The General Data Protection Regulation (GDPR) has changed European privacy rules significantly. The introduction of the concept of ‘Privacy by Design’ (PbD) is one of these changes but many organisations have struggled to understand what it entails. For those that have adopted PbD correctly, the burden of GDPR compliance can greatly decrease while also having the potential to achieve operational as well as commercial gains.

What is Privacy by Design?

PbD is a requirement placed on organisations that must comply with the GDPR. The specific requirement is detailed in Article 25 of the Regulation. PbD holds that organisations must consider privacy at the initial design stages and throughout the entire development process of new products, processes or services that involve processing personal data. This means that privacy is considered at the earliest of stages and reduces the risk of privacy being an after-thought; bolted onto a system or product at a later stage. While this may initially seem complex, it is in fact easier to implement than applying privacy considerations after a design is fully developed.

What are the origins of Privacy by Design?

Although PbD has become a new legal requirement under the GDPR, the concept is not new. It originated in Canada in the mid-’90s and was developed by Dr. Ann Cavoukian, a recognised leading privacy expert who held the position of Information and Privacy Commissioner Ontario for three terms. In October 2010, regulators at the International Conference of Data Protection Authorities and Privacy Commissioners unanimously passed a resolution recognising Privacy by Design as an essential component of fundamental privacy protection. It is touched upon in many well-known frameworks such as OWASP and NIST. However many of the current frameworks have come in for much criticism. It became a legal requirement in Europe through the introduction of the GDPR.

Why should organisations focus on Privacy by Design?

Privacy by Design promotes a privacy-conscious culture within an organisation. If done correctly, it embeds privacy thinking into many aspects of an organisation’s operations. Further, as it focusses on early privacy considerations and checks prior to new products, systems, and processes being released, it greatly decreases the risk of non-compliance with the GDPR. It therefore enables a sustainable GDPR/Privacy compliant environment as an organisation evolves.

From an operational perspective, a strong Privacy by Design framework can present efficiencies and reduce costs. Consciously considering and planning for the personal data you want to use, the purpose for which you want to use it and how to do this legitimately greatly reduces the chance of discovering at a later stage that embedding privacy is technologically challenging, expensive or even impossible. The application of Privacy by Design can therefore make the development process more efficient. Knowing what data you want to use at an early stage and being confident in its usage can also make it easier to be transparent to those data subjects. And transparency is critical when it comes to earning the trust to collect the data in the first place

Implementing a robust framework can also present commercial advantages. Many global organisations have already sought publicity by demonstrating how their products deal specifically with user Privacy by Design. This is especially evident with several large technology companies. It therefore is seen as an enhancement to a brand and a key element in building trust with an ever-increasing privacy-conscious public. The ability to innovate and adopt disruptive technologies is also made easier for organisations as there is less ‘compliance uncertainty’ on whether such technologies can be used in the manner the organisation wishes.

How should an organisation implement Privacy by Design?

While frameworks exist that cover Privacy by Design, many of the frameworks are inadequate and are too rigid for real benefits to be realised. The key to implementing Privacy by Design is adopting privacy to the business and not forcing a boiler plate framework into the business. Privacy by Design is optimally implemented when privacy measures are designed based on the specific ways of working within an organisation. The approach to achieving an efficient Privacy by Design implementation consists of three steps:

1. Identify and understand: In order to tailor privacy measures to an organisation’s operations, it is important to firstly understand in detail your organisation’s design processes. These typically take many forms as design processes will be in place across different functions. For instance, typically a design process when developing a product differs from a design process when implementing a new system which in turn differs from a design process when implementing a new marketing campaign. These ways of working could, for instance, be agile in nature or be more traditional such as the waterfall method. Once you have identified the relevant design processes within the organisation, an exercise should be performed to obtain a detailed understanding of the steps involved in each process. If the processes are not already formally defined, it is useful to spend time mapping the design steps as this will support later PbD implementation activities. As well as the design steps, it’s also key that you understand the teams and third parties involved in executing the process and the tools and formats (e.g. excel, word checklists) used in each process.
2. Evolve: Once the processes and ways of working are fully understood, specific privacy measures should be designed to fit this current way of working. The objective of these measures is to ensure that certain privacy topics are considered and assessed at suitable points in the identified processes. These privacy measures could take many different forms. For example; ethical questions built into a design brainstorming session; user stories built into development; privacy checklists asking a series of questions on the purpose of processing at the initial design stages etc. These measures are to be applied to identified steps within your design processes and are designed in line with how the current process works. Tailoring the measures to the current processes allows for seamless integration of the measures but it also has an additional benefit. Creating support for privacy within an organisation is key in achieving a privacy conscious culture. Showing all of those involved in the design process that you are willing to speak their language helps the generation of this support. Together, these set of measures create the Privacy by Design Toolkit.
3. Establish: Implement the measures into your design processes and train employees involved in those processes to ensure the measures are understood and executed correctly. While these measures typically do not require significant process change, the main challenge is ensuring that each measure is executed consistently at the required standard. Those executing the measures are typically not privacy specialists so educating and training the individuals is a critical success factor in achieving a sustainable PbD framework.

Think of ethics, not just compliance

Many cases have been publically aired where personal data has been used perfectly in line with the rules, but far outside societal and ethical norms. In a PbD process, measures can be built-in that aim at detecting cases like these. For instance, to what extent an idea or initiative may be considered unethical can be found by asking a number of questions that can be built into your PbD toolkit –

• Can I explain why I’m going to process your personal data and what I’m intending to do with it?
• Would my family and friends be comfortable if their personal data was used in this idea?
• Would I be happy to explain my idea in the daily news?
• Does my idea match the values of the company?

Where the answers to these types of questions point towards an attitude of trying to hide the idea from the public eye or not wanting to be part of the data processing, these are indications that the idea is unethical and may need to be redesigned.

Privacy by Design – a fixed asset in all good privacy compliance regimes

PbD is an integral to ensuring compliance with data privacy legislation for numerous reasons. Firstly, because effective PbD involves seeking independent testing of privacy and security controls, it helps to maintain best practices. PbD builds your brand by fostering greater consumer confidence and trust (through, for example, allowing post-breach incidents to better managed) and in turn supports organisations in their quest for a competitive advantage. In a reactive approach, the costs are much greater such as through class-action lawsuits, the damage to reputation and loss of consumer confidence and trust.
 

*PETs = “Privacy-Enhancing Technologies”

The article first appeared in Accountancy Ireland.