The General Data Protection Regulation (GDPR) enhanced European data privacy rules significantly. 'Privacy by Design' and 'Privacy by Default' are two of these enhancements. Although new as a legal requirement under the GDPR, these concepts are not new by any means. Considering privacy from the start of the development design process is essential to address privacy successfully.

 

Building efficiency by thinking of privacy proactively, not reactively

 

Under the previous Directive, data controllers were required to implement appropriate technical and organisational measures to protect data against unlawful processing. This, however, led to privacy considerations becoming an afterthought in the development process.

The GDPR requires organisations to consider privacy at the initial design stage. Privacy therefore needs to be a key ingredient of the successful introduction of a new product, service, or technology, rather than an element that is added for decoration at the end.

This could be seen as added complexity, but it is actually a much simpler exercise than applying privacy considerations after a design is fully developed.

When you give thought to what personal data is to be used, for what purpose and under what lawful basis, you reduce the risk of discovering at a later stage that attempting to embed privacy is technologically demanding, expensive or even not possible at all.

The application of Privacy by Design actually increases the efficiency of the development process. Knowing what data you want to use, and giving data subjects consideration on how their data is used by applying Privacy by Default, will also create more transparency for the data subjects. The inclusion of privacy as the bedrock of development helps build trust with data subjects in collecting data in the first place.

In other words: applying Privacy by Design and Privacy by Default is an essential ingredient of good privacy practice. Many organisations are already introducing these ideas into their development processes and are reaping the rewards.

 

Embedding privacy in the design process: where to start?

 

In order to embed privacy in the design process, four key areas must be taken into consideration.

 

  1. Keep within legal boundaries and be accountable

Under the GDPR, organisations must be able to demonstrate their adherence to and compliance with the privacy principles. Having a clear data privacy strategy where early privacy decisions are taken when introducing new technologies certainly helps organisations stay on track.

When assessing a concept or idea, keep top of mind whether it can be introduced whilst remaining within the principles of privacy. Performing a Data Privacy Impact Assessment (DPIA) is a great way to highlight any risk of non-compliance that would put your development at risk. Also remember to keep records of completed DPIAs, as this will demonstrate your decision-making at a later point in time.

  2. Ethical transparency

The ethical aspect of your approach must also be brought into discussions early on. An organisation should determine how transparent it intends to be about its data processing and how much detail it wants to know about the data subjects involved. A helpful question is: would you be happy to use the product or service yourself?

  3. Importance of clear communication

Clear communication with data subjects is very important to address at all stages of the development process. Communication channels must be clear and easily understood, including when something goes wrong. For data subjects it must be clear who to contact if they want to exercise their rights or find out more about how their data is being used.

  4. Data security, quality and retirement

Finally, it is vitally important to ensure that adequate security measures are put in place, and to establish how the integrity of the data can be maintained, how its availability can be guaranteed, and how the data will be disposed of when the product or service retires.

 

Implementation

 

Successful implementation of both Privacy by Design and Privacy by Default requires that employees, especially those involved in the development of new products and services, have good data privacy awareness. Clear policies, training and work instructions related to data protection should be put in place, and a privacy advisory specialist should be available to assist in applying these requirements. Whichever development methodology is used (be it agile, waterfall, etc.), privacy should be at the heart of the development lifecycle. This will enable the development teams to apply appropriate measures in the relevant phases.