What is data protection by design exactly?
GDPR mandates that the impact of any processing activities be taken into account when developing a new product, technology or service, from the beginning and throughout the life cycle of the product. Security and privacy measures should be integrated into the project, rather than bolted on as an afterthought in a post-design “checkbox” exercise. Companies and organisations that acted quickly and proactively to implement the new regulatory requirement are in pole position to ensure their products and services are compliant for the new GDPR era.
The origins of data protection by design and its seven principles
The concept of data protection by design is far from new, with some of the initial discussion and consideration of the topic extending back as far as the 1970s. What is new is that Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) now mandates that organisations take privacy by design into account from the conception of a new product, technology or service (Article 25), rather than on a self-regulatory basis as it was under the previous regime of Directive 95/46/EC (recital 46). The shift from a recital to a fully-fledged article imposing a legal obligation is a positive step forward for data protection as a whole.
The modern version of data protection by design (and by default) can be traced back to the seven principles of privacy by design:
Proactive not reactive, preventative not remedial
Being proactive means that data privacy risks should be foreseen, placed at the centre of planning and mitigated before they can manifest, rather than rectified on a reactive basis. An ancillary benefit of this type of approach is potential protection from public exposure of data privacy issues which could cause reputational harm (e.g., the Marriott Hotel Group breach). From the initial conception and design of a new product, technology or service, organisations should begin to plan the implementation of data-protection-enhancing measures:
- A clear commitment, at the highest levels, to set and enforce high standards of privacy, generally higher than the standards set out by global laws and regulation.
- A privacy commitment that is demonstrably shared throughout by user communities and stakeholders, in a culture of continuous improvement.
- Established methods to recognise poor privacy designs, anticipate poor privacy practices and outcomes, and correct any negative impacts, well before they occur in proactive, systematic, and
Privacy as the default
The highest privacy settings should be enabled by default for the user when they use any system or access any service. This means that if the user does nothing to change the standard settings, their protection remains full. This guarantees that no action is required on the part of the user to protect their privacy.
Privacy by default also extends to data retention periods: personal data should only be kept and stored for as long as it is necessary for the operation of the product or service. In practice this means creating the mandated data retention schedule and designing and testing the processes that execute those retention periods. Products, technologies and services should by default protect individuals’ data to the maximum, even if organisations may still want to include options where the data subject can disable these measures. Presenting data subjects with a choice over what happens with their data is the cornerstone of any new data protection administration within a forward-thinking organisation.
- Purpose Specification – the purposes for which personal information is collected, used, retained and disclosed shall be communicated to the individual (data subject) at or before the time the information is collected. Specified purposes should be clear, limited and relevant to the circumstances.
- Collection Limitation – the collection of personal information must be fair, lawful and limited to that which is necessary for the specified purposes.
- Data Minimisation – the collection of personally identifiable information should be kept to a strict minimum. The design of programs, information and communications technologies, and systems should begin with non-identifiable interactions and transactions as the default. Wherever possible, identifiability, observability, and linkability of personal information should be minimised.
- Use, Retention, and Disclosure Limitation – the use, retention, and disclosure of personal information shall be limited to the relevant purposes identified to the individual, for which he or she has consented, except where otherwise required by law. Personal information shall be retained only as long as necessary to fulfil the stated purposes, and then securely destroyed.
Privacy measures should form the foundation stone upon which the whole system or service is built, rather than being glued on at the end of the development cycle. The advantage of “securing” these measures in this way is that data protection becomes an essential part of the product, technology or service, affording the highest degree of protection from the very start.
- A systemic, principled approach to embedding privacy should be adopted, one that relies upon accepted standards and frameworks which are amenable to external reviews and audits. All fair information practices should be applied with equal rigour, at every step in the design and operation.
- Wherever possible, detailed privacy impact and risk assessments should be carried out and published, clearly documenting the privacy risks and all measures taken to mitigate those risks, including consideration of alternatives and the selection of metrics.
- The privacy impacts of the resulting technology, operation or information architecture, and their uses, should be demonstrably minimised, and not easily degraded through use, misconfiguration or error.
Full functionality, positive-sum, not zero-sum
Functionality of a product or service should not be compromised as a result of trade-offs from “false disagreements” such as privacy vs security, but rather an approach should be adopted where both can be achieved in a “win-win” situation.
- When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired, and to the greatest extent possible, that all requirements are
- Privacy is often positioned in a zero-sum manner as having to compete with other legitimate interests, design objectives, and technical capabilities, in a given domain. Privacy by Design rejects taking such an approach – it embraces legitimate non-privacy objectives and accommodates them, in an innovative positive-sum manner.
- All interests and objectives must be clearly documented, desired functions articulated, metrics agreed upon and applied, and trade-offs rejected as often being unnecessary, in favour of finding a solution that enables multi-functionality.
End-to-end security for the life-cycle of the product
Privacy by design must consider security from the “cradle to the grave”. Information must always be afforded the appropriate security throughout the life cycle of the product (from collection to processing and finally destruction). There should be no gaps where security measures are not applied to the data processed. Choosing and implementing the correct level of data security measures for the product, technology or service from the beginning of the project is essential to meeting this requirement.
- Security – Entities must assume responsibility for the security of personal information (generally commensurate with the degree of sensitivity) throughout its entire life cycle, consistent with standards that have been developed by recognised standards development bodies.
- Applied security standards must assure the confidentiality, integrity and availability of personal data throughout its life cycle including, inter alia, methods of secure destruction, appropriate encryption, and strong access control and logging methods.
Visibility and transparency
Data subjects who are having their information processed are entitled to be fully informed of what is actually happening with their personal data from the point it is collected to the point it is deleted.
The GDPR takes an active role in heightening visibility and transparency for data subjects by increasing the rights over their personal data in Chapter III. Having strong processes for Chapter III rights such as Data Subject Access Requests or Right to Erasure requests is a vital step for the privacy by design approach.
- Accountability – The collection of personal information entails a duty of care for its protection. Responsibility for all privacy-related policies and procedures shall be documented and communicated as appropriate, and assigned to a specified individual. When transferring personal information to third parties, equivalent privacy protection through contractual or other means shall be secured.
- Openness – Openness and transparency are key to accountability. Information about the policies and practices relating to the management of personal information shall be made readily available to
- Compliance – Complaint and redress mechanisms should be established, and information communicated about them to individuals, including how to access the next level of appeal. Necessary steps to monitor, evaluate, and verify compliance with privacy policies and procedures should be
Respect for user privacy
Privacy for the user should be a central concern for the product, technology or service. The goal is to provide a user-centric experience, rather than one which harbours illicit data processing practices such as mass collection of data or invasive profiling. Making the data subject feel like the king of the product, technology or service, rather than just a number, is also a good way to increase consumer confidence. Big data is coming under ever-increasing attack for treating individuals like cattle, milking them for personal data which is then commoditised.
- Consent – The individual’s free and specific consent is required for the collection, use or disclosure of personal information, except where otherwise permitted by law. The greater the sensitivity of the data, the clearer and more specific the quality of the consent required. Consent may be withdrawn at a later date.
- Accuracy – Personal information shall be as accurate, complete, and up-to-date as is necessary to fulfil the specified purposes.
- Access – Individuals shall be provided access to their personal information and informed of its uses and disclosures. Individuals shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Compliance – Organisations must establish complaint and redress mechanisms, and communicate information about them to the public, including how to access the next level of appeal.
All organisations striving for greater customer uptake of their products should be promoting stronger privacy strategies.