The General Data Protection Regulation (GDPR) has changed European privacy rules significantly. The introduction of the concept of ‘Privacy by Design’ (PbD) is one of these changes but many organisations have struggled to understand what it entails. For those that have adopted PbD correctly, the burden of GDPR compliance can greatly decrease while also having the potential to achieve operational as well as commercial gains.
What is Privacy by Design?
PbD is a requirement placed on organisations that must comply with the GDPR. The specific requirement is set out in Article 25 of the Regulation (‘Data protection by design and by default’). PbD holds that organisations must consider privacy at the initial design stages and throughout the entire development process of new products, processes or services that involve processing personal data. This means that privacy is considered at the earliest stages, reducing the risk of privacy being an afterthought bolted onto a system or product later. While this may initially seem complex, it is in fact easier to implement than retrofitting privacy considerations after a design is fully developed.
What are the origins of Privacy by Design?
Although PbD has become a new legal requirement under the GDPR, the concept is not new. It originated in Canada in the mid-’90s and was developed by Dr. Ann Cavoukian, a recognised leading privacy expert who served three terms as Information and Privacy Commissioner of Ontario. In October 2010, regulators at the International Conference of Data Protection and Privacy Commissioners unanimously passed a resolution recognising Privacy by Design as an essential component of fundamental privacy protection. It is touched upon in many well-known frameworks, such as those published by OWASP and NIST, although many of the current frameworks have come in for much criticism. It became a legal requirement in Europe through the introduction of the GDPR.
Why should organisations focus on Privacy by Design?
Privacy by Design promotes a privacy-conscious culture within an organisation. If done correctly, it embeds privacy thinking into many aspects of an organisation’s operations. Further, as it focuses on early privacy considerations and checks before new products, systems and processes are released, it greatly decreases the risk of non-compliance with the GDPR. It therefore enables a sustainable GDPR/Privacy compliant environment as an organisation evolves.
From an operational perspective, a strong Privacy by Design framework can deliver efficiencies and reduce costs. Consciously considering and planning for the personal data you want to use, the purpose for which you want to use it and how to do this legitimately greatly reduces the chance of discovering at a later stage that embedding privacy is technologically challenging, expensive or even impossible. The application of Privacy by Design can therefore make the development process more efficient. Knowing what data you want to use at an early stage, and being confident in its usage, also makes it easier to be transparent with data subjects. Transparency is critical when it comes to earning the trust needed to collect the data in the first place.
Implementing a robust framework can also present commercial advantages. Many global organisations have already sought publicity by demonstrating how their products protect user privacy by design; this is especially evident among several large technology companies. PbD is therefore seen as an enhancement to a brand and a key element in building trust with an increasingly privacy-conscious public. It also makes it easier for organisations to innovate and adopt disruptive technologies, as there is less ‘compliance uncertainty’ about whether such technologies can be used in the manner the organisation wishes.
How should an organisation implement Privacy by Design?
While frameworks exist that cover Privacy by Design, many of them are inadequate and too rigid for real benefits to be realised. The key to implementing Privacy by Design is adapting privacy to the business rather than forcing a boilerplate framework onto it. Privacy by Design is optimally implemented when privacy measures are designed around the specific ways of working within an organisation. The approach to achieving an efficient Privacy by Design implementation consists of three steps:
Think of ethics, not just compliance
Many cases have been publicly aired where personal data was used perfectly in line with the rules, but far outside societal and ethical norms. In a PbD process, measures can be built in that aim to detect cases like these. For instance, the extent to which an idea or initiative may be considered unethical can be gauged by asking a number of questions that can be built into your PbD toolkit –
Where the answers to these types of questions point towards an attitude of wanting to hide the idea from the public eye, or of not wanting to be subject to the data processing oneself, these are indications that the idea is unethical and may need to be redesigned.
Privacy by Design – a fixed asset in all good privacy compliance regimes
PbD is integral to ensuring compliance with data privacy legislation for numerous reasons. Firstly, because effective PbD involves seeking independent testing of privacy and security controls, it helps to maintain best practice. PbD builds your brand by fostering greater consumer confidence and trust (for example, by allowing post-breach incidents to be better managed) and in turn supports organisations in their quest for competitive advantage. In a reactive approach, the costs are much greater: class-action lawsuits, damage to reputation and loss of consumer confidence and trust.
*PETs = “Privacy-Enhancing Technologies”
The article first appeared in Accountancy Ireland.