The General Data Protection Regulation (GDPR) introduced several changes to how organizations think about data protection, one of which is the legal enshrinement of Privacy by Design (PbD) in Article 25.
But what does Privacy by Design mean, why does the GDPR require it, and how can you implement it?
Keep reading to find out!
What Is Privacy by Design?
Privacy by Design (PbD) is the concept that privacy should be built into systems and processes from the outset, rather than as an afterthought or add-on, to protect user privacy and prevent massive data breaches.
It was first proposed in the 1990s by Ann Cavoukian, former Privacy Commissioner of Ontario, and has since become accepted as a best practice supported by data protection authorities around the world.
Incorporating PbD into systems and processes in the early stages of your project (as well as throughout its lifecycle) offers major benefits:
- It can prevent data breaches by proactively building privacy safeguards into systems, mitigating the risk before it materializes.
- It can help ensure that you comply with legal and regulatory requirements.
- It helps you demonstrate your commitment to protecting customers’ privacy, which leads to building customer confidence.
Implementing PbD requires embedding data privacy in your company’s culture.
You can achieve this by raising awareness of data privacy issues and prioritizing them, integrating data privacy into the design phase of product or service development, and addressing it at every stage of the process.
Privacy By Design and the GDPR
The GDPR applies to any processing of personal data where the controller or the data subject (the person to whom the data relates) is established in the EU or where the processing physically takes place in an EU country.
It contains two sets of requirements, referred to as “data protection by design” and “data protection by default,” both of which are a clear implementation of PbD.
Article 25 states that:
The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
“At the time of the determination of the means for processing” means that you must take data protection into account while you develop your systems and procedures for collecting and processing data, not only after you already hold the data.
The GDPR is no longer the only data protection law containing PbD principles.
The Personal Information Protection and Electronic Documents Act (PIPEDA) in Canada requires companies to have an employee accountable for data processing, limit the data collected, and implement procedures to destroy data no longer needed.
Furthermore, newly enacted laws in Brazil, India, and Switzerland also include “built-in data protection” within them.
The 7 Fundamental Privacy By Design Principles
The concept of PbD is based on seven principles that can help you make better data security decisions. These principles are:
1. Proactive Not Reactive; Preventative Not Remedial
PbD begins with recognizing the value and benefits of proactive, early, and consistent implementation of privacy practices.
The first principle argues that privacy must be at the beginning of the planning process. Before designing a system and process for handling data, you must figure out the privacy risks posed by handling the data, decide what steps are needed to minimize or eliminate those risks, and build them into the system.
If your security practice is simply responding to breaches when they happen, you are being reactive.
In short: Don’t wait for privacy risks to occur; prevent them.
2. Privacy as the Default Setting
According to the second principle, privacy must come first in everything you do, and you can maximize it by ensuring that personal data is automatically protected.
You can achieve this by limiting data sharing, developing systems to identify and collect the minimum amount and scope of data you need, and deleting or anonymizing data you no longer need. It also means using opt-in and opt-out features and protections for consumer data.
For example, if you are planning to use a third-party data analytics tool to better understand the effectiveness of your marketing campaigns, and this tool collects your website visitors’ device information, you should turn that collection off by default. In this way, you comply with the data minimization principle and do not collect this data until you obtain consent.
You should provide the highest level of privacy protection to consumers, lower the data security risk profile and take practical steps to reduce the possibility of data breaches.
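Principle 2 above, together with the pseudonymization and data minimization named in Article 25, as an added Python example that is not from the original post: an intake function that keeps only the fields allow-listed for a stated purpose, drops consent-gated fields such as device information unless the visitor has opted in, and replaces the user identifier with a keyed pseudonym. The purpose table, field names, key and sample record are assumptions constructed for this illustration.

```python
import hashlib
import hmac
from typing import Dict, Optional, Set

# Assumed purpose-to-field allow-list: any field not listed for a purpose is dropped.
PURPOSE_FIELDS = {
    "order_fulfilment": {"user_id", "email", "shipping_address"},
    "marketing_analytics": {"user_id", "device_info"},
}
# Assumed fields that require explicit opt-in consent before they are processed at all.
CONSENT_REQUIRED = {"device_info"}

# Constructed demo key and record; in practice the key lives in a separate key store
# so the pseudonym can only be linked back to the person by the key holder.
DEMO_KEY = b"demo-pseudonymization-key"
SAMPLE_RECORD = {
    "user_id": "u-1001",
    "email": "visitor@example.com",
    "shipping_address": "1 Example Street",
    "device_info": "Mozilla/5.0 (constructed UA)",
    "ip": "203.0.113.7",
}


def pseudonymize(value: str, key: bytes) -> str:
    """Keyed pseudonym: same input and key give the same token; no key, no linkage."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()[:32]


def minimize(record: Dict[str, str], purpose: str,
             consent: Optional[Set[str]] = None) -> Dict[str, str]:
    """Keep only fields allowed for the purpose; consent-gated fields default to off."""
    consent = consent or set()
    allowed = PURPOSE_FIELDS[purpose]
    kept = {}
    for field, value in record.items():
        if field not in allowed:
            continue  # not needed for this purpose: never stored
        if field in CONSENT_REQUIRED and field not in consent:
            continue  # privacy as the default: absent unless the visitor opted in
        kept[field] = value
    return kept


def intake(record: Dict[str, str], purpose: str, key: bytes,
           consent: Optional[Set[str]] = None) -> Dict[str, str]:
    """Minimize first, then pseudonymize the direct identifier before storage."""
    out = minimize(record, purpose, consent)
    if "user_id" in out:
        out["user_id"] = pseudonymize(out["user_id"], key)
    return out
```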
3. Privacy Embedded Into Design
The third principle is about baking privacy into the design, development and implementation of a product, process or system from the beginning. You must embed privacy in the design of IT systems and business practices, and companies should use encryption and authentication and regularly test for vulnerabilities.
For example, when you sign up for a new customer relationship management platform to store and process customer personal data, you need to have processes and controls in place to ensure that this new tool will handle personal data in compliance with privacy laws.
This principle is a reminder to consider privacy a core function of the product and to build it into your systems from the beginning as an integral part of the core functionality — without compromising functionality.
4. Full Functionality – Positive-sum, Not Zero-sum
The fourth principle of PbD addresses all legitimate interests and objectives in a positive-sum “win-win” manner rather than through a zero-sum approach with unnecessary compromises.
You shouldn’t view data privacy as a trade-off against other interests. You can have privacy, revenue, and growth — no need to sacrifice one for the others!
Embedding privacy in a particular technology, process, or system should be done in a way that doesn’t compromise functionality and optimizes all requirements.
5. End-to-End Security – Full Lifecycle Protection
According to the fifth principle, data must be secure at every stage, from collection to use to disclosure and destruction.
Encryption and authentication are the baseline at every stage, but some stages demand more. For example, at collection you should only gather data that you need and for which you have a legal basis.
Furthermore, you must use a range of security measures, including physical, electronic, and organizational restrictions.
For example, transfer of personal data to third parties may present security risks because cyber attackers may attempt to intercept communications to gain unauthorized access to data. One risk factor is the transfer of data through insecure public networks. Organizations can establish and apply internal policies and controls to ensure that all employees transfer data only using specific devices and over secure company networks.
Additionally, you need to use GDPR-compliant erasure/destruction methods for end-to-end protection when you are disposing of data.
Remember, privacy follows data wherever it goes.
6. Visibility and Transparency – Keep It Open
Collecting personal data comes with a duty of care.
Visibility and transparency are essential to creating accountability and trust. Therefore, you should disclose your data protection (and processing) practices so that data subjects know about them, and that information should be open and easy to understand.
7. Respect for User Privacy – Keep It User-centric
The last principle states that everything must remain focused on the user.
It asserts that data held by an organization ultimately belongs to the consumer and organizations should ensure that data subjects are properly informed about how their data is collected and used.
For example, when you rely on consent to process individuals’ data, you should be fair to them, provide sufficient information in an easy-to-understand manner, and never try to trick them into giving consent.
Imagine that when users sign up for a free webinar on your website and fill out a form, they agree to their data being shared with data brokers because of a hard-to-see pre-ticked box at the end of the sign-up form. This would be an unfair practice that exploits users. Furthermore, you should enable individuals to exercise the privacy rights set out in various privacy laws, such as the right of access and the right to deletion.
Empowering data subjects to play an active role in managing their own data may be the most effective control against privacy and personal data misuse.
Who Needs To Consider Privacy by Design?
PbD is especially important if you are a data controller that falls within the scope of the GDPR. The GDPR requires that data protection features be adequate and appropriate for both the processes you use and the data you collect.
Article 25(2) explicitly states:
The controller should implement appropriate technical and organizational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.
Aside from GDPR implications, PbD is now considered a best practice for all organizations that process data.
The implementation of Privacy by Design principles shows that you recognize the value of personal data, and that privacy and personal control over data are freedoms you want to preserve.
By approaching data protection from a design perspective, you can ensure that it is an integral part of your operations, and you can future-proof your organization from both a customer and legal perspective.
Are you ready to implement PbD? Great!
As outlined above, the key is to build privacy into your data collection and processing procedures and systems rather than adding it later.
In addition, you must equip your systems with standard procedures that minimize data collection and processing, thereby reducing the risk of unintentional data breaches.