Privacy by Design: Privacy throughout the engineering process
Privacy by design is a concept that was first introduced by Ann Cavoukian in 1995. Its recent surge in importance is due to the General Data Protection Regulation (GDPR). Article 25 of GDPR is titled Data protection by design and by default and requires controllers to “both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures … to implement data protection principles.”
Privacy by Design
The basic idea behind privacy by design is that privacy should be taken into account throughout the whole engineering process. Privacy by design is an approach to privacy that has seven basic principles.
| Principle | Meaning |
|---|---|
| Proactive, preventive | Planning ahead to avoid breaches of privacy. It is more about proactively designing things to prevent negative privacy events in the first place rather than responding after the fact. |
| Privacy as default | Provide privacy protections without requiring any affirmative action from the data subject. |
| Privacy embedded into design | Privacy is embedded into the design and architecture of business practices and systems. |
| Full-functionality | Privacy doesn’t compete with functionality or security. |
| End-to-end | The entirety of the data collection and usage maintains safeguards. |
| Transparency | Maintain transparency of your privacy approach. Privacy should be verifiable. |
| Respect for data subject | Primarily, privacy by design is about the data subject’s experience. |
GDPR Privacy by Design
Privacy by design has received some criticism for its vagueness. It is abstract and not obvious how to implement. GDPR gives some guidance in this regard in Article 25.
Article 25 of GDPR requires controllers to implement appropriate technical and organizational measures designed to implement data protection principles in an effective manner and to integrate the necessary safeguards into the processing. This is not an absolute instruction, there are some accompanying qualifications. The implementation described above should be done “taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.” This indicates that it is not a hard and fast rule, the implementation has to take into account the current procedures, the costs of the implementation, details about the processing, and the risks – taking into account the likelihood of the risks and the severity of their occurrence – posed by the processing. The implementation should be done “both at the time of the determination of the means for processing and at the time of the processing itself.” That is to say that there should be a clear plan in advance for processing, but as circumstances change or more details come into focus, the original plan should not be strictly adhered to, the changing circumstances should be adapted to.
The second privacy by design requirement propounded by GDPR is that by default, the controller shall implement measures for ensuring that only personal data which are necessary for each specific purpose of the processing are processed. This approach is also known as data minimization. Stated more precisely, data minimization is the principle of performing a minimum amount of processing, with a minimum amount of data, and retaining it for the minimum amount of time. The “by default” clause means that the data subject has to take an affirmative action in order for their data to be handled differently, such as to increase the accessibility of their data. For more information about privacy by default, please review our Privacy by Default article.
GDPR also contemplates approved certification mechanisms that controllers can utilize to demonstrate their compliance with Article 25.
Complying with GDPR Privacy by Design
A good starting point for complying with GDPR’s Article 25 privacy by design requirements is conducting a Data Protection Impact Assessment (DPIA). DPIAs are covered in Article 35 of GDPR and are basically a formalized method of reviewing data processing. They are necessary (with some qualifications) where a type of processing is likely to result in a high risk to the rights and freedoms of natural persons. They need to include: “a systematic description of the envisaged processing operations and the purposes of the processing … an assessment of the necessity and proportionality of the processing operations … an assessment of the risks … to data subjects … and the measures envisaged to address the risks … and to demonstrate compliance with [GDPR]”.
At a minimum, to comply with Article 25 of GDPR, a controller should be able to:
- describe the purpose of their processing
- tout their controls preventing additional processing
- demonstrate controls for access to data
- prove data minimization measures
- create data processing agreements and utilize them with third-party processors
- respond to data breaches
With Clarip’s Privacy Impact Assessments, Privacy Intelligence Dashboard, Rules Engine, Vendor Monitor, and Reports Dashboard we can help you to operate under the principles of privacy by design. Clarip takes enterprise privacy governance to the next level and helps organizations reduce risks, engage better, and gain customers’ trust! Contact us at www.clarip.com or call Clarip at 1-888-252-5653 for a demo.