Learn all about privacy by design (PbD) and how you can integrate the philosophy within your business.
Privacy by Design and its Purpose
Privacy by design (PbD) is defined as designing privacy into all your business processes so that personally identifiable information is protected by default.
The concept comes from Dr. Ann Cavoukian, former Information and Privacy Commissioner of Ontario, who developed it during the 1990s. An early milestone was a 1995 joint report on privacy-enhancing technologies produced by her office together with the Dutch Data Protection Authority and the Netherlands Organization for Applied Scientific Research (TNO).
Operating under the premise that merely being in compliance with regulatory frameworks isn’t enough to assure privacy protections, privacy by design takes a “privacy first” approach throughout the enterprise.
For new technologies, IT systems, and business processes, PbD works best when privacy is protected by default. To get there, those systems need to have privacy protections included in their designs.
Designers typically apply PbD to three parts of the business enterprise: IT systems, accountable business practices, and physical, networked infrastructure. And while the principles of privacy by design work well for protecting all types of personal information, they’re especially important for safeguarding sensitive data such as medical or financial data.
Where is privacy by design required?
Although PbD has existed as a best-practice framework since the 1990s, it only became a legal requirement in 2018.
The European Union's General Data Protection Regulation (GDPR) was adopted in 2016 and has applied across the EU since 25 May 2018. Article 25 of the GDPR requires data protection by design and by default from every controller, for all processing of personal data.
Because the GDPR's accountability principle requires controllers to be able to demonstrate compliance, organizations must also document how they built data protection into their development processes, and be ready to produce that documentation to a supervisory authority, for example after a data breach or a complaint from a data subject.
The GDPR is also extraterritorial: it applies to organizations established outside the EU whenever they offer goods or services to people in the EU or monitor their behaviour. More plainly: if you collect personal data from people in the EU for those purposes, you must comply with the GDPR even if your organization has no presence in the EU.
Developers outside the EU should therefore build privacy by design into their processes along the lines the GDPR sets out. It provides a clear, common-sense and accountable framework that fits any development process.
The Privacy by Design Principles
The principles of privacy by design were adopted by resolution of the International Conference of Data Protection and Privacy Commissioners in 2010. They are set out in a paper published by Dr. Cavoukian, "Privacy by Design: The 7 Foundational Principles; Implementation and Mapping of Fair Information Practices," written to help organizations and developers achieve privacy by design.
The seven principles are summarized below. For a more thorough overview, read our blog post, “Why We Should Care about Privacy By Design.”
- Proactive not reactive; preventative not remedial: Organizations should take a proactive approach to data protection and anticipate privacy issues and risks before those things occur, instead of waiting until after the fact. This applies in the context of systems designs, but also involves developing a culture of privacy awareness throughout your organization.
- Privacy as the default setting: Systems, services, products, and business practices should be designed to protect personal data automatically. When privacy is built into the system, individuals do not have to take any steps to protect their data; privacy happens on its own.
- Privacy embedded into design: Make data protection part of the core function of any system or service by embedding it into the design of all systems, services, products, and business practices, rather than bolting it on afterwards. Essentially, privacy should be integral to all systems and services.
- Full functionality — positive sum, not zero sum: Reject false trade-offs, such as the belief that one can have either privacy or security but not both. Try to accommodate all legitimate objectives while remaining in compliance with your obligations.
- End-to-end security — full lifecycle protection: Establish strong security measures from the beginning and extend security throughout the “data lifecycle.” (That is, process the data securely and then destroy it securely when you no longer need it.)
- Visibility and transparency — keep it open: Ensure that your business practices and technologies operate according to their stated premises and objectives, and that this is independently verifiable. Also ensure visibility and transparency to individuals, including making sure they know what data you process and for what purposes you process it.
- Respect for user privacy; keep it user-centric: Keep the interests of individuals paramount in the design and implementation of any system or service by offering strong privacy defaults, providing individuals with controls, and making sure to give appropriate notice of their rights and also of any security breaches that occur.
Achieving Privacy by Design
Ensuring privacy and security through every phase of the data lifecycle (collection, use, retention, storage, disposal or destruction) has become crucial for avoiding legal liability, maintaining regulatory compliance, protecting your brand, and preserving customer confidence.
There is, however, no easy checklist of questions that will help you achieve privacy by design.
Here are some basic steps your organization can take to get there:
Design Stage
- Create a privacy impact assessment (PIA) template, known under the GDPR as a data protection impact assessment (DPIA), for your business to use for all functions that involve personal data (see below).
- Review contracts with partners and third parties to assure the data you pass on to them is being processed in accordance with PbD and GDPR.
- Remove requests for app permissions the app does not actually need, especially sensitive ones such as access to contacts, location, the camera, or the microphone.
- Audit the security of your systems (see below).
A PIA documents the risks a project, service, or product poses to individuals, the questions those risks raise, and the actions required to address them through privacy by design. The GDPR makes a DPIA mandatory for processing that is likely to result in a high risk to individuals, such as large-scale profiling or processing of sensitive data. If a breach or complaint triggers an investigation, it is typically one of the first documents a supervisory authority asks for, and what it shows about the risks you identified and the measures you chose will inform the scope of that investigation.
Auditing the security of your systems means verifying that the technical and organisational measures protecting personal data (access control, encryption, logging, backup and restore, regular testing) are appropriate to the risk, as Article 32 of the GDPR requires. Document these measures; a regulator can ask for that documentation at any time.
Lifecycle
- Minimize the amount of data you collect.
- Minimize the amount of data you share with third parties.
- Whenever possible, pseudonymize personal data, and keep the key or lookup table that could re-identify it separate from the data itself. Pseudonymized data is still personal data under the GDPR, but a breach of the data alone exposes far less.
- Revisit contact forms, sign-up pages and customer-service entry points, to see whether you’re collecting any data unnecessarily.
- Delete unneeded data regularly. Don’t keep it any longer than you need to.
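The three technical controls in the list above (collect and share only what a purpose needs, pseudonymize the identifier, delete on a retention schedule) in working Python, as an added example written for this article rather than code from the original post or from any product. The key, field names, retention period and sample records are assumptions made for the demo:

```python
"""Data minimisation, keyed pseudonymisation and retention purging (illustrative)."""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Assumption: in production the key lives in a secrets manager or HSM, separate
# from the data store. Anyone holding key + token can still re-identify a person,
# which is why pseudonymised data remains personal data under the GDPR.
DEMO_KEY = b"demo-key-do-not-use-in-production"  # constructed for this example only


def pseudonymize(identifier: str, key: bytes, purpose: str) -> str:
    """Return a stable, non-reversible token for `identifier`.

    A bare hash such as sha256(email) is not a pseudonym: anyone with a list of
    candidate emails can recompute it. A keyed HMAC cannot be recomputed without
    the key, and mixing in a purpose label gives each purpose (analytics,
    support, ...) its own token space, so two datasets cannot be joined on it.
    """
    normalized = identifier.strip().lower().encode("utf-8")
    msg = purpose.encode("utf-8") + b"\x00" + normalized
    return hmac.new(key, msg, hashlib.sha256).hexdigest()[:32]


# Assumed minimal field set that analytics actually needs; everything else
# (name, phone, free-text notes) never leaves the system of record.
ANALYTICS_FIELDS = ("plan", "country", "signup_month")


def minimize_for_analytics(record: dict, key: bytes) -> dict:
    """Project a customer record down to ANALYTICS_FIELDS plus a purpose-bound
    pseudonym in place of the direct identifier."""
    out = {field: record[field] for field in ANALYTICS_FIELDS if field in record}
    out["subject"] = pseudonymize(record["email"], key, "analytics")
    return out


def purge_expired(records: list, now: datetime, retention_days: int) -> tuple:
    """Partition records into (kept, purged) by age of last activity.

    The caller deletes `purged` from the store; returning both halves makes the
    decision auditable before anything is destroyed.
    """
    cutoff = now - timedelta(days=retention_days)
    kept, purged = [], []
    for rec in records:
        (purged if rec["last_activity"] < cutoff else kept).append(rec)
    return kept, purged


# Constructed sample records for the demo.
SAMPLE_RECORDS = [
    {"email": "Alice@Example.com", "name": "Alice", "phone": "+1 555 0100",
     "plan": "pro", "country": "DE", "signup_month": "2023-11",
     "last_activity": datetime(2024, 5, 20, tzinfo=timezone.utc)},
    {"email": "bob@example.org", "name": "Bob", "phone": "+1 555 0101",
     "plan": "free", "country": "FR", "signup_month": "2021-02",
     "last_activity": datetime(2022, 1, 3, tzinfo=timezone.utc)},
]
DEMO_NOW = datetime(2024, 6, 1, tzinfo=timezone.utc)  # fixed "now" for the demo

if __name__ == "__main__":
    kept, purged = purge_expired(SAMPLE_RECORDS, DEMO_NOW, retention_days=730)
    print("purged:", [r["email"] for r in purged])
    for row in (minimize_for_analytics(r, DEMO_KEY) for r in kept):
        print(row)
```

Note the two places where a different choice would quietly break the control: hashing without a key would let anyone with a customer list recompute the tokens, and reusing one token across purposes would let the analytics and support datasets be joined back into a full profile.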
User Engagement
- Provide clear privacy and data sharing notices.
- Embed granular opt-ins through these notices.
- Don’t require social media registration to access the app.
- Don’t enable social media sharing by default.
- Separate consent for essential third-party data sharing from consent for analytics and advertising.
End of Engagement and Mothballing
- Periodically remind users to review and refresh their privacy settings.
- Allow users to download and delete old data.
- Delete the data of users who have closed their accounts.
- Delete all user data when the app’s life comes to an end.
Other Privacy by Design Recommendations
Under the GDPR, organizations whose core activities involve large-scale regular and systematic monitoring of individuals or large-scale processing of special-category data (and all public authorities) must appoint a Data Protection Officer (DPO). The DPO informs and advises the organization and monitors its compliance, including PbD, but legal accountability stays with the organization as controller. Your DPO does not have to be in-house or full-time.
All organizations should consider voluntarily appointing a DPO to act as the “health and safety officer for privacy” and to keep the development process legally compliant.
Instead of viewing privacy by design as a checklist of boxes to be ticked because “the law says so,” organizations should use PbD to think creatively about all the ways that user data can be misused, accessed, stolen, shared or combined — and then design ways to protect that data.
Integrating PbD into your development workflow is an opportunity to improve your policies, practices, and products by making privacy part of your organization's culture. Your users will be better protected, your organization's reputation will improve, and you will be well on your way to sustainable regulatory compliance.
Luckily, there are tools to help your organization with its compliance efforts. ZenGRC from Reciprocity streamlines the execution of risk and compliance work by alerting you in real time to issues and vulnerabilities.
Continuously monitor your systems to ensure that you maintain compliance with ZenGRC, and request a demo today to learn more about how ZenGRC can help your organization stay compliant.