What is data protection by design exactly?

GDPR mandates that the impact of any processing activities be taken into account when developing a new product, technology or service, from the beginning and throughout the life cycle of the product. Security and privacy measures should be integrated into the project rather than bolted on as an afterthought in a post-design “checkbox” exercise. Companies and organisations who acted quickly and proactively to implement the new regulatory requirement are in pole position to ensure their products and services are compliant in the new GDPR era.

The origins of data protection by design and its seven principles

The concept of data protection by design is far from new, with some of the initial discussion and considerations of the topic extending back as far as the 1970s. What is new is the fact that Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) now mandates that organisations take privacy by design into account from the conception of a new product, technology or service (Article 25), rather than on a self-regulatory basis as it was under the previous regime of Directive 95/46/EC (recital 46). The shift from a recital to a fully-fledged article imposing a legal obligation is a positive step forward for data protection as a whole.

The modern version of data protection by design (and default) can be traced back to the seven principles of privacy by design:

Proactive not reactive, preventative not remedial

Being proactive means that data privacy risks should be foreseen, placed at the centre of planning and mitigated before they can manifest, rather than rectified on a reactive basis. An ancillary benefit of this type of approach is potential protection from public exposure of data privacy issues which could cause reputational harm (e.g., the Marriott Hotel Group breach). From the initial conception and design of a new product, technology or service, organisations should begin to plan the implementation of data-protection-enhancing measures:

  • A clear commitment, at the highest levels, to set and enforce high standards of privacy − generally
    higher than the standards set out by global laws and regulation.
  • A privacy commitment that is demonstrably shared throughout by user communities and stakeholders,
    in a culture of continuous improvement.
  • Established methods to recognise poor privacy designs, anticipate poor privacy practices and
    outcomes, and correct any negative impacts, well before they occur in proactive, systematic, and
    innovative ways.

Privacy as the default

The highest privacy settings should be enabled by default for the user when they use any system or access any service. This means that if the user does nothing to change the standard settings, their protection remains full, so no action is required on the part of the user to protect their privacy.

Privacy by default also extends to data retention periods: personal data should only be kept and stored as long as it is necessary for the operation of the product or service, and this often translates into creating the mandated data retention schedule and designing and testing the processes that execute those retention periods. Products, technologies and services should by default protect individuals’ data to the maximum, even if organisations may still want to include options where the data subject can disable these measures. Presenting data subjects with choice over what happens with their data is the cornerstone of any new data protection administration within a forward-thinking organisation.

  • Purpose Specification – the purposes for which personal information is collected, used, retained and
    disclosed shall be communicated to the individual (data subject) at or before the time the information
    is collected. Specified purposes should be clear, limited and relevant to the circumstances.
  • Collection Limitation – the collection of personal information must be fair, lawful and limited to that
    which is necessary for the specified purposes.
  • Data Minimisation − the collection of personally identifiable information should be kept to a strict
    minimum. The design of programs, information and communications technologies, and systems
    should begin with non-identifiable interactions and transactions, as the default. Wherever possible,
    identifiability, observability, and linkability of personal information should be minimised.
  • Use, Retention, and Disclosure Limitation – the use, retention, and disclosure of personal
    information shall be limited to the relevant purposes identified to the individual, for which he or she
    has consented, except where otherwise required by law. Personal information shall be retained only as
    long as necessary to fulfil the stated purposes, and then securely destroyed.
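The two mechanisms this section describes, protective defaults that only the data subject can relax and a retention schedule with a process that actually executes it, are shown below as an added example. This is not code from the original article or from Relentless Privacy and Compliance Services; the setting names, the purposes, the retention periods and the sample records are all constructed assumptions.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Privacy by default: every option starts at its most protective value.
# A data subject may choose to relax a setting; nothing is relaxed on their behalf.
# (constructed setting names, not from the article)
MOST_PROTECTIVE = {
    "analytics_tracking": False,
    "marketing_emails": False,
    "profile_visibility": "private",
    "location_precision": "coarse",
}


def new_account_settings(user_choices=None):
    """Settings for a new account: protective defaults, overridden only by
    choices the data subject explicitly made. Unknown keys are rejected so a
    mis-typed key cannot silently widen processing."""
    settings = dict(MOST_PROTECTIVE)
    for key, value in (user_choices or {}).items():
        if key not in settings:
            raise KeyError(f"unknown privacy setting: {key}")
        settings[key] = value
    return settings


# Retention schedule: the maximum number of days data collected for each
# purpose may be kept. These figures are hypothetical placeholders; in practice
# they come from the organisation's documented retention schedule.
RETENTION_DAYS = {
    "order_fulfilment": 365 * 6,
    "support_ticket": 180,
    "analytics": 30,
}


@dataclass
class Record:
    record_id: str
    purpose: str          # the specified purpose the data was collected for
    collected_at: datetime


def retention_review(records, now):
    """Classify records against the schedule.

    'delete' lists records whose retention period for their stated purpose has
    elapsed and which should go to secure destruction.
    'review' lists records whose purpose has no entry in the schedule: purpose
    limitation fails closed, so they are flagged rather than kept indefinitely.
    """
    result = {"delete": [], "review": []}
    for r in records:
        limit_days = RETENTION_DAYS.get(r.purpose)
        if limit_days is None:
            result["review"].append(r.record_id)
        elif now - r.collected_at > timedelta(days=limit_days):
            result["delete"].append(r.record_id)
    return result


# Constructed sample data for a stand-alone run.
NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)
SAMPLE_RECORDS = [
    Record("r1", "analytics", NOW - timedelta(days=45)),          # over 30 days
    Record("r2", "analytics", NOW - timedelta(days=10)),          # within limit
    Record("r3", "support_ticket", NOW - timedelta(days=181)),    # over 180 days
    Record("r4", "order_fulfilment", NOW - timedelta(days=400)),  # within limit
    Record("r5", "legacy_export", NOW - timedelta(days=1)),       # no schedule entry
]

if __name__ == "__main__":
    print("new account:", new_account_settings())
    print("opted in to marketing:", new_account_settings({"marketing_emails": True}))
    print("retention review:", retention_review(SAMPLE_RECORDS, NOW))
```

The review function deliberately returns the unscheduled purpose separately instead of treating it as "keep": a record nobody has written a retention rule for is the case most likely to be retained forever, which is exactly what the purpose and retention limitation principles above are meant to prevent.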

Data protection embedded into the design

Privacy measures should form the foundation stone upon which the whole system or service is built, rather than being glued on at the end of the development cycle. The advantage of “securing” these measures into the design is that data protection becomes an essential part of the product, technology or service, affording the highest degree of protection from the very start.

  • A systemic, principled approach to embedding privacy should be adopted − one that relies upon
    accepted standards and frameworks, which are amenable to external reviews and audits. All fair
    information practices should be applied with equal rigour, at every step in the design and operation.
  • Wherever possible, detailed privacy impact and risk assessments should be carried out and published,
    clearly documenting the privacy risks and all measures taken to mitigate those risks, including
    consideration of alternatives and the selection of metrics.
  • The privacy impacts of the resulting technology, operation or information architecture, and their uses,
    should be demonstrably minimised, and not easily degraded through use, misconfiguration or error.

Full functionality, positive-sum, not zero-sum

Functionality of a product or service should not be compromised as a result of trade-offs arising from “false disagreements” such as privacy vs. security; rather, an approach should be adopted where both can be achieved in a “win-win” situation.

  • When embedding privacy into a given technology, process, or system, it should be done in such a way
    that full functionality is not impaired, and to the greatest extent possible, that all requirements are
    optimised.
  • Privacy is often positioned in a zero-sum manner as having to compete with other legitimate interests,
    design objectives, and technical capabilities, in a given domain. Privacy by Design rejects taking such
    an approach – it embraces legitimate non-privacy objectives and accommodates them, in an innovative
    positive-sum manner.
  • All interests and objectives must be clearly documented, desired functions articulated, metrics agreed
    upon and applied, and trade-offs rejected as often being unnecessary, in favour of finding a solution
    that enables multi-functionality.

End-to-end security for the life-cycle of the product

Privacy by design must consider security from the “cradle to the grave”. Information is always afforded the appropriate security throughout the life cycle of the product (from collection to processing and finally destruction). There should be no gaps where security measures are not applied to the data being processed. Choosing and implementing the correct level of data security measures for the product, technology or service from the beginning of the project is essential to meeting this requirement.

  • Security − Entities must assume responsibility for the security of personal information (generally
    commensurate with the degree of sensitivity) throughout its entire life cycle, consistent with standards
    that have been developed by recognised standards development bodies.
  • Applied security standards must assure the confidentiality, integrity and availability of personal data
    throughout its life cycle including, inter alia, methods of secure destruction, appropriate encryption,
    and strong access control and logging methods.

Visibility and transparency

Data subjects whose information is being processed are entitled to be fully informed of what is actually happening with their personal data from the point it is collected to the point it is deleted.
The GDPR takes an active role in heightening visibility and transparency for data subjects by increasing their rights over their personal data in Chapter III. Having strong processes for Chapter III rights, such as Data Subject Access Requests or Right to Erasure requests, is a vital step in the privacy by design approach.

  • Accountability – The collection of personal information entails a duty of care for its protection.
    Responsibility for all privacy-related policies and procedures shall be documented and communicated
    as appropriate, and assigned to a specified individual. When transferring personal information to third
    parties, equivalent privacy protection through contractual or other means shall be secured.
  • Openness – Openness and transparency are key to accountability. Information about the policies and
    practices relating to the management of personal information shall be made readily available to
    individuals.
  • Compliance – Complaint and redress mechanisms should be established, and information
    communicated about them to individuals, including how to access the next level of appeal. Necessary
    steps to monitor, evaluate, and verify compliance with privacy policies and procedures should be
    taken.

Respect for user privacy

Privacy for the user should be a central concern for the product, technology or service. The goal is to provide a user-centric experience, rather than one which harbours illicit data processing practices such as mass collection of data or invasive profiling. Having the data subject feel like they are king of the product, technology or service, rather than just a number, is also a good way to increase consumer confidence. Big data is coming under ever-increasing attack for treating individuals like cattle, milking them for personal data which is then commoditised.

  • Consent – The individual’s free and specific consent is required for the collection, use or
    disclosure of personal information, except where otherwise permitted by law. The greater the
    sensitivity of the data, the clearer and more specific the quality of the consent required. Consent may
    be withdrawn at a later date.
  • Accuracy – personal information shall be as accurate, complete, and up-to-date as is necessary to
    fulfil the specified purposes.
  • Access – Individuals shall be provided access to their personal information and informed of its
    uses and disclosures. Individuals shall be able to challenge the accuracy and completeness of the
    information and have it amended as appropriate.
  • Compliance – Organisations must establish complaint and redress mechanisms, and
    communicate information about them to the public, including how to access the next level of appeal.

All organisations striving for greater customer utilisation of their products should be promoting greater privacy strategies.

Relentless Privacy and Compliance Services have a wide range of Data Privacy services for organisations of all sizes.
