What is “privacy by design” and why is it important?
Privacy by design (PbD) is an engineering and managerial approach taken when creating new technologies and systems. The term speaks for itself – with PbD you incorporate privacy measures at the design stage, so no matter the purpose of the system, it will always protect privacy by default. In that way privacy becomes not only a feature but a part of the system.
The underlying idea behind PbD is that controllers and processors should take in advance the effective technological and organizational measures that ensure personal data is automatically protected, rather than rely on retroactive measures for compliance.
Why should you implement PbD?
Well, first, you might be obliged to. According to Article 25 of the GDPR, controllers should implement appropriate technical and organizational measures “both at the time of the determination of the means for processing and at the time of the processing itself”.
Second, and more important, with an optimal initial investment PbD allows you to:
- maximize security and prevent costly data breaches, and
- gain customer trust and reputation.
PbD is a win-win approach for both your company and your customers.
Understanding PbD: the principles
Different people have tried to pin down the underlying principles behind PbD but among them Ann Cavoukian, Ph.D., is the undisputed leader. According to her, the 7 principles of PbD are:
- Proactive not Reactive; Preventative not Remedial: you should anticipate and prevent data breaches before they happen. Just like in medicine – prevention is always more effective and less expensive than treatment.
Example: You make a Data Protection Impact Assessment for your digital marketing and you find that processing data about subjects’ sexual preferences poses higher risks than benefits. You should immediately exclude that data from the targeting process.
- Privacy as the Default: users rarely change the default settings, everyone knows that. That’s why you should ensure that personal data is automatically protected, and the system is created to be secure. Ensuring your customers’ privacy is your responsibility, not theirs.
Example: When storing information in databases, make encryption the default setting. Only system administrators should be able to make changes.
- Privacy Embedded into Design: systems should be designed in a way that prevents their proper functioning unless the privacy requirements are met. Moreover, if you embed privacy into the design, rather than trying to add it on later, the system will run better.
Example: Before you send a marketing email, the system checks if you have the necessary consent. If not – the system shows an error message and refuses to send the email.
- Full Functionality: trade-offs shouldn’t be made to accommodate either privacy or functionality. Your customers’ interests should be balanced with the legitimate interests of the business.
Example: You measure your managers’ success based on their sales and for that purpose you process invoices. However, you don’t need the customers’ personal data – if you pseudonymize it, you can still have full functionality without unnecessary processing.
- End-to-End Security: you should make sure that information is secure and protected throughout the entire data lifecycle, that is, (1) the data’s entry into the system, (2) the retention period, and (3) its destruction.
Example: Personal data could be retrieved from old hard disks that are no longer in use. You should use hard disks that automatically delete data after a set time period.
- Visibility and Transparency – if you are open about your system, and the level of security it provides, you create trust and hold your organization accountable. Users and other parties should be able to know exactly how their data is processed and protected.
Example: Instead of having lengthy Terms and Conditions and Privacy Policies that nobody reads, try making a short video or an infographic explaining their main points.
- User focus: when making your processing analysis you should adopt the user’s point of view. In other words, that’s customer focus in relation to data protection. Try to determine what the negative consequences for your customers will be if their data is not securely protected.
Example: A dating site makes a Data Protection Impact Assessment about data breach risks, regardless of non-compliance fines, and finds that additional measures are needed given the sensitivity of the information.
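The “Privacy Embedded into Design” example above (the system refuses to send a marketing email without consent) is a fail-closed gate. The following Python sketch is an added illustration, not code from the original guide; the consent registry, the purpose name “marketing” and the transport callback are assumptions.

```python
from dataclasses import dataclass, field
from datetime import datetime, timezone
from typing import Callable, Dict, List, Optional


@dataclass
class ConsentRecord:
    purpose: str
    granted_at: datetime
    withdrawn_at: Optional[datetime] = None


@dataclass
class ConsentRegistry:
    """Consent per data subject and purpose; an unknown subject has none (default-deny)."""
    _records: Dict[str, List[ConsentRecord]] = field(default_factory=dict)

    def grant(self, subject_id: str, purpose: str) -> None:
        self._records.setdefault(subject_id, []).append(
            ConsentRecord(purpose, datetime.now(timezone.utc)))

    def withdraw(self, subject_id: str, purpose: str) -> None:
        # Withdrawal is recorded, not deleted, so the history stays demonstrable.
        for rec in self._records.get(subject_id, []):
            if rec.purpose == purpose and rec.withdrawn_at is None:
                rec.withdrawn_at = datetime.now(timezone.utc)

    def has_consent(self, subject_id: str, purpose: str) -> bool:
        return any(r.purpose == purpose and r.withdrawn_at is None
                   for r in self._records.get(subject_id, []))


class ConsentRequired(Exception):
    """Raised when a send is attempted without a valid consent record."""


def send_marketing_email(registry: ConsentRegistry, subject_id: str, address: str,
                         body: str, transport: Callable[[str, str], None]) -> bool:
    """The only send path in the system: the privacy check cannot be skipped by callers."""
    if not registry.has_consent(subject_id, "marketing"):
        raise ConsentRequired(f"no marketing consent on file for subject {subject_id}")
    transport(address, body)
    return True


if __name__ == "__main__":
    outbox = []  # constructed stand-in for a real mail transport
    reg = ConsentRegistry()
    reg.grant("cust-42", "marketing")
    send_marketing_email(reg, "cust-42", "c42@example.com", "hello", lambda a, b: outbox.append((a, b)))
    reg.withdraw("cust-42", "marketing")
    try:
        send_marketing_email(reg, "cust-42", "c42@example.com", "hello", lambda a, b: outbox.append((a, b)))
    except ConsentRequired as err:
        print("refused:", err)
```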
What are the differences between PbD and Data Protection by Design?
If you’re from the US, you probably didn’t expect there to be any differences. That’s because US law doesn’t distinguish “privacy” from “data protection”. EU law, however, does.
In Europe “privacy” should be understood in the context of Article 7 of the Charter of Fundamental Rights of the European Union (CFREU) – the right to respect for private and family life. “Protection of personal data” is a separate right under Article 8 of the CFREU, in connection with the secure processing of EU citizens’ data.
How do the two terms relate in the GDPR?
These differences between the two rights are reflected in the GDPR. Therefore, “privacy by design” is the principle – the broad concept of technological measures for ensuring privacy. “Data protection by design”, on the other hand, refers to the specific legal obligations in relation to data processing established by Article 25 of the GDPR.
The obligations set out in Article 25 incorporate all seven PbD principles, reflecting the connection between the two terms. Data protection by design, however, is based on a negative approach – controllers should incorporate the appropriate technological and organizational measures so long as that’s necessary for risk prevention.
Privacy by design, on the other hand, offers a positive approach that not only ensures regulatory compliance, but incorporates ethical aspects as well. PbD as a principle calls for respect for the citizens’ privacy and gives them control over the processing of their data.
Implementing PbD: the strategies
The principles of PbD outline only the broad framework for designing modern information systems. The implementation of these principles into the specific technological architecture of the system, however, requires specific strategies.
- Minimize – provide more targeted protection on less data. To do that, you need a business analysis at the earliest possible stage of information system design so that you can determine how your business needs can be met with the least amount of data. Remember that data carries potential for profit but also generates costs and potential risk.
Example: An online store estimates that it is not justified to collect data of underage customers – this group is a potential segment, but the risk of collecting such sensitive data is too great. Instead, they create a “parent” segment and target parents with children’s goods.
- Hide – “hide” personal data in such a way that either access to it is restricted or it is impossible to read by unauthorized persons.
Example: The payment operator obliges all its employees to use a hard drive encryption program, so that even if a business laptop is lost or stolen, the risk of sensitive information leaking is low.
- Divide – avoid linking different databases either physically or logically – associated data carries a greater risk to the individual. You can either isolate data processing in different locations or allocate the data in separate databases or tables in the same database.
Example: A major bank decides to centralize all personal data it stores in a single central database with very high security level. Different departments only process data within their own systems, identifying individuals with special unique numbers. The link between the person and the number is contained only in the central database.
- Use abstraction – limit the amount and degree of detail of personal data by collecting or processing aggregated data instead of individual-level data. To do that you could summarize statistical characteristics and group individuals into specific categories.
Example: An online media outlet maintains analytical information about the traffic to its website. Every two weeks, it reviews the number of unique sessions, their average length, the number of likes on each article, etc. The unit of analysis, however, is the article (not personal data), not the user (personal data).
- Inform – provide sufficiently detailed and clear information for the purpose of processing. Allow users to make an informed decision whether they want to provide their personal data.
Example: The cloud provider creates a video explaining to its customers how data encryption technologies work in their product and what other security measures have been put in place to ensure the security of stored personal data.
- Control – give subjects maximum control over their personal data. In that way you can build trust with your customers while generating value from their personal information.
Example: The profile of a person on a social network has an “Edit” button that allows the user to add data, delete data, or update it.
- Impose – control, maintain and apply a set of policies, procedures and instructions that document the actual processes that need to be followed in order to maintain a high level of information security and data protection.
Example: Every 12 months, a major bank reviews all its data protection processes and procedures against a predefined set of metrics. If goals haven’t been met, measures are taken to address them. New tasks receive a deadline, a responsible employee, and resources.
- Demonstrate – monitor and create a trail and evidence of the various personal data processing activities. You can achieve that by introducing a logging system for all actions, together with storage and analysis of the generated logs.
Example: A card payment operator hires external consultants to analyze the information management system and identify potential gaps. The results are presented to the Board of Directors who prioritize the recommended measures and authorize the necessary budget for their implementation.
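The “Full Functionality” example (pseudonymized invoices still support the sales metric) and the “Divide” example (departments work with unique numbers, the link to the person lives only in the central database) rely on the same mechanism. The Python below is an added illustration, not the guide’s own code; the identity vault, the HMAC-derived token format and the sample invoices are assumptions constructed for the example.

```python
import hashlib
import hmac
from collections import defaultdict
from typing import Dict, List

PERSONAL_FIELDS = ("name", "email", "address")


class IdentityVault:
    """Central database: the only place that links a person to their pseudonym."""

    def __init__(self, key: bytes):
        self._key = key                   # secret; never handed to departments
        self._link: Dict[str, dict] = {}  # pseudonym -> personal data

    def pseudonymize(self, person: dict) -> str:
        # Keyed HMAC instead of a plain hash: the same customer always gets the same
        # token, but without the key the token cannot be recomputed from an e-mail.
        digest = hmac.new(self._key, person["email"].strip().lower().encode(),
                          hashlib.sha256).hexdigest()
        pid = "C-" + digest[:16]
        self._link.setdefault(pid, dict(person))
        return pid

    def reidentify(self, pid: str) -> dict:
        """Resolving a token back to a person is possible only here."""
        return self._link[pid]


def departmental_copy(vault: IdentityVault, invoice: dict) -> dict:
    """Invoice as given to the sales department: personal fields replaced by a token."""
    pid = vault.pseudonymize({k: invoice[k] for k in PERSONAL_FIELDS})
    copy = {k: v for k, v in invoice.items() if k not in PERSONAL_FIELDS}
    copy["customer_ref"] = pid
    return copy


def sales_per_manager(dept_invoices: List[dict]) -> Dict[str, float]:
    """The manager-performance metric, computed without any personal data."""
    totals = defaultdict(float)
    for inv in dept_invoices:
        totals[inv["manager"]] += inv["amount"]
    return dict(totals)


# Constructed sample invoices (fictitious customers)
SAMPLE_INVOICES = [
    {"invoice_id": 1, "manager": "alice", "amount": 120.0, "name": "Jane Roe",
     "email": "Jane@Example.com", "address": "1 Main St"},
    {"invoice_id": 2, "manager": "bob", "amount": 80.0, "name": "John Doe",
     "email": "john@example.com", "address": "2 High St"},
    {"invoice_id": 3, "manager": "alice", "amount": 30.0, "name": "Jane Roe",
     "email": "jane@example.com", "address": "1 Main St"},
]
```

Running `departmental_copy` over `SAMPLE_INVOICES` with one vault yields the same token for both Jane Roe invoices, so the sales totals are still correct while the department never sees a name, e-mail or address.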