Privacy by Design and by Default Under GDPR

Privacy by Design is not a new concept that the General Data Protection Regulation (GDPR) introduced. It was indeed created and developed by Ann Cavoukian, the former Information & Privacy Commissioner of Ontario, Canada.

Privacy by design means protecting data through technology at the beginning of the processing. It encompasses a) IT systems; b) accountable business practices; and c) physical design and networked infrastructure. An organization should embed privacy and security in every step of the system design. Cavoukian introduced the seven foundation principles of Privacy by Design:

1. Proactive, not Reactive; Preventative not Remedial: it states that privacy by design aims to take all the preventive measures to deal with privacy violations before they happen.
2. Privacy as the Default Setting: the users need not take any preventive measures to protect their data as privacy and security are already implemented in the system by default.
3. Privacy Embedded into Design: privacy and security are embedded in the design of a project and thus becomes an integral part of the system.
4. Full Functionality — Positive-Sum, not Zero-Sum: Privacy does not have to interfere with other legitimate interests, design objectives, and technical capabilities, and it can be done in a way that full functionality of the system is achieved.
5. End-to-End Security — Full Lifecycle Protection: Security must be ensured throughout the lifecycle of the personal data. It includes methods of secure destruction, proper encryption, and strong access methods.
6. Visibility and Transparency — Keep it Open: The processing should remain visible and transparent and per the regulation in place. The controllers should be accountable and verify that the procedures are compliant with privacy policies.
7. Respect for User Privacy — Keep it User-Centric: Ensure users’ privacy is the top priority, and to make sure that, implementing the following:

a) obtaining explicit consent from them;

b) keeping up to date and accurate data;

c) allowing access to personal data;

d) informing the users of their rights; and

e) complying with privacy protection regulations.

This principle also suggests making the system as user-friendly as possible.

This article discusses the concept of privacy by design and default and their requirements under the GDPR.

GDPR made privacy by design a legal requirement and renamed it as ‘data protection by design and default.’ According to ICO, data protection by design and default means “appropriate technical and organizational measures to implement the data protection principles and safeguard individual rights.” It states that you should integrate data protection from the designing stage of processing activities. Article 25 of GDPR lists the requirements for data protection by design and default.

Let’s look at what your organization requires to do to execute these concepts.

Data Protection by Design

Per Article 25(1), an organization should consider aspects like nature, scope, the purpose of the processing, and analyze the severity of risks involved in processing the personal data. Then they should integrate the appropriate measures, such as the following:

Pseudonymization: a technique of processing data in a manner that the personal data can no longer identify a particular person without additional data.

Encryption: a mathematical technique of converting data into codes that only authorized users can access.

Anonymization: a technique of removing personally identifiable information from the data so that it cannot be associated with a person.

You should ensure that any processing activity involving personal data is done with data protection and privacy in mind. The privacy should be built in a system from the inception throughout the life cycle of the process. Integrate data protection in your organization practices and adopt the seven principles as discussed earlier to meet the privacy by design requirements.

Data Protection by Default

Per Article 25(2), your organization should carry out the following GDPR principles to make sure that personal data are kept safe and not subjected to unauthorized use or access by default:

Data minimization: Collect only the data necessary for the intended use.

Purpose limitation: Collect or process data only for the specified purpose.

Storage limitation: Do not store data longer than necessary for the intended purpose.

Data Protection Impact Assessment (DPIA) is a risk assessment process that helps in determining the potential risks that may arise while handling personal data. It helps you in formulating the appropriate measures to tackle such threats and implement data protection early on in the processing stage.

Read more about the significance of DPIA here.

Here is a checklist by the ICO to see if you meet the privacy by design obligations:

The concept was introduced (or re-introduced) in the GDPR for organizations to treat personal data with care and safety. They make processing activity safe and more efficient. If your organization safeguards the data of people, it will not only minimize the risk of a data breach and GDPR fines but also earn the people’s trust and reputation.