Privacy by Design: What It Is and Why It Matters for the GDPR
Working with data protection can be quite overwhelming and confusing. Since the introduction of the GDPR, things got even more complex. In this blog post, I discuss a way of thinking that might make it a bit easier to coordinate your efforts around privacy and data protection and the GDPR, called privacy by design. After reading this, you should have a general idea of what privacy by design is, how it relates to the GDPR, and how it can help even the smallest businesses elevate their privacy and data protection.
Table of contents
- What is Privacy by Design?
- Why bother with privacy by design?
- Privacy by design in the GDPR?
- Getting Started with privacy by design
- The 7 Foundational Principles of Privacy by Design
- Concrete actions for Implementing privacy by design
- Formalised management commitment to privacy and data protection
- In Conclusion
What is privacy by design?
Privacy by design was at first only used in software and systems development. There it means that privacy measures are built into the design of systems. This way, privacy and data protection are core functionalities of the system, in addition to what the system was designed to do in the first place.
We can easily translate this from software development to a broader context, like your business. For your business, it means that for any new process or activity, data protection and privacy should be considered from the very early planning stages. In other words, thinking of privacy when designing new processes = privacy by design.
The idea is that protecting the data and privacy of your customers should be a goal you strive towards just as much as your business goals. By employing privacy by design, the data and privacy of your customers are always protected and control over this data remains with the customer, who (where processing relies on consent) can withdraw that consent at any time.
Designing your systems and processes in this way might seem unnecessary at first, but it brings many advantages. Contrary to what the name implies, you can work towards privacy by design in your business with small steps and experience the benefits rather quickly. It’s not necessary to radically overhaul everything you do at once!
Some advantages include:
It simply makes data protection in your organisation stronger and thus data breaches less likely. Data breaches can lead to great monetary losses.
You show to your customers that you understand the value of their privacy and that you take good care to use their data responsibly, in turn building a more trusting relationship.
It is a good way to future-proof your business. We can almost certainly expect regulatory, but also consumer pressure for strong privacy controls to increase in the future. Starting right now with designing your business to be privacy-aware prevents you from being forced to implement more radical and costly changes in the future when the timing may not be optimal.
Cyber security threats change constantly and fast. By building a strong data protection foundation into your systems and processes you minimise the time and resources you need to spend on reacting to ever-changing data and privacy risks.
Privacy by design is part of the GDPR and thus implementing privacy by design can be a great help towards complying with GDPR.
Based on the concept of privacy by design, Article 25 of the GDPR introduces “data protection by design” and “data protection by default”. Below, I explain both concepts with short excerpts from Article 25. Read the full article here.
Data protection by default is described as:
“by default, only personal data which are necessary for each specific purpose of the processing are processed”
“by default, personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons”
In other words: organisations should minimise data collection to the strictly necessary data that is needed to fulfil their purpose. If a user takes no action, their data should still be protected, their privacy still guaranteed.
Example – cookie notice
Imagine the usual cookie notice. Many of us ignore it or simply click it away as fast as possible. If data protection is the default, this should mean that only the strictly necessary cookies are active. A user taking no action means that the default situation (maximum data protection) should not be changed. More cookies should only be activated when the user explicitly consents to them. However, some websites automatically activate all cookies. Clicking away the cookie notice means accepting all third-party cookies. This is not data protection by default.
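To make the cookie example concrete, here is an added illustration of the default-deny logic described above (this is example code written for this post, not code from any site or consent tool). The category names, the shape of the consent record, the policy version and the 180-day validity period are assumptions; the point is that the absence of a choice, a dismissed banner, a stale record and a record given under an older policy all collapse to the same default: strictly necessary cookies only. The opt-out variant at the end is the pattern the post criticises, shown for contrast.

```python
"""Consent-gated cookie categories: an added illustration of 'data protection
by default', not code from the original post. The category names, the consent
record format, the policy version and the validity period are assumptions."""

from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Optional

# Categories that run without consent: the site does not work without them.
STRICTLY_NECESSARY = frozenset({"session", "csrf"})
# Everything else needs an explicit opt-in per category.
OPTIONAL_CATEGORIES = frozenset({"analytics", "marketing"})
# Assumed policy: consent is re-asked after this period and after a policy change.
CONSENT_VALIDITY = timedelta(days=180)
CURRENT_POLICY_VERSION = 3


@dataclass
class ConsentRecord:
    """What the visitor actually chose. Absent categories were never answered."""
    given_at: datetime
    policy_version: int
    choices: dict[str, bool] = field(default_factory=dict)


def allowed_categories(record: Optional[ConsentRecord], now: datetime) -> frozenset[str]:
    """Return the cookie categories that may be set for this visitor.

    No record (banner ignored or dismissed), a record given under an older
    policy, or an expired record all collapse to the default: strictly
    necessary cookies only. Only an explicit True for a known optional
    category adds anything to that default.
    """
    allowed = set(STRICTLY_NECESSARY)
    if record is None:
        return frozenset(allowed)
    if record.policy_version != CURRENT_POLICY_VERSION:
        return frozenset(allowed)
    if now - record.given_at > CONSENT_VALIDITY:
        return frozenset(allowed)
    for category, opted_in in record.choices.items():
        # Only a recorded True counts; unknown categories are ignored.
        if opted_in is True and category in OPTIONAL_CATEGORIES:
            allowed.add(category)
    return frozenset(allowed)


def allowed_categories_opt_out(record: Optional[ConsentRecord], now: datetime) -> frozenset[str]:
    """The pattern the post criticises, for contrast: everything is on unless
    the visitor has explicitly declined it. Ignoring or dismissing the banner
    therefore enables all cookies, which is not data protection by default."""
    allowed = set(STRICTLY_NECESSARY | OPTIONAL_CATEGORIES)
    if record is not None:
        for category, opted_in in record.choices.items():
            if opted_in is False:
                allowed.discard(category)
    return frozenset(allowed)


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed timestamp
    print("ignored banner, opt-in default:", sorted(allowed_categories(None, now)))
    print("ignored banner, opt-out site:  ", sorted(allowed_categories_opt_out(None, now)))
```

Note that the gate never trusts a category it does not know about and never treats "no answer" as "yes"; if you version your cookie policy, bumping CURRENT_POLICY_VERSION silently drops every earlier consent back to the default until the visitor chooses again.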
Data protection by design is described as “integrating the necessary safeguards into the processing”. In other words, any data protection measures and safeguards must be baked into the data processing system by design.
Data protection by design and by default are legal obligations under the GDPR. Failing to implement them means violating the GDPR. However, right now we can observe that not many GDPR fines for not implementing privacy by design have been issued, indicating that privacy by design is not strictly enforced.
This does not mean that you should not care though. As previously said, working on privacy by design brings many advantages to your business, and your local data protection authorities could always decide to start enforcing it more strictly. So how do you get started with privacy by design?
“appropriate technical and organisational measures”
Unfortunately, Article 25 is quite brief, and beyond “appropriate technical and organisational measures” and two examples (pseudonymisation and data minimisation), it doesn’t offer much guidance on what exactly “appropriate measures” would be.
Luckily, any measures you already have in place to improve your data protection are likely also contributing to privacy by design. We also already underlined that taking small steps towards privacy by design is perfectly reasonable and the best way forward for most businesses, so there's no reason to get discouraged or intimidated.
We already tried once before to shed light on what “appropriate measures” could be by looking at previously issued GDPR fines.
For more concrete guidance, we can look back to the original concept of privacy by design. It was developed in the 1990s by Ann Cavoukian, then the Information & Privacy Commissioner of Ontario, Canada, who in 2009 published the 7 Foundational Principles of Privacy by Design.
The 7 principles are:
- Proactive not Reactive; Preventative not Remedial
- Privacy as the Default Setting
- Privacy Embedded into Design
- Full Functionality – Positive-Sum, not Zero-Sum
- End-to-End Security – Full Lifecycle Protection
- Visibility and Transparency – Keep it Open
- Respect for User Privacy – Keep it User-Centric
We’ll discuss each of them briefly below, each time connecting them with some first steps towards “appropriate technical and organisational measures”.
Proactive not Reactive; Preventative not Remedial
The first principle sets out the general mindset you should maintain throughout all the principles. Data protection and privacy should come up at the beginning of the planning process for any new initiative in your business.
You should always aim to prevent privacy problems and data breaches, rather than react to them as they happen.
One way of doing this is performing a periodic risk analysis where you identify potential privacy and data risks and their impacts to your business. You can then take data protection measures before any negative impacts happen, essentially preventing them.
We developed a useful risk analysis template that can help you to get started with proactively identifying risks in your organisation.
Privacy as the Default Setting
Any IT system or process in your organisation must be designed so that privacy and data are automatically protected. If an individual customer takes no action, the minimal amount of data should be collected on them, and their privacy should remain protected (think back to the cookie notice example).
Simply put, the default state in your business should be collecting no data whatsoever. However, we all know that it would be very hard to run your business then. Some data collection is therefore justified, as long as it has a clear purpose.
You should carefully consider what kinds of data you need to meet your business goals. When collecting this data, make sure to:
- Only collect data you need. Any other data collection should be strictly opt-in
- Delete the data you no longer use or need
Privacy Embedded into Design
What this principle is saying is that privacy and security should be just as important as whatever business goals you are trying to achieve when designing new processes or activities.
Another way to think about this is to treat a discovered security vulnerability the same way you would treat a design flaw that compromises your bottom line: you would not simply patch over it. Patching the immediate vulnerability is of course still necessary, but it should not be the end of the story. Go back to the drawing board and redesign the process or system so that this class of vulnerability is not possible in the first place.
Full Functionality – Positive-Sum, not Zero-Sum
This relates to what we discussed above: privacy and security should be just as important as your business goals. It therefore makes no sense to bolt security measures onto a process after it has been designed. That makes security feel like an afterthought, the resulting measures tend to be cumbersome, and people will try to work around them because that is more efficient than complying.
This principle tries to prevent that. The point here is that privacy should not be something that takes away from other objectives, like efficiency or functionality.
By working with privacy and security from the start, the idea is that such false dilemmas can be overcome to create a win-win situation – privacy and efficiency, privacy and functionality.
How can you do this concretely though? The idea would be that the person or team responsible for data protection is more closely involved in design activities so that they can more easily align with the business goals of a system or process.
So instead of designing a workflow and then handing it off to, for example, the IT department to check if it is secure enough, try working more collaboratively with someone from IT from the start.
End-to-End Security – Full Lifecycle Protection
This principle again explicitly covers some things we already know. Data protection measures are implemented proactively, before the first piece of information is collected, and are maintained throughout the entire data lifecycle, until the data is securely destroyed in a timely manner at the end of the process.
When working with (personal) data, it is often a good idea to think in terms of data lifecycle management. In short, this enables you to consider how your data is used throughout the different phases of its “life”, including data creation, storage, processing, archival, and destruction.
What this basically means is that data protection should be the default at every stage of the lifecycle. So, for instance security measures like encryption, authentication, logging, etc., should be used at every stage.
Taking this together with the previous principles means that:
- Only strictly necessary data are collected, each time with a clearly communicated purpose.
- The data is kept for the strictly minimal amount of time needed to fulfil the purpose.
- The data is stored and processed securely through e.g., encryption, strong access control, and logging.
- The data is securely destroyed as soon as it is no longer necessary to fulfil the purpose.
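The four lifecycle points above, together with the two measures Article 25 names explicitly (pseudonymisation and data minimisation, discussed earlier), can be shown in a small amount of code. The following is an added example written for this post, not code from the GDPR, from any regulator or from any product: the purposes, their field lists, the retention periods and the secret key are all assumptions. It binds every record to a declared purpose, drops fields that purpose does not need before storage, replaces the identifier with a keyed pseudonym where the purpose only needs to count distinct users, and deletes records once their purpose's retention period has elapsed.

```python
"""Purpose-bound collection, keyed pseudonymisation and retention-based
deletion. Added illustration for this post; the purposes, field lists,
retention periods and key are assumptions, not anything the GDPR prescribes."""

import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumed: each purpose declares the fields it needs and how long it keeps them.
PURPOSES = {
    "order_fulfilment": {
        "fields": {"name", "email", "address"},
        "retention": timedelta(days=30),
    },
    "product_analytics": {
        "fields": {"email", "country"},  # email is stored only as a pseudonym
        "retention": timedelta(days=365),
        "pseudonymise": {"email"},
    },
}


def collect(purpose: str, submitted: dict, now: datetime) -> dict:
    """Data minimisation: keep only the fields the declared purpose needs.

    Anything else the form happened to send (phone, date of birth, ...) is
    dropped before storage rather than kept 'just in case'.
    """
    spec = PURPOSES[purpose]
    record = {k: v for k, v in submitted.items() if k in spec["fields"]}
    record["_purpose"] = purpose
    record["_collected_at"] = now
    return record


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256): same input and key give the same token,
    so analytics can still count distinct users.

    A plain sha256(email) is not a safe pseudonym: email addresses are easy to
    enumerate and hash, so that mapping is reversible by dictionary attack.
    With a secret key only the key holder can re-identify, which is why this
    is pseudonymisation (still personal data under the GDPR), not anonymisation.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def store(record: dict, key: bytes) -> dict:
    """Apply the purpose's pseudonymisation before the record reaches storage."""
    spec = PURPOSES[record["_purpose"]]
    out = dict(record)
    for name in spec.get("pseudonymise", ()):
        if name in out:
            out[name] = pseudonymise(out[name], key)
    return out


def expired(record: dict, now: datetime) -> bool:
    """Storage limitation: a record is due for deletion once its purpose's
    retention period has elapsed."""
    spec = PURPOSES[record["_purpose"]]
    return now - record["_collected_at"] > spec["retention"]


def purge(records: list, now: datetime) -> list:
    """Return only the records still within their retention period; the rest
    are the ones a scheduled deletion job should remove."""
    return [r for r in records if not expired(r, now)]


if __name__ == "__main__":
    now = datetime(2024, 6, 1, tzinfo=timezone.utc)  # constructed timestamp
    key = b"constructed-secret-key-kept-outside-the-analytics-store"
    form = {"name": "Ada", "email": "ada@example.org", "address": "1 Main St",
            "phone": "0123", "dob": "1990-01-01"}  # constructed form submission
    print(collect("order_fulfilment", form, now))
    print(store(collect("product_analytics", form, now), key))
```

Two design points worth noting: the pseudonymisation key must live somewhere the analytics store cannot read it, otherwise the pseudonym is reversible by anyone with access to that store; and the retention check keys off the purpose rather than off the record, so changing a retention period in one place changes the deletion schedule for every record collected under that purpose.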
Visibility and Transparency – Keep it Open
This principle is quite straightforward. You should be open and transparent to the people you collect data from, including what data is collected, for what purposes, how it is processed, and how protection is ensured. People should also be clearly informed about their rights and possibilities to ask questions, file complaints, or have their data deleted.
Respect for User Privacy – Keep it User-Centric
This last principle is here just to remind us of the main thing we are trying to do here: treating our customers' data and privacy with respect.
Therefore, it is a good idea to always try to keep the interest of the individual user in mind when designing your systems and practices for data processing. Design them in a clear, user-friendly way that provides users with strong privacy defaults, appropriate notice, and a clear overview of their collected data.
In short, designing your systems and practices in such a way to empower users to actively manage their own data, or at least be aware of their data.
It also means recognising that the data always remains the individual's. In the end, your business is just borrowing your customers' data, and where that borrowing rests on their consent, they should be able to withdraw it at any time.
This comes back to what we discussed earlier: show to your customers that you understand the value of their privacy and that you take care to use their data responsibly. Show them they can trust you.
I hope you now have a deeper understanding of what privacy by design and data protection by design/default are trying to achieve, and why it is a good idea to gradually start using this way of thinking in your business too.
Concrete actions for implementing privacy by design
Keep in mind here that no one expects you to be a privacy by design expert from the start. It should be clear now that a lot can be achieved through relatively small steps and actions. So even just working with one or a few of the measures below can contribute a lot to privacy protection in your business. There are of course also many more actions than just the ones we discuss here.
Formalised management commitment to privacy and data protection
More explicitly involving privacy and data protection in e.g., your organisation's mission statement, values, and internal policies. Formalising this commitment is the first step towards living it. One part of this is writing a clear information security policy and acceptable use policy. We developed guides and templates for both.
Appointing someone who is clearly responsible for privacy and data protection. This could for example be a data protection officer (DPO). It is then also important to clearly communicate who this is and how they can be contacted, both to your staff and to your customers and partners.
Providing customers with an easy-to-find place where they can manage all their privacy and data controls, in a clear and user-friendly way. Too often, privacy and data settings can be quite hard to find or are spread out in different settings menus.
Being transparent in your data collection and processing means that for each piece of information that you collect, you should clearly document and communicate your purpose and legal grounds, and by which people or processes the data will be processed.
User-centric and user-friendly design also means avoiding dark patterns. E.g., your cookie notice should have a clearly marked ‘decline’ option that is equal to the ‘accept’ option. You should not be manipulating people into handing over more data than they would willingly consent to.
Implementing measures to prevent your staff from using the data for anything other than the documented purpose, or from not following data protection guidelines. These could include training in practices like data minimisation, pseudonymisation, and anonymisation; or technical security measures like access controls, encryption, and logging.
Having the people responsible for data protection and the people responsible for the business goals of a project work together from the start. The idea is that both data protection and business goals can be achieved without one negatively impacting the other. This requires that both teams are involved from the start of projects and get equal input.
Performing data protection impact assessments (DPIA) for major processes and projects (under Article 35 of the GDPR a DPIA is mandatory where processing is likely to result in a high risk to individuals). Again, it's important to involve multiple perspectives here so that the DPIA does not prevent achieving business goals.
Monitoring privacy and cyber security risks in your processes and activities frequently, and for all stages in the data lifecycle: collection, storage, processing, and destruction. Threats to privacy and data change constantly. It’s important that you set up a framework where, e.g., the risk analysis is performed periodically.
Your team is equally important in achieving strong privacy by design
Implementing data protection by design and by default through these 7 principles naturally involves quite a bit of technical measures in your IT systems and architecture. However, as you’ve probably noticed, an organisation’s business practices and processes themselves are equally important in ensuring that privacy remains the default throughout the data lifecycle.
But then, it is your team who is probably the most important in ensuring strong data protection. Your team needs to be aware of what personal data are, what common data protection risks are, what the general rules concerning handling personal data are, and so on.
Your team needs this awareness and knowledge so that they can understand why your business processes and systems are designed in this privacy by design way. So that they understand, for example, why they can only store customer data in the designated system or location, and not in their own undisclosed spreadsheets.
In short: staff awareness is a big part of data protection by design and by default. Staff who are unaware of the rules will inevitably process data in ways that are not optimal for privacy.
A good way to get your staff to think in a user-centric, privacy-first way, is to conduct security awareness training. We discussed staff training previously as one of the concrete actions contributing to privacy by design.
Awareness training is designed for exactly this purpose: making people aware of risks, rules, procedures, and more.
Take for instance the first Privacy by Design principle: proactive not reactive; preventative not remedial. Proactively identifying risks and developing appropriate measures and safeguards also involves making your staff aware of these risks and training them in how to respond to them.
Similarly, security vulnerabilities are often thought of as technical issues, but a lack of awareness that leads to a team member clicking a phishing link is a security vulnerability just as much.
Getting started with awareness training is easier than you might think.
While the GDPR’s reasoning and guidance for data protection by design and by default is brief and quite vague, it is not difficult to see how these concepts are easily in line with what the GDPR is trying to achieve overall: giving individual users more control over their data.
Using the privacy by design principles in your organisation not only brings you well on your way to complying with the GDPR, but it also helps in building a trusting and open relationship with your customers and partners. And where’s the harm in that?