GDPR Top Ten: #6: Privacy by Design and by default
A good idea formalized
The General Data Protection Regulation (GDPR) changes European privacy rules significantly. The introduction of the concepts ‘Privacy by Design’ and ‘Privacy by Default’ are two of these changes. Although new as a legal requirement under the GDPR, these concepts are not new. Considering privacy from the start of the development process is essential to address privacy successfully.
10 February 2017
Essential part to the GDPR
The GDPR changes European privacy rules significantly. The introduction of the concepts ‘Privacy by Design’ and ‘Privacy by Default’ are two of these changes. Privacy by Designs holds that organizations need to consider privacy at the initial design stages and throughout the complete development process of new products, processes or services that involve processing personal data. Privacy by default means that when a system or service includes choices for the individual on how much personal data he/she shares with others, the default settings should be the most privacy friendly ones. Although Privacy by Design and Privacy by Default will become new legal requirements under the GDPR, these concepts are not new. Considering privacy from the start of the development process is essential to address privacy successfully.
Increasing efficiency by thinking of privacy in advance
Under the current Directive, data controllers already need to implement appropriate technical and organizational measures to protect data against unlawful processing. This, however, leaves room for privacy considerations to be reduced to a mere afterthought in the development process. The GDPR requires organizations to consider privacy at the earliest stage. Privacy must be one of the ingredients of a new product or service, rather than a sauce that is added at the end. This might seem complex, but it is actually easier than applying privacy considerations after a design is fully developed. When you think upfront about what personal data you want to use, for what purpose and how you will do this legitimately, it reduces the chance that you discover at a later stage that embedding privacy is technologically challenging, expensive or even impossible.
The application of Privacy by Design will therefore make the development process more efficient. Knowing what data you want to use, and giving data subjects a choice on how their data is used by applying Privacy by Default, will also make it easier to be transparent those data subjects. And transparency is key when it comes to earning the trust to collect the data in the first place. In other words: applying Privacy by Design and Privacy by Default is simply a good idea. That is why many organizations already have incorporated these concepts in to their development processes.
Embedding privacy in the design process, where to start?
In order to embed privacy in the design process several aspects must be taken into consideration.
- Operate within legal boundaries and be accountable
Under the GDPR organizations will not only be responsible for adhering to privacy principles, they must be able to demonstrate compliance with them too. A privacy strategy is essential to make choices early in the development process regarding how you want to deal with privacy within your new service or product. Assess upfront if the idea can be executed within the relevant legal boundaries. A good instrument for doing this is carrying out a Privacy Impact Assessment (PIA). A PIA will help you identify privacy risks within your new design. Don’t forget to keep your PIA findings. This will allow you to demonstrate your rationale behind certain decisions at a later stage.
- Think of ethics
The ethical aspects of the concept must also be taken into consideration early on. An organization should determine how transparent it wants to be on its data processing and how much it wants to know about data subjects involved. A helpful questions is: would you use the product or service yourself?
- Communication is key
Communication towards data subjects is very important to address at the initial design stages and throughout the complete development process. Communication lines must be clear, also when something goes wrong. For data subjects it must be clear where they can turn if they want to know more about the processing of their personal data and how they can exercise their rights.
- Data security, quality and retirement
And of course it is important to think about adequate security measures, how the quality of data can be guaranteed and what will be done with the data when the product or service retires.
Successful implementation of both Privacy by Design and Privacy by Default requires that employees - especially those involved in the development of new products and services - have enough basic knowledge on privacy. Clear policies, guidelines and work instructions related to data protection should be developed and a privacy specialist should be available to assist in applying these requirements. The development method (agile, waterfall etc.) used within the organization must be taken into account, in order to apply the concepts throughout the whole development process. This will enable the development teams to take appropriate measures in the relevant phases. And finally, when a design has been completed, it must be adopted by the organization and monitored throughout its lifetime.
Privacy by Design and by Default, what is not to like?
Mandating Privacy by Design and by Default is the formalization of a good idea. The GDPR aims to give data subjects more power over their personal data. Implementing Privacy by Design and Privacy by Default clearly reflects that aim. Offering the most privacy friendly option as a default setting will give people an actual say over which parts of their personal data can be used. The incorporation of Privacy by Design in the development process is the only way to apply privacy successfully. For organizations these concepts provide an opportunity to increase efficiency and gain data subjects’ trust. What is there not to like?
A new perspective on privacy rights that may impact your organization
What is the impact of this (new) obligation under the GDPR?