The General Data Protection Regulation (GDPR) enhanced European data privacy rules significantly. ‘Privacy by Design’ and ‘Privacy by Default’ are two of these enhancements. Although new as a legal requirement under the GDPR, these enhancements are not new by any means. Considering privacy from the start of the development design process is essential to address privacy successfully.
Building efficiency by thinking of privacy proactively, not reactively.
Under the previous Directive, data controllers were required to implement appropriate technical and organisational measures to protect data against unlawful processing. This, however, led to privacy considerations becoming an afterthought in the development process.
The GDPR requires organisations to consider privacy at the initial design stage. Privacy therefore needs to be a key ingredient of the successful introduction of a new product, service, or technology, rather than an element that is added for decoration at the end.
This could be seen as added complexity, but it is actually a much simpler exercise than applying privacy considerations after a design is fully developed.
When you give thought to what personal data is to be used, for what purpose and under what lawful basis, you reduce the risk of discovering at a later stage that attempting to embed privacy is technologically demanding, expensive or even not possible at all.
The application of Privacy by Design actually increases the efficiency of the development process. Knowing what data you want to use, and giving data subjects consideration on how their data is used by applying Privacy by Default, will also create more transparency for the data subjects. The inclusion of privacy as the bedrock of development helps build trust with data subjects in collecting data in the first place.
In other words: applying Privacy by Design and Privacy by Default is an essential ingredient of good privacy practice. Many organisations are already introducing these ideas into their development processes and are reaping the rewards.
Embedding privacy in the design process, where to start?
In order to embed privacy in the design process, four key areas must be taken into consideration.
- Keep within legal boundaries and be accountable
Under the GDPR, organisations must be able to demonstrate their adherence to and compliance with the privacy principles. Having a clear data privacy strategy where early privacy decisions are taken when introducing new technologies certainly helps organisations stay on track.
When assessing a concept or idea, keep top of mind whether it can be introduced whilst remaining within the principles of privacy. Performing a Data Privacy Impact Assessment (DPIA) is a great way to highlight any risk of non-compliance that would put your development at risk. Also remember to keep records of completed DPIAs, as this will demonstrate your decision-making at a later point in time.
- Ethical Transparency
The ethical aspect of your approach must also be taken into discussions early on. An organisation should determine how transparent it intends to be about its data processing and how much detail it wants to know about the data subjects involved. A helpful question is: would you be happy to use the product or service yourself?
- Importance of clear Communication
Clear communication with data subjects is very important to address at all stages of the development process. Communication channels must be clear and easily understood, including when something goes wrong. For data subjects it must be clear who to contact if they want to exercise their rights or find out more about how their data is being used.
- Data security, quality and retirement
Finally, it is vitally important to ensure that adequate security measures are put in place, and to consider how the integrity of the data can be maintained, how its availability can be guaranteed, and how the data will be disposed of when the product or service retires.
Successful implementation of both Privacy by Design and Privacy by Default requires that employees – especially those involved in the development of new products and services – have a good understanding of data privacy. Clear policies, training and work instructions related to data protection should be put in place, and a privacy advisory specialist should be available to assist in applying these requirements. Whichever development methodology is used (be it agile, waterfall, etc.), privacy should be at the heart of the development lifecycle. This will enable the development teams to apply appropriate measures in the relevant phases.