Privacy by design and GDPR
The General Data Protection Regulation (GDPR) is a complex and heavily enforced privacy law that protects the personal data of European Union data subjects. While many organisations focus their GDPR compliance efforts on updating privacy policies, responding to data subject requests and putting standard contractual clauses in place, one element is often overlooked: privacy by design.
Privacy by design requires privacy to be integrated into the development and creation of new devices, systems and operations, and is closely tied to compliance with GDPR Article 25.
In this article, we will discuss the concept of privacy by design, what it is and what requirements it imposes, how this concept relates to GDPR and the seven foundational principles of privacy by design.
What is privacy by design?
Privacy by design is a framework based on proactively embedding privacy into the design and operation of IT systems, network infrastructure and business practices. Originally developed by Ann Cavoukian, the former Information and Privacy Commissioner of Ontario, Canada, the framework holds that privacy requirements should be considered from the design stage onward, throughout the entire data lifecycle.
The privacy by design framework includes the following seven foundational principles:
- Proactive, not reactive; preventative, not remedial. Privacy by design anticipates and prevents breaches before they happen;
- Privacy as the default. Personal data is automatically protected so users do not have to take additional actions to preserve their privacy;
- Privacy embedded into design. Privacy must be an essential component of the core functionality, not an add-on;
- Full functionality; positive-sum, not zero-sum. Privacy and functionality should not be traded off against each other; both can be achieved;
- End-to-end security; full lifecycle protection. The framework extends security throughout the entire lifecycle of personal data, ensuring that strong measures are in place from collection to deletion;
- Visibility and transparency. You should be clear with users and providers about the level of security and privacy that you provide; and
- Respect for user privacy: keep it user-centric. You should respect users by offering them measures such as strong privacy defaults, appropriate notices, and user-friendly privacy options.
Privacy by design and GDPR
While following privacy by design principles is an efficient way to integrate good privacy and security practices into your organisation, what does the framework have to do with GDPR compliance? GDPR Article 25 covers data protection by design and by default and includes the following requirements:
- Implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles; and
- Implement appropriate technical and organisational measures for ensuring that, by default, only the personal data which are necessary for each specific purpose of the processing are processed.
Following the privacy by design framework will aid you in meeting the requirements of GDPR stated above.
Implementing privacy by design
Unlike some other compliance tasks, implementing privacy by design is an ongoing effort that spans many projects and departments. If you are considering implementing this concept in your work and organisation, you should follow these guidelines from the European Data Protection Supervisor:
- Define a methodology to integrate privacy and data protection requirements as part of projects that concern the processing of personal data;
- Identify and implement adequate technical and organisational measures to protect personal data; and
- Integrate the support of privacy in the management and governance framework of your organisation, by identifying tasks and defining and allocating resources and responsibilities.
Privacy by design is a cornerstone of any responsible privacy management program and can help you in your quest for GDPR compliance, reducing incidents and complaints. Therefore, implementing this concept should be a priority for compliance departments.