Privacy by Design & Privacy by Default
Ever since the General Data Protection Regulation (GDPR) went live, it has introduced significant changes to the European privacy rules. The introduction of the concepts ‘Privacy by Design’ and ‘Privacy by Default’ is one of these changes. Although new as a legal requirement under the GDPR, these concepts themselves are not new. Considering privacy from the start of the development process is a no-brainer for successfully addressing privacy issues and ensuring compliance with the GDPR or any other law involving privacy.
What is Privacy by Design
Privacy by Design dictates that organizations consider privacy at the initial design stages and throughout the complete development process of new products, processes or services that involve processing personal data. Pretty self-explanatory.
What is Privacy by Default
Privacy by Default means that when a system or service offers the individual choices about how much personal data they share with others, the default settings should be the most privacy-friendly ones possible, not settings that collect all the data available.
The Basic Understanding
Under the current Directive, data controllers should already be implementing appropriate technical and organizational measures to protect data against unauthorized processing. The GDPR requires organizations to consider privacy at the earliest stage. Privacy must be one of the ingredients of a new product or service, rather than a condiment added at the end. This might seem tricky, but it is actually easier than applying privacy considerations after a product or service is fully developed (like laying pipes and wiring before building the walls and flooring of a building). When you think upfront about what personal data you want to use, for what purpose, and how you will do this legitimately, you reduce the chance of discovering at a later stage that embedding privacy is technologically challenging, expensive or even near impossible.
Applying Privacy by Design therefore makes the development process more efficient and things run more smoothly in the long run. Knowing what data you want to use, and giving data subjects a choice about how their data is used by applying Privacy by Default, will also make it easier to be transparent towards those data subjects. Needless to say, transparency is key when it comes to earning the trust needed to collect the data in the first place.
Put bluntly, following Privacy by Design and Privacy by Default is just a good idea and best practice in the overall scheme of things. That is why many organizations have already incorporated these concepts into their development processes.
So Where Do You Start?
So you’re all in now; where do you start?
In order to embed privacy in the design process, several things must be taken into account.
1. Be Accountable and Operate within Legal Boundaries
Under the GDPR, organizations are not only responsible for adhering to privacy principles, they must also be able to demonstrate compliance with them. A privacy strategy is essential for making choices early in the development process about how you want to deal with privacy within your new service or product. A good instrument for this is carrying out a Privacy Impact Assessment (PIA). A PIA will help you identify privacy risks within your new design. That said, don’t confuse a PIA (Privacy Impact Assessment) with a DPIA (Data Protection Impact Assessment). A PIA analyzes how an entity collects, uses, shares, and maintains personally identifiable information in relation to existing risks. A DPIA is about identifying and minimizing the risks associated with the processing of personal data.
2. Stay Mindful of Best Ethical Practice
The ethical aspects of the concept must also be taken into consideration early on. An organization should determine how transparent it wants to be about its data processing and how much it wants to know about the data subjects involved. A good rule-of-thumb question is: would you use the product or service yourself? If yes, you’re on the right track. If no, well, you can see you’ll need to improve.
3. Remember that Transparent Communication is Key
Transparent communication towards data subjects is very important to address at the initial design stages and throughout the complete development process. Communication lines must be clear, including when something goes wrong. It must be clear to data subjects whom they can contact if they want to know more about the processing of their personal data and how they can exercise their rights.
4. Keep Focus On Data Security
This has probably been said relentlessly in your research, but it is of course important to think about the adequate security measures to put in place, and to ensure the right policies and procedures for data security are in place as well.
5. Maintain the Quality of Data
There should also be assurances that the quality of the collected data is guaranteed. No one wants wrong information about themselves to be out there, unless it is intentional, such as providing a wrong birth date because they don’t want you to collect their actual data.
6. Make a Plan for the Retirement of the Product or Service
Something you might not have seen yet, but which is being put into practice, is an explanation of what will happen to your data if the company’s product or service is retired. Typically, if this happens because the company goes out of business, the data should be deleted or erased. If it happens because a new product or service takes its place, or because of a merger between two companies, the data will simply be transferred securely to the new company or product/service, unless otherwise stated in the privacy policy agreed upon between the original company and the data subject.
Successful implementation of both Privacy by Design and Privacy by Default requires that employees, especially those involved in the development of new products and services, have enough basic knowledge of privacy. Straightforward policies, guidelines and work instructions related to data protection should be developed, and a privacy specialist should be available to assist in applying these requirements. This will enable the development teams to take appropriate measures in the relevant phases of building the product or service. When a design has been completed, it must be adopted by the organization and monitored throughout its lifetime.
Privacy by Design and by Default: Good or Bad?
Requiring Privacy by Design and by Default is without doubt the formalization of a good idea and best practice. The GDPR aims to give data subjects more power over their personal data, and implementing Privacy by Design and Privacy by Default clearly reflects that. Offering the most privacy-friendly option as the default setting gives people an actual say over which parts of their personal data can be used (not to mention that it helps the button mashers who rush through consent forms without stopping to read what they are agreeing to, only to regret it later). Hopefully this will be reflected in other data privacy endeavors in countries outside the EU.