During the development of online systems, privacy is often an afterthought: protections are bolted onto an app, program, or website late in the project, only to satisfy a specific legal requirement or to quiet user concerns.
Privacy by Design (PbD) is the concept that privacy should be integrated into design and development processes from the beginning rather than retrofitted at the end. In the European Union (EU) it is a legal requirement (the GDPR's "data protection by design and by default" provision in Article 25), and it has long been regarded as a business best practice.
As concerns about privacy rise in the US and around the world, it has become essential to develop systems that prioritize Privacy by Design.
1. What is Privacy by Design?
Privacy by Design is a framework developed in the 1990s by Ann Cavoukian, then Ontario's Information and Privacy Commissioner. According to Cavoukian's explanatory document on PbD, privacy must become an integral consideration in design processes, policies, procedures, and protocols.
The goal of Privacy by Design is to make privacy protection a priority equal to priorities such as advancing commerce or developing new technological innovation.
2. The 7 Core Privacy by Design Principles
The Privacy by Design framework has seven basic principles that reflect the idea that privacy protection should form part of the initial project development and not become a consideration only after a breach has already occurred.
Here are the seven Privacy by Design principles:
1. Privacy must be proactive, not reactive
Anticipate and prevent events that violate privacy.
Identify systems that do a poor job of protecting privacy and take steps to correct them.
This principle reflects a high-level commitment to privacy and the establishment of ways to integrate privacy concerns into new projects.
2. Privacy must be the default setting
Systems should automatically protect privacy, even if a user does nothing.
For example, you should create user settings that are automatically set to the highest privacy level, and default to collecting the least personal information needed.
3. Privacy must be embedded in the design
Privacy should form part of a system’s architecture.
Imagine an internet service provider whose focus is on using new technology to deliver faster connections. This principle says that privacy must not be sacrificed in order to reach those higher speeds; it is part of the architecture, not a feature that competes with performance.
4. Privacy integrations must offer full functionality, and be positive-sum (not zero-sum)
Accommodate functionality and privacy in a “win-win” manner.
Users should never have to make the choice between full functionality and privacy protection. They should have full access to features without having to give up more of their personal information.
5. Systems must offer end-to-end security and full lifecycle protection
Full lifecycle protection means you must act responsibly the entire time you hold user data, from collection through storage and sharing to secure deletion once the data is no longer needed.
6. Privacy standards must offer visibility and transparency
Your data practices should be visible to users and open to independent verification: state what you collect and why, and operate the way your stated policy says you do.
7. Systems must prioritize user privacy
Keep the design user-centric: strong privacy defaults, clear notice, and easy-to-use options for users to control their own data.
In order to fully comply with the Privacy by Design framework, your online infrastructure must comply with all seven principles.
3. Privacy by Design & GDPR
Privacy by Design has been enforceable law in the EU since the GDPR took effect in May 2018. Article 25 ("data protection by design and by default") requires data controllers to implement appropriate technical and organizational measures, such as pseudonymization and data minimization, and to ensure that by default only the personal data necessary for each specific purpose is processed.
Importantly, the GDPR is extraterritorial: it applies to you if you offer goods or services to individuals in the EEA or monitor their behavior, regardless of where your business is located.
In the United States, Privacy by Design isn’t legally mandated by federal law, but it’s a recommended practice by the FTC. Companies that violate user privacy and engage in deceptive business practices may be penalized by the FTC.
4. How to Implement Privacy by Design
If you are a business or website owner in the US and target individuals in the EEA, or even monitor their activity, you need to follow Privacy by Design principles.
If you aren’t legally required to implement PbD, you should implement privacy-first practices to build trust with your users, prevent security breaches, and prepare for new and changing privacy laws.
Start complying with PbD by completing a Data Protection Impact Assessment (DPIA). Although the GDPR only mandates DPIAs for processing that is likely to result in a high risk to individuals, they provide a useful framework for assessing how your business processes affect user privacy.
You can follow guidelines from the UK Information Commissioner’s Office to develop a DPIA. Some basic steps for creating a DPIA include:
- Identify information flows: what’s collected, why is it collected, and where does it go.
- Identify privacy risks: who can access the data (including third parties and vendors), how it could be misused or exposed, and what harm that would cause users.
- Identify and implement ways to reduce privacy risks.
After drafting a DPIA, come up with specific ways to safeguard user privacy. Here’s a Privacy by Design checklist with some actionable steps you can take to implement PbD for your business:
- Don’t ask for more information than necessary from users.
- Anonymize personal data so it can't be connected to a specific person; where you still need to link records, pseudonymize identifiers instead (for example with a keyed hash) and keep the key separate from the data.
- Provide opt-in options for users to set their data collection preferences.
- Remind users to review their privacy settings.
- Delete old data: set a retention period for each kind of data and enforce it automatically rather than relying on manual clean-ups.
- Follow the Security by Design approach by automating data security controls in IT systems.
- Develop procedures to effectively detect, report, and investigate data breaches. Under the GDPR, a breach must be reported to the supervisory authority within 72 hours of becoming aware of it, so the procedure needs to be rehearsed, not just written down.
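The following is an added example, not code from the original article or from Cavoukian's framework, showing how three of the checklist items above (collect only what you need, pseudonymize rather than store raw identifiers, delete old data) and the "privacy must be the default setting" principle look in a signup pipeline. All names, the field allowlist, the retention period and the sample records are hypothetical. It also shows why the pseudonym must be a keyed HMAC rather than a plain SHA-256 hash: e-mail addresses have little entropy, so an unkeyed hash is recoverable by guessing.

```python
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Hypothetical allowlist: the only fields the signup flow actually needs.
ALLOWED_FIELDS = frozenset({"email", "country", "created_at"})
# Hypothetical retention period after which a record is purged.
RETENTION = timedelta(days=365)
# Privacy-by-default: every optional feature starts switched off.
DEFAULT_SETTINGS = {"analytics_tracking": False, "marketing_email": False, "profile_public": False}


def minimize(record):
    """Keep only allowlisted fields; anything else the form sent is discarded."""
    return {k: v for k, v in record.items() if k in ALLOWED_FIELDS}


def pseudonymize(identifier, key):
    """Keyed HMAC-SHA256 of a normalized identifier. Equal inputs give equal
    tags (records can still be joined), but without `key` the tag cannot be
    matched against guessed identifiers. Destroying the key later turns the
    pseudonymous data set into an anonymous one."""
    normalized = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def new_user_settings(opt_ins=None):
    """Start from the most private defaults; only an explicit True opts in."""
    settings = dict(DEFAULT_SETTINGS)
    for name, value in (opt_ins or {}).items():
        if name in settings and value is True:
            settings[name] = True
    return settings


def onboard(raw_record, key, opt_ins=None):
    """Minimize, replace the e-mail with a pseudonym, apply default settings."""
    record = minimize(raw_record)
    record["user_id"] = pseudonymize(record.pop("email"), key)
    record["settings"] = new_user_settings(opt_ins)
    return record


def purge_expired(records, now):
    """Drop every record older than RETENTION (the 'delete old data' item)."""
    cutoff = now - RETENTION
    return [r for r in records if r["created_at"] >= cutoff]


def guess_identifier(tag, candidates, tag_fn):
    """Dictionary attack: return the candidate whose tag matches, if any."""
    for candidate in candidates:
        if hmac.compare_digest(tag_fn(candidate), tag):
            return candidate
    return None


def demo():
    """Run the pipeline on constructed sample data and return checkable results."""
    key = b"hypothetical-pseudonymization-key"  # in production: from a secrets store
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)
    raw = {  # constructed signup submission; 'phone' is not needed and must go
        "email": "  Alice@Example.COM ",
        "country": "DE",
        "phone": "+49 30 000000",
        "created_at": now,
    }
    record = onboard(raw, key, opt_ins={"marketing_email": True, "profile_public": "yes"})
    stale = {  # constructed record that is past its retention period
        "user_id": pseudonymize("bob@example.com", key),
        "country": "FR",
        "created_at": now - timedelta(days=400),
        "settings": new_user_settings(),
    }
    retained = purge_expired([record, stale], now)
    candidates = ["bob@example.com", "alice@example.com"]
    plain = lambda e: hashlib.sha256(e.encode()).hexdigest()  # the weak alternative
    return {
        "fields": sorted(record),
        "user_id_matches_normalized": record["user_id"] == pseudonymize("alice@example.com", key),
        "settings": record["settings"],
        "retained_ids": [r["user_id"] for r in retained],
        "plain_hash_guessed": guess_identifier(plain("alice@example.com"), candidates, plain),
        "hmac_guessed": guess_identifier(record["user_id"], candidates, plain),
    }


if __name__ == "__main__":
    print(demo())
```

Note that `"profile_public": "yes"` does not opt the user in: only an explicit boolean `True` does, so a sloppy client cannot accidentally flip a default. The final two results show the same candidate list recovering the address from the plain hash while the keyed tag gives nothing away.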
In order to create the best Privacy by Design framework for your business, tweak or expand on these recommendations according to the nature of your business, industry, and data practices.
When in doubt, refer back to the founding principles of Privacy by Design and ask yourself if there’s more you can do to protect the personal information of your users.