “privileges” as the Googles of the world when it comes to capturing data from users. Which got us thinking: in this day and age, what’s the best way for small tech to go about data sharing?

Fortunately, at this time, the General Data Protection Regulation (GDPR) was on its way in. As a UK-based company, we fully committed ourselves to complying with these laws. The timing meant that we were able to implement privacy by design at the heart of our new data services platform.

So, where did we start? Well, this time, it wasn’t with the engineering – but with data privacy.

It’s not just the data – it’s how you use it

Under GDPR, a data-based business falls into one of two categories: a “processor” or a “controller”.

As a processor, you use data only as others direct: you take data in, do something with it (like look up a location), send the result back again, and store nothing along the way. If, on the other hand, you use the data for purposes beyond processing it for others, then you are, by definition, a controller. And with this great power comes great (legal) responsibility towards people and their privacy.

Doing everything in our power to preserve privacy, we’ve designed this into our standard contracts by recognizing that we are “joint controllers” with our customers. It means that we, with our customers, have a transparent arrangement and shared obligations under the GDPR.

For many of our services we do not receive personal data. But sometimes we do. As joint controllers, who we are and how we use a person’s data – such as an IP address or latitude and longitude – is all out in the open. This strengthens the chain of data privacy between us, our customers, and their end users.

But IP addresses aren’t personal data… are they?

Actually, yes – often, they can be. And, frankly, whoever said “it’s not personal – just business” would do well to catch up on some GDPR bedtime reading.

Again, it all depends on context. A public IP address of a WiFi hotspot in a coffee shop, for example, doesn’t relate to an individual. So, it’s not considered personal data under the GDPR. Nor is a User Agent or HTTP header related to a device model, operating system, or browser version. However, an IP address associated with someone’s house, where they’re the only resident? Or location data that’s derived from an IP address? They’re pseudonymous identifiers – proxies for an individual. Under the GDPR interpretations, that’s personal data – and we treat it as such.

IP blindness is a hot topic within the Google Privacy Sandbox debate. As a member of W3C, we’re actively involved in the standards and conversations shaping the future of digital services. Whether small tech or big, we all must be part of the solutions. We all must develop ways to use these features of the web responsibly – not perpetuate the misinformed stereotypes that threaten to cause harm in the name of progress.

As third-party cookies crumble away, IP targeting may have an important role to play – but only if managed respectfully. People need to be informed about what their IP address is being used for. Otherwise, it’s just as creepy as using cookies – perhaps even creepier, because IP data is harder for people to opt out of or reset.

The bottom line is: if you’re using IP data to construct a pseudonymous identifier that falls outside the “legitimate interest” grounds for processing under the GDPR, then you need to inform these people and get their consent. Of course, the same goes for directly identifiable personal data, like a name or address. As joint controllers by default in our click-wrap contracts, we’ve designed future-proof systems and contracts to responsibly support both scenarios.

Putting privacy into practice

So, what does joint control under the GDPR look like for our customers and their end users? Well, for starters, customers who use our services match their privacy policy with our privacy policy.

This explains the joint controller arrangement to the people who use their service. They know about 51Degrees and how we will use their data. It also provides a clear process for individuals to exercise their rights to privacy.

Let’s take an IP address, for example. An individual can contact us, through the privacy policy, to explain that their IP address was provided to us. After getting proof of their identity and their association with that IP address, we’ll remove that IP address from use within 14 days.

With our ISO 9001 and ISO/IEC 27001 standards, we’ve gone above and beyond to embed quality and information security in our business. This includes policies and procedures that standardize the way we take on board complaints or feedback. With the GDPR constantly evolving, we’re always ready to listen to suggestions about how we might do things better.

It’s important to say that our customers don’t have to be joint controllers with us – we have bespoke contract options when that’s the case. But here’s a fun fact: many companies out there are already joint controllers without realizing it. And (you guessed it) many of these are undoubtedly falling foul of the GDPR privacy law.

Take the humble Facebook “Like” button, for example. Popping it on your website couldn’t be easier. But did you know that merely displaying it shares personal data with Facebook? According to the ECJ, following the Fashion ID ruling, that makes you a joint controller with Facebook – subject to all the same obligations we’ve talked about here. Interesting.

You won’t find a Facebook “Like” button on our website. That’s because our commitment to privacy runs through everything we do. We don’t track people across the web, but only use server-side tracking to monitor traffic within the four walls of our website.

If you fancy playing detective for five minutes, there’s a great real-time website privacy inspector tool called Blacklight. Run 51Degrees through the wringer and you’ll see that we’re not playing games when it comes to privacy. And while you’re there, why not see how your company and other service provider websites are doing? Warning: you might be shocked by what you find.

A virtuous circle

As a freemium, open source company, we’re big fans of open data. That’s why we give back to the digital business community with generous, four-tier data subscriptions – starting for free. All the data we gather (with permission) goes straight into improving services that make the digital world more rewarding for everyone.

For small-tech players like us that rely on data sharing to improve products and compete with the biggies, we believe joint control under the GDPR is the best way forward. It’s another way to show how we, as a data industry, are designing a better web with privacy at the heart.