The rapid pace of innovation in information technology and services, together with ever-growing system complexity, has exposed severe risks to our privacy.
The central question is how to balance the benefits of that innovation against our right to control how our personal data is used.
Privacy by design tries to answer that question by approaching innovation from a design-thinking point of view: privacy is treated as a requirement to be designed in, not a problem to be patched later.
The origin of Privacy by design
Maybe you were introduced to the term privacy by design when the General Data Protection Regulation (GDPR) prescribed the implementation of technical and organizational measures designed with data protection principles in mind.
However, privacy by design is a concept developed in the 1990s by Ann Cavoukian, former Information and Privacy Commissioner of Ontario, to address the ever-growing and systemic effects of Information and Communication Technologies on our privacy.
As Ann pointed out, “Privacy by Design advances the view that the future of privacy cannot be assured solely by compliance with regulatory frameworks; rather, privacy assurance must ideally become an organization’s default mode of operation.”
Privacy by design in the GDPR
Privacy by design means that privacy is already integrated into technology, IT systems, services, and products to ensure data protection. Basically, the entire engineering process is conducted with privacy in mind.
GDPR incorporated privacy by design (Article 25, "Data protection by design and by default") by assigning the controller the responsibility to implement appropriate technical and organizational measures in the design and operation of systems and infrastructure.
Those measures are designed to effectively implement data-protection principles and integrate the necessary safeguards into the processing to meet the regulatory requirements and protect the rights of data subjects.
7 principles of Privacy by design
As technologies rapidly evolve, innovation needs to be approached with privacy in mind, incorporating it into technology and systems. There are seven principles of Privacy by design:
1. Proactive not Reactive; Preventative not Remedial
Privacy by design does not wait for privacy risks to materialize and then offer remedies for the resulting harm.
Incorporating privacy by design means taking proactive and preventive measures so that the privacy-invasive event never occurs in the first place.
This means your organization will have to:
- Demonstrate a strong and clear commitment at the highest level, setting and enforcing standards that are often higher than those required by laws and regulations
- Show a commitment to privacy that is shared throughout the entire organization and with key stakeholders
- Define systematic methods for recognizing poor privacy designs, anticipating poor privacy practices and outcomes, and correcting them before they take effect
2. Privacy as a default setting
Privacy as a default setting means that no action is required on the individual’s part to protect their privacy – also known as Privacy by Default.
Privacy is built into the system and protects personal data by default. This especially includes purpose specification, collection limitation, data retention periods, data minimization, and disclosure limitation, among others.
- Purpose Specification – communicate the purposes for collecting, using, retaining, and disclosing personal data before the information is collected or at the time of collection.
- Collection Limitation – limit the collection of personal data to what is necessary for the specified purposes.
- Data Minimization – keep the collection of personal data to a strict minimum. The design of programs, technologies, and systems should always start with non-identifiable interactions and transactions as the default. Therefore, minimize the identifiability, observability, and linkability of personal information.
- Use, Retention, and Disclosure Limitation – Limit the use, retention, and disclosure of personal data to relevant purposes for which the individual consented (except where otherwise required by law).
3. Privacy Embedded into Design
Privacy embedded into design means that privacy is an essential component of the functionality or technology being delivered, not an add-on bolted on afterwards.
- Adopt a systemic and principled approach to embedding privacy that relies on frameworks and standards which can be adjusted and upgraded through audits and external reviews.
- Carry out privacy impact and risk assessments whenever you can and document privacy risks and all measures taken to mitigate those risks.
- Demonstrably minimize the privacy impact of the resulting technology, operations, or information architecture, and avoid reducing privacy in the name of functionality where it is not necessary.
4. Positive-Sum, not Zero-Sum
- Embed privacy into the design of technology, system, or processes to the greatest extent possible without impairing their functionality.
- Privacy by design rejects the zero-sum view in which privacy must compete with other legitimate interests, objectives, and technical capabilities. Instead, it embraces legitimate non-privacy objectives and accommodates them in an innovative, positive-sum manner.
- Document all interests and objectives, define desired functions, applied metrics, and trade-offs rejected as unnecessary, in favor of finding a solution that enables multi-functionality.
5. End-to-End Security – Full Data Lifecycle Protection
Privacy and Security go hand in hand. Securing data from the collection point to complete data deletion is essential to maintaining privacy.
- Security – Privacy by design ensures a secure personal data lifecycle. Therefore, privacy needs to be maintained through each phase of the data processing.
- Security standards must assure the confidentiality, integrity, and availability of personal data throughout its lifecycle, including data deletion, appropriate encryption, access control, and logging methods.
6. Visibility and Transparency
Privacy by design assures all stakeholders that the business practice or technology involved is in fact operating according to its stated goals and objectives, and is subject to independent verification.
Technology components, parts, and operations should remain visible and transparent to both users and providers. Special emphasis is placed on Fair Information Practices, which include accountability, openness, transparency, and compliance.
- Accountability – when collecting personal data you are also obligated to ensure its protection. All activities related to privacy procedures and policies should be documented and assigned to a specific individual.
- Openness and transparency – all relevant information about personal data management, your policies, and procedures should be available to the individuals.
- Compliance – establish complaint and redress mechanisms and communicate information to individuals, including how to access the next level of appeal. Monitor and evaluate compliance with privacy policies and procedures.
7. Respect User Privacy – Keep it User-Centric
The interests and needs of individuals should be at the center of Privacy by design. The best results are achieved when individuals can take an active role in managing their own personal data. An individual's privacy is supported by:
- Consent – the individual gives consent for the processing of personal data for one or more specific purposes. It can be withdrawn later and is only one of the six lawful bases for processing personal data under GDPR (Article 6).
- Accuracy – a principle that dictates personal data needs to be kept up to date. It needs to be accurate and complete.
- Access – allows individuals to access information about personal data the organization is processing about them.
- Compliance – Organizations need to communicate information about their personal data processing and provide directions on how to lodge a complaint, including the next level of appeal.
How can organizations implement Privacy by Design?
As is usual with GDPR, the regulation prescribes privacy by design but does not describe the technical steps organizations can take to comply.
Until an approved certification mechanism is available that lets organizations demonstrate compliance with Article 25, organizations will have to take multiple factors into account when implementing appropriate technical and organizational measures, including:
- the scope, nature, context, and purposes of processing
- risks to rights and freedoms of individuals
- minimization of the amount of personal data they are processing
- encryption and pseudonymization
- allowing individuals to manage their consent and preferences and give them greater control over their personal data
- mapping out where the organization stores personal data, labeling personal data, and enabling easy search
- setting up the data deletion and data retention schedule
- allowing data portability by structuring personal data in a machine-readable and commonly used format
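The measures in the list above, and the Privacy-by-Default sub-principles earlier on this page (purpose specification, collection limitation, data minimization, use and retention limitation, portability and erasure), can be made concrete in code. What follows is an added, illustrative example written for this article; it is not code from the article or from Cavoukian's paper. The purposes, per-purpose field whitelists, retention periods, secret key and sample record are all assumptions made for the demo. Identifiers are pseudonymized with a keyed hash (HMAC-SHA256) and a separate derived key per purpose, so the same person cannot be linked across datasets kept for different purposes; nothing is stored unless the subject opted in; records past their retention period are purged; and a subject's data can be exported as JSON or erased without a reverse-lookup table.

```python
"""Privacy-by-default record store (added example; purposes, fields,
retention periods, key and sample data are assumptions, not the article's)."""
import hashlib
import hmac
import json
from datetime import datetime, timedelta, timezone

# Purpose specification + collection limitation: each declared purpose names
# the only fields it may hold. Everything else is dropped at intake.
PURPOSES = {
    "order_fulfilment": {"postcode", "order_total"},
    "analytics": {"postcode"},
}
# Retention schedule per purpose (assumed values).
RETENTION = {
    "order_fulfilment": timedelta(days=365),
    "analytics": timedelta(days=30),
}


def pseudonymize(identifier: str, purpose: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed hash (HMAC-SHA256).

    A plain SHA-256 of an e-mail address is reversible by hashing a list of
    candidate addresses; the secret key prevents that. Deriving a separate
    key per purpose gives one person a different pseudonym in each dataset,
    so records kept for different purposes cannot be linked.
    """
    purpose_key = hmac.new(key, purpose.encode(), hashlib.sha256).digest()
    return hmac.new(purpose_key, identifier.encode(), hashlib.sha256).hexdigest()


class FakeClock:
    """Controllable clock so retention can be exercised without waiting."""

    def __init__(self, start=None):
        self.current = start or datetime(2024, 1, 1, tzinfo=timezone.utc)

    def now(self) -> datetime:
        return self.current

    def advance(self, days: int) -> None:
        self.current += timedelta(days=days)


class PrivacyStore:
    def __init__(self, key: bytes, clock=None):
        self._key = key
        self._now = clock or (lambda: datetime.now(timezone.utc))
        self._records = []          # {"purpose", "pseudonym", "collected_at", "data"}
        self.audit_log = []         # (when, action, pseudonym): accountability trail

    def _log(self, action: str, pseudonym: str) -> None:
        self.audit_log.append((self._now().isoformat(), action, pseudonym))

    def collect(self, raw: dict, purpose: str, consented: bool = False) -> bool:
        """Privacy by default: store nothing unless the subject opted in for
        this purpose, and then only the purpose's whitelisted fields."""
        if purpose not in PURPOSES:
            raise ValueError(f"undeclared purpose: {purpose}")
        if not consented:
            return False
        pseudonym = pseudonymize(raw["email"], purpose, self._key)
        self._records.append({
            "purpose": purpose,
            "pseudonym": pseudonym,
            "collected_at": self._now(),
            "data": {k: v for k, v in raw.items() if k in PURPOSES[purpose]},
        })
        self._log("collect", pseudonym)
        return True

    def purge_expired(self) -> int:
        """Enforce the retention schedule; returns the number of records deleted."""
        now = self._now()
        keep, expired = [], []
        for r in self._records:
            (expired if now - r["collected_at"] > RETENTION[r["purpose"]] else keep).append(r)
        for r in expired:
            self._log("purge", r["pseudonym"])
        self._records = keep
        return len(expired)

    def _is_about(self, record: dict, email: str) -> bool:
        # Recompute the per-purpose pseudonym; no reverse-lookup table exists.
        expected = pseudonymize(email, record["purpose"], self._key)
        return hmac.compare_digest(record["pseudonym"], expected)

    def subject_records(self, email: str) -> list:
        """Right of access: everything currently held about one person."""
        found = [r for r in self._records if self._is_about(r, email)]
        for r in found:
            self._log("access", r["pseudonym"])
        return [{"purpose": r["purpose"], "collected_at": r["collected_at"].isoformat(),
                 "data": r["data"]} for r in found]

    def export_subject(self, email: str) -> str:
        """Data portability: the subject's records in a machine-readable format."""
        return json.dumps(self.subject_records(email), sort_keys=True)

    def erase_subject(self, email: str) -> int:
        """Right to erasure across all purposes; returns the number removed."""
        gone = [r for r in self._records if self._is_about(r, email)]
        for r in gone:
            self._log("erase", r["pseudonym"])
        self._records = [r for r in self._records if r not in gone]
        return len(gone)


if __name__ == "__main__":
    clock = FakeClock()
    store = PrivacyStore(key=b"demo-secret-key", clock=clock.now)
    # Constructed sample sign-up payload; "name" and "ip" are never retained.
    alice = {"email": "alice@example.com", "name": "Alice", "ip": "203.0.113.7",
             "postcode": "SW1A 1AA", "order_total": 42.0}
    store.collect(alice, "analytics")                       # no consent: nothing stored
    store.collect(alice, "order_fulfilment", consented=True)
    store.collect(alice, "analytics", consented=True)
    clock.advance(days=31)
    print("purged:", store.purge_expired())                 # analytics record is past 30 days
    print(store.export_subject("alice@example.com"))        # only order_fulfilment remains
    print("erased:", store.erase_subject("alice@example.com"))
```

Two design choices are worth noting. The key used for pseudonymization is the one secret in the system: if it leaks, every pseudonym becomes reversible by hashing candidate addresses, so in a real deployment it belongs in a KMS or HSM rather than in the process's memory or configuration. And because the pseudonym is recomputed from the subject's e-mail on each access or erasure request, the store never needs an e-mail-to-pseudonym lookup table, which would otherwise be a second copy of the very identifier the design is trying not to keep.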
When going through this article, you might find yourself thinking that privacy by design applies only during the planning and execution of new technologies, systems, or products.
However, privacy by design should also be embedded into the ongoing operations to enable organizations to fully tackle GDPR compliance and ensure effective personal data management.
During the design and development stage, you should create with privacy in mind and develop products that have a built-in ability to manage and fulfill all GDPR-related obligations.
For ongoing processes, however, privacy solutions and platforms can close this gap and help you retrofit privacy by design onto systems, technologies, and processes that were designed or implemented before GDPR came into force and may therefore lack a privacy dimension.
Such solutions can help you define data retention and deletion schedules, map out where your data is stored, raise and track risks, and manage data subject requests, among other things.
This article is based on Privacy by Design: The 7 Foundational Principles – Implementation and Mapping of Fair Information Practices by Ann Cavoukian.