Introduction
The protection of personal data is ensured by the principles provided within different data protection frameworks. Under the GDPR, these principles are as follows: the lawfulness, fairness and transparency principle, the purpose limitation principle, the data minimisation principle, the storage limitation principle, the accuracy principle, the security principle and the accountability principle. These principles are the fulcrum upon which the protection of personal data can be guaranteed. To ensure that these principles are implemented, the framework on privacy by design was developed and accepted by the International Assembly of Privacy Commissioners & Data Protection Authorities in 2010 as an international standard.
What is Data Protection by Design and Data Protection by Default?
The concept of data protection by design, provided in Article 25 of the GDPR, means incorporating data protection principles into the development, and throughout the lifespan, of technological products, systems, business practices and projects, so that data protection is taken into account from the start of the project rather than as an afterthought.
According to Cavoukian, former Information and Privacy Commissioner of Ontario, Canada, privacy by design is “the philosophy and methodology of embedding privacy into the design specifications, information technologies, business practices, and networked infrastructures as a core functionality.” In other words, organisations are expected to bake in and implement technical and organisational measures at the earliest stages of the design of their processing operations in a way that safeguards privacy and data protection principles right from the start.
Privacy by default, on the other hand, means that if the system provides choices for the data subject regarding how much personal data he/she wants to share with others, the default settings should be the strictest ones.
There are seven foundational principles of privacy by design:
a) proactive, not reactive, preventative, not remedial: explicit recognition of the value and benefits of proactively adopting strong privacy practices early and consistently in order to prevent privacy risks from occurring and not as an afterthought when a privacy issue has occurred;
b) privacy as the default setting: the collection of personal information must be fair, lawful and limited to what is necessary for the specified purposes. The design of programs, information and communications technologies, and systems should begin with non-identifiable interactions and transactions as the default. Wherever possible, identifiability, observability, and linkability of personal information should be minimized;
c) privacy embedded into design: privacy is embedded into the design of business processes, technologies, operations, and information architectures in a holistic, integrative and creative way;
d) full functionality – positive–sum, not zero-sum: accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through a dated, zero-sum approach, where unnecessary trade-offs are made. Privacy by Design avoids the pretence of false dichotomies, such as privacy vs security, demonstrating that it is possible, and far more desirable, to have both;
e) end-to-end security – full lifecycle protection: privacy must be continuously protected across the entire life-cycle of personal data. There should be no gaps in either protection or accountability. Security has special relevance here because, without strong security, there can be no privacy;
f) visibility and transparency: Privacy by Design seeks to ensure that regardless of the business practice or technology involved, it is, in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent to both users and providers;
g) respect for user privacy: above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options.
Why You Need to Implement Data Protection by Design
There are various reasons why it is important to implement data protection by design and default. The most popular reason is to avoid a penalty for breach. Other reasons include the power imbalance between the controllers (company/organisation) and data subjects (product users), and the data protection awareness level of data subjects: many data subjects, especially in developing countries, are not aware of processing activities and their consequences and have a tendency to overshare information while using online products. The implementation of privacy by design serves to protect these users.
How to Implement Data Protection by Design
In implementing data protection by design and default within a company or organisation’s business process or technology, the processing activity must be analysed and a data protection impact assessment (DPIA) conducted where necessary.
To ensure data protection by design, a DPIA must be conducted before any type of processing that is “likely to result in a high risk”. This means that although you have not yet assessed the actual level of risk, you need to screen for factors that point to the potential for a widespread or serious impact on individuals.
Under the GDPR a DPIA must be conducted if you plan to:
- use systematic and extensive profiling with significant effects;
- process special category or criminal offence data on a large scale; or
- systematically monitor publicly accessible places on a large scale.
Other measures that can be taken to ensure privacy by design and default are embedding data pseudonymisation, encryption, and anonymisation/de-identification into the engineering process of the product or business model.
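The following added example (not part of the original article) shows what embedding these measures in the engineering process can look like in code: keyed pseudonymisation of direct identifiers, purpose-based data minimisation, and strict privacy-by-default settings. The purpose list, field names, key and sample record are constructed for the example.

```python
import hmac
import hashlib

# Purpose limitation: each processing purpose names the only fields it may receive.
# Purposes and field lists are constructed for this example.
PURPOSE_FIELDS = {
    "shipping": {"name", "address"},
    "analytics": {"country", "signup_year"},
}

# Privacy by default: the strictest sharing settings apply unless the data subject opts in.
DEFAULT_PREFERENCES = {"profile_public": False, "marketing_email": False}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym (HMAC-SHA256). The key is the 'additional information' that must
    be kept separately from the pseudonymised data; without it, the pseudonym cannot be
    linked back to the identifier, and an unkeyed hash would not give that guarantee."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_for_purpose(record: dict, purpose: str, key: bytes) -> dict:
    """Produce the dataset handed to one downstream purpose: the direct identifier is
    replaced by a pseudonym and only the fields that purpose needs are copied."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"unknown purpose: {purpose}")
    out = {"subject": pseudonymise(record["user_id"], key)}
    for field in PURPOSE_FIELDS[purpose]:  # data minimisation
        if field in record:
            out[field] = record[field]
    return out


def new_account(email: str, user_id: str, **chosen) -> dict:
    """Create an account with strict defaults; only explicit choices loosen them."""
    prefs = dict(DEFAULT_PREFERENCES)
    for k, v in chosen.items():
        if k in prefs:  # unknown keys cannot smuggle in new sharing options
            prefs[k] = bool(v)
    return {"email": email, "user_id": user_id, "preferences": prefs}


# Constructed sample record and key (a real key would come from a separate secret store).
SAMPLE_KEY = b"constructed-demo-key-not-for-production"
SAMPLE_RECORD = {"user_id": "u-1001", "email": "ada@example.org", "name": "Ada",
                 "address": "1 Example St", "country": "IE", "signup_year": 2023}
```

The analytics purpose never sees the e-mail address or name, and the pseudonym is stable within one key, so records can still be joined for that purpose.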
To incorporate privacy into the system model, you should begin with the following points at the earliest stage (at a minimum):
- Having a documented organizational commitment to data protection standards (including corporate culture, business practices, and business services)
- Appointing a data protection officer (DPO) if applicable or using a data protection advisor (non-GDPR cases).
- Establishing a data protection framework (including encryption and anonymization)
- Creating and documenting a record-keeping system for processing activities
- Identifying a risk management system (including compliance management)
- Updating privacy training for employees who handle personal data (both for customers and other employees)
- Using self-assessment to audit and monitor the implementation of the documented systems above
- Establishing security measures used to avoid incidents and breaches
Conclusion
The importance of implementing data protection by design and default cannot be over-emphasised, as data protection compliance is likely to be difficult without it. Given how relevant protecting individuals’ privacy and personal data has become, companies and organisations must ensure they employ the services of privacy experts who can ensure and guarantee that individuals’ personal data will be protected and data protection laws complied with. These experts are data protection officers.