The idea of privacy by design is nothing new, nor is it exclusive to the GDPR. It was originally developed in the 1990s by the Information and Privacy Commissioner of Ontario, Dr. Ann Cavoukian, and has since been gradually adopted by privacy professionals and organisations across the globe.
The beauty of the privacy by design principles lies in their practical, hands-on nature: they are not a theoretical set of procedures that nobody can follow in real life. The principles were devised to help protect privacy even in the modern knowledge economy, where huge data flows are the norm.
The privacy by design framework consists of seven original foundational principles, which have been largely transposed into all relevant legislation. Let’s explore these principles and find out how they relate to the GDPR.
1. Proactivity and Prevention
Privacy by design approaches privacy risks proactively. Issues must be prevented before they occur, and steps should be taken to mitigate potential risks even before they become apparent. Poor security and privacy practices must also be recognised and improved early, before they do any harm.
This requires a commitment to consistently enforce the privacy standards required by the GDPR. The GDPR covers this through the requirement to conduct data protection impact assessments before commencing processing operations. The responsibilities of data controllers and processors are also clearly listed and must be followed, which calls for a thorough commitment to proper implementation.
2. Privacy as the Default
The principle of privacy by default mandates that the users’ data must be protected without requiring their input. Individuals should not have to do anything in order to ensure their data is safe – it should be safe by default.
This is covered in Articles 25 and 32 of the GDPR, and DPOs are tasked with ensuring these rules are adhered to. The GDPR also prominently includes the three basic elements of privacy as the default:
- Purpose specification – individuals must be notified what their data will be used for
- Collection limitation – collection of personal data must be lawful and transparent
- Data minimisation – as little data as possible should be collected, and only for immediate processing purposes
3. Privacy Embedded into the Design
During the creation of technologies that will be used by companies and online services, due care must be taken to design them in such a way that privacy protection remains an integral part of the system.
Even before the systems reach end-users, all good privacy protection measures must already be in place. User functionality should be unaffected by these privacy protection measures, and systems should be built so that a potential misconfiguration or error does not degrade privacy. Again, this principle is mostly covered in Articles 25 and 32, along with several Recitals.
4. Full Functionality – Positive-Sum
The aim of privacy by design is to create a win-win situation for all stakeholders. The idea is that these privacy protection measures will create benefits both for the companies and for the users. Instead of a zero-sum situation, where users can only benefit at the companies’ expense and vice versa, these privacy by design measures aim to create positive net effects without making these trade-offs.
Privacy by design should not compete with the design objectives and technical capabilities of the end product. Instead, it should transform objectives that are not privacy-compliant so that their value increases through improved privacy and security.
5. End-to-End Security
Security and privacy of data must be ensured from the point of collection to the eventual destruction of data. At every point of the data lifecycle, it must be continuously protected and accounted for.
The GDPR is notably prescriptive in this regard. Its many provisions on data collection, storage and destruction fully capture the spirit of this rule. The aim is to ensure there are no gaps in data security, as security is considered an essential counterpart to privacy.
Thus, the GDPR requires several methods for ensuring accountability (such as record-keeping) and security (anonymisation, access controls, etc.).
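As an added illustration (not code from the original article), the following Python sketch shows what principles 2, 3 and 5 above look like inside a data-intake component: consent is opt-in by default, only the fields a declared purpose needs are retained, identifiers are pseudonymised with a keyed hash, a misconfigured purpose fails closed (nothing is collected rather than everything), records are destroyed once their retention period lapses, and every decision is written to an audit log for accountability. The purposes, field names, key and form data are constructed assumptions for the example.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional

# Purpose specification: each declared purpose names the only fields it may
# keep (collection limitation, data minimisation) and a retention period.
# The purposes and field names are constructed for this example.
PURPOSES = {
    "order_fulfilment": {"fields": {"name", "shipping_address"}, "retention_days": 90},
    "newsletter": {"fields": {"email"}, "retention_days": 365},
}

# Identifiers that are never stored in the clear; they are replaced by a keyed
# hash so records can still be matched without the raw value being retained.
PSEUDONYMISED_FIELDS = {"email"}


@dataclass
class IntakeRecord:
    purpose: str
    data: Dict[str, str]
    expires_at: datetime


class PrivacyByDefaultIntake:
    """Keeps only purpose-bound fields, fails closed on misconfiguration and
    logs every decision so the processing can be accounted for."""

    def __init__(self, pseudonym_key: bytes, clock: Optional[Callable[[], datetime]] = None):
        self._key = pseudonym_key
        self._clock = clock or (lambda: datetime.now(timezone.utc))
        self.audit_log: List[dict] = []  # record-keeping for accountability

    def _pseudonymise(self, value: str) -> str:
        return hmac.new(self._key, value.encode("utf-8"), hashlib.sha256).hexdigest()

    def _audit(self, event: str, **details) -> None:
        self.audit_log.append({"at": self._clock().isoformat(), "event": event, **details})

    def collect(self, submitted: Dict[str, str], purpose: str,
                consent: bool = False) -> Optional[IntakeRecord]:
        spec = PURPOSES.get(purpose)
        # Privacy as the default: consent is opt-in (defaults to False), and an
        # unknown purpose is a misconfiguration that keeps nothing, not everything.
        if spec is None or not consent:
            self._audit("rejected", purpose=purpose, consent=consent,
                        reason="unknown purpose" if spec is None else "no consent",
                        dropped=sorted(submitted))
            return None
        kept: Dict[str, str] = {}
        dropped: List[str] = []
        for field_name, value in submitted.items():
            if field_name not in spec["fields"]:
                dropped.append(field_name)  # data minimisation: discard at the edge
                continue
            kept[field_name] = (self._pseudonymise(value)
                                if field_name in PSEUDONYMISED_FIELDS else value)
        expires_at = self._clock() + timedelta(days=spec["retention_days"])
        self._audit("collected", purpose=purpose, kept=sorted(kept),
                    dropped=sorted(dropped), expires_at=expires_at.isoformat())
        return IntakeRecord(purpose, kept, expires_at)

    def purge_expired(self, records: List[IntakeRecord]) -> List[IntakeRecord]:
        """End of the lifecycle: destroy records past their retention date."""
        now = self._clock()
        live = [r for r in records if r.expires_at > now]
        self._audit("purged", count=len(records) - len(live))
        return live


def demo() -> dict:
    """Run the scenario against a fixed clock and return the observable results."""
    start = datetime(2024, 1, 1, tzinfo=timezone.utc)
    current = {"t": start}
    intake = PrivacyByDefaultIntake(b"constructed-demo-key", clock=lambda: current["t"])

    form = {"name": "A. Person", "shipping_address": "1 Example St",
            "email": "a@example.org", "date_of_birth": "1990-01-01"}  # constructed input
    order = intake.collect(form, "order_fulfilment", consent=True)
    silent = intake.collect(form, "order_fulfilment")         # no consent given
    broken = intake.collect(form, "analytcs", consent=True)   # misspelt purpose: fails closed
    news = intake.collect(form, "newsletter", consent=True)

    current["t"] = start + timedelta(days=91)                 # order retention has lapsed
    live = intake.purge_expired([order, news])
    return {
        "order_fields": sorted(order.data), "silent": silent, "broken": broken,
        "email_in_clear": "a@example.org" in news.data.values(),
        "live_purposes": [r.purpose for r in live],
        "audit_events": [e["event"] for e in intake.audit_log],
    }
```

The design choice worth noting is the fail-closed branch: a purpose that is not declared is treated the same as missing consent, so a typo in configuration can only ever reduce what is collected. The audit log records what was kept and what was dropped, which is the evidence a later review or supervisory enquiry would ask for.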
6. Visibility and Transparency
The key to accountability (and GDPR compliance) is transparency. All stakeholders, partners and co-processors must be vetted, audited and open to external verification. Without transparency and visibility, there is no real way to ascertain whether the privacy by design principles have been implemented properly.
Model contracts can be used to ensure accountability between data sharing partners, and all information about potential policy breaches should be communicated openly and readily.
The GDPR introduces plenty of mechanisms for ensuring transparency. In Articles 51 through 59, it establishes the concept of supervisory authorities that oversee all data processors in the entire EU. Furthermore, it establishes the European Data Protection Board and introduces stiff fines for all offenders.
7. Respect for Privacy
The best way to achieve great results in implementing privacy by design features is to create products with end-users in mind. They should be designed to meet the users’ needs and include simple ways for users to control and oversee how their data is processed.
The GDPR demands that individuals’ rights be respected by requiring their consent before their data is used, giving them access to their data at all times, and allowing for easy consent withdrawal.
It’s easy to see that proper implementation of privacy by design principles puts companies on the right track to compliance. In fact, most of the GDPR, in essence, is about introducing privacy by design to all companies and organisations processing EU data. Once companies adopt these principles, all that’s left are rather simple administrative measures that will further guarantee compliance.