Privacy by design (PbD) is a systems engineering technique that aims to preserve people’s privacy by factoring in privacy considerations from the outset of the development of products, services, business processes, and physical infrastructures. In comparison, in a different procedure, privacy considerations are not considered until right before launch.
Background :
PbD was created by Ann Cavoukian and formalised in a joint study on privacy-enhancing technology published in 1995 by a joint team of the Ontario Information and Privacy Commissioner, the Dutch Data Protection Authority, and the Netherlands Organization for Applied Scientific Research.
In 2009, the International Assembly of Privacy Commissioners and Data Protection Authorities presented the privacy by design framework, which was later endorsed by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010. Privacy by design means that privacy must be considered throughout the engineering process. The concept is an example of value-sensitive design, which is described as taking human values into account in a well-defined manner across the entire process, and it may have come from this.
Privacy by Design Principles
The underlying concepts of PbD are expressed in the seven ‘foundational principles’ of privacy by design, as developed by the Information and Privacy Commissioner of Ontario.
- ‘Proactive not reactive; preventative not remedial’: You should take a proactive approach to data protection and anticipate privacy issues and risks before they happen, instead of waiting until after the fact. This doesn’t just apply in the context of systems design — it involves developing a culture of ‘privacy awareness’ across your organization.
- ‘Privacy as the default setting’: You should design any system, service, product, and/or business practice to protect personal data automatically. With privacy built into the system, the individual does not have to take any steps to protect their data — their privacy remains intact without them having to do anything.
- ‘Privacy embedded into design’: Embed data protection into the design of any systems, services, products and business practices. You should ensure data protection forms part of the core functions of any system or service — essentially, it becomes integral to these systems and services.
- ‘Full functionality — positive sum, not zero sum’: Also referred to as ‘win-win’, this principle is essentially about avoiding trade-offs, such the belief that in any system or service it is only possible to have privacy or security, not privacy and security. Instead, you should look to incorporate all legitimate objectives whilst ensuring you comply with your obligations.
- ``End-to-end security — full lifecycle protection ”: Put in place strong security measures from the beginning, and extend this security throughout the ‘data lifecycle’ — i.e. process the data securely and then destroy it securely when you no longer need it.
- ‘Visibility and transparency — keep it open’: Ensure that whatever business practice or technology you use operates according to its premises and objectives, and is independently verifiable. It is also about ensuring visibility and transparency to individuals, such as making sure they know what data you process and for what purpose(s) you process it.
- ‘Respect for user privacy — keep it user-centric’: Keep the interest of individuals paramount in the design and implementation of any system or service, e.g. by offering strong privacy defaults, providing individuals with controls, and ensuring appropriate notice is given.
Art. 25 GDPR: Data protection by design and by default
- Taking into account the state of the art, the cost of implementation, the nature, scope, context, and purposes of processing, as well as the risks of varying likelihood and severity for natural persons’ rights and freedoms posed by the processing, the controller shall implement appropriate technical and organisational measures, such as pseudonymisation, both at the time of determining the means for processing and at the time of the processing itself.
- The controller shall take reasonable technological and organisational steps to ensure that only personal data essential for each specified processing purpose is handled by default. 2This responsibility applies to the quantity of personal data gathered, the scope of processing, the storage time, and the accessibility of such data. 3In particular, such measures must ensure that, by default, personal data are not made accessible to an indefinite number of natural persons without the individual’s intervention.
- An approved certification mechanism pursuant to Article 42 may be used to certify conformity with the standards outlined in this Article’s paragraphs 1 and 2.
How should an organization implement PbD?
The first step in putting PbD into practice is to establish the company’s informational privacy policy. These policies serve as the framework for determining privacy requirements and designing privacy safeguards by operations and development teams.
It is strongly advised to choose someone or a group of people to be in charge of reviewing and implementing privacy regulations. The privacy team must be included in design decisions and evaluations in a meaningful way.
It’s critical to assess privacy measures in products, services, and programmes on a regular basis. If third-party content is included in an organization’s products or services (for example, by integrating a third-party mobile SDK into an app), the third-party content must be reviewed for privacy implications.
Conclusion
Companies should adopt a Privacy by Design culture in response to user demand for data protection and privacy rights.
Companies that gather personal data have a legal obligation to keep it safe and secure while adhering to all applicable regulations. However, given the tremendous value consumers place on their data, businesses should provide further assurance by using Privacy by Design. Companies can better assure privacy and provide customers more control over their data if they implement Privacy by Design as their default operating conditions.
Even firms with the best intentions to use Privacy by Design may find it difficult to fully apply it. Change is almost impossible to keep up with as a result of innovation. New systems are becoming increasingly complicated.
