Planning for privacy by design
By Bernard Farrugia
Within the European Union, the number of businesses that suffered data breaches in 2016 was 161. The attacks resulted in the theft or loss of 183.4 million records, almost double from 94.8 million reported in the previous year[i]. These are just the cases that are known and have been reported. So far, the EU does not have a uniform data breach notification statute. While some member states enacted breach notification legislation, there is far less synchronisation between EU member states collectively. This is expected to change as, on May 25 2018, the General Data Protection Regulation (“GDPR”) shall come into force (replacing the Data Protection Directive 95/46/EC) and will, for the first time, harmonise breach notification requirements. So how does an organisation ensure that they have the proper systems in place to minimise such data breaches and their subsequent notification requirements?
One of the new requirements of this regulation is that personal data should be protected by design and by default. Highlighted under Article 25 of the GDPR, data controllers are responsible for implementing ‘privacy by design’ (or privacy by default) through technical and organisational measures designed to implement data protection principles with the overall aim of protecting the rights of data subjects.
The whole concept of ‘privacy by design’ is characterised by proactive measures, i.e. anticipating and addressing the risk of negative privacy events before they occur. With these measures in place, potential problems are identified at the outset, thus enabling organisations to plan ahead and reducing the likelihood of such events actually happening. It also helps organisations to:
- increase their awareness of privacy and data protection;
- meet their legal obligations; and
- reduce the chances of regulatory breaches.
The GDPR does not prescribe specific technical and organisational measures in Article 25 (with the exception of one example, pseudonymisation). On the one hand, this offers organisations the flexibility to implement their own modus operandi, on the other hand some may feel there is insufficient guidance around how to achieve ‘privacy by design’.
So what are the key considerations?
For successful implementation of ‘privacy by design’ the following should be considered:
- Conduct DPIA: Under the GDPR, organisations must be able to demonstrate compliance with data protection principles. A sensible way to do this is to evaluate the organisation’s privacy stance through a Data Privacy Impact Assessment (DPIA). A DPIA is an integral part of the privacy by design approach. Although the performance of the DPIA is only required for those organisations that have been classified as high risk (see Article 35 of the GDPR), such assessments would enable organisations to analyse systematically and thoroughly how a particular project or system will affect the privacy of the personal data subjects involved. Think of a DPIA as a risk assessment specific to privacy. In fact, one can integrate the core principles of the DPIA process within the existing project and risk management policies and processes.
- Implement Design Strategy: In a previous article in the publication on GDPR, written by my colleague Dominic Fisher, he wrote:
“A project that places strategy at its heart is more likely to engage management and create joined up thinking.”
Having a design strategy which flows from organisational objectives is paramount to the necessary cultural transformation associated with GDPR compliance and the trickle-down effect that comes with it. Three pertinent strategies highlighted by Jaap-Henk Hoepman in his paper ‘Privacy Design Strategies’, describe what organisations should focus on so as to implement the right strategies:
- a) Minimise: the amount of personal data that is collected, processed, stored and disseminated should be restricted to the minimal amount possible. Logically, collecting less information minimises the impact of a system breach. Examples might include requesting the minimum legal required information when performing your KYC checks and anonymising personal data using pseudonyms (or pseudonymisation), that is, using aliases or hashes to hide the identity of the individual whose personal information is stored on your system.
- b) Hide: personally identifiable information, and their respective interrelationships, should be hidden from plain view. Hidden data cannot be misused, unless discovered. Measures which can be applied include (i) pseudonymisation as mentioned above; (ii) implementation and enforcement of a data classification policy. Each dataset, whether on stored physically or electronically, should be classified and access rights to that data should be assigned on a need-to-know basis; and (iii) the use of encryption (both for data which is stored and in transit).
- c) Inform: Data subjects should be adequately informed about how their personal data is used. Declarations made by companies on their websites should include the type of personal data that they collect, how are companies using this data, what other parties are privy (or given access) to such data. Data breach notifications are also included in this category.
Adhering to the concept of privacy by design from the outset helps organisations to identify the risks at a much earlier stage in the development cycle of their product or service, and would probably be more cost-effective in the long term. It is clear that the core objective of this GDPR requirement is to instil trust and transparency between data subjects and the private and public bodies in possession of their data, something which appears to be lacking at the moment.