The GDPR, Europe’s keystone data protection regulation, was implemented in 2018 to give individuals more control over what happens to their personal information — and hold businesses accountable for how they manage it.
It requires businesses to put both technical and organisational measures in place to safeguard sensitive data. Under Art. 25 of the regulation, ‘Data protection by design and by default’, it also mandates that organisations adopt a privacy by design approach when creating their product or service.
This matters for everyone who handles sensitive information, but if you are a business whose data processing activities fall within the scope of the GDPR, it is vital that you become familiar with it on your journey to GDPR compliance.
But what is privacy by design, and what does it mean in the context of GDPR requirements? Read on to learn more about this framework and how it will help you achieve GDPR compliance and other benefits.
Privacy by Design is an approach based on taking data protection concerns into consideration right from the start when creating a system, product, service, or business practice. It requires that you integrate data protection and privacy features as essential components, rather than applying them retroactively.
An example of a system putting this into practice is a cloud storage provider that uses zero-knowledge encryption so that nobody can access its users’ passwords, not even the provider itself. Users’ passwords, and as a result their file contents, are private by virtue of the technological design of the product itself.
Related reading:
What is Zero Knowledge Encryption and why you need it from the services you use
The privacy by design framework predates the GDPR and is well-known in systems engineering. It was developed in 1995 by Ann Cavoukian, Information and Privacy Commissioner of Ontario, in collaboration with the Dutch Data Protection Authority and the Netherlands Organisation for Applied Scientific Research.
Previously, the EU Data Protection Directive (the GDPR’s predecessor) did not mention Privacy by Design. What the GDPR did was take the already internationally recognized standard and make it an official legal requirement in the EU from 2018 onwards.
In recent years, consumers have become increasingly concerned about how their data is processed, following a series of highly publicised data breaches and revelations of malpractice. Tech-savvy customers are also much more aware nowadays that, with many of the services they use, they (and their data) are the product. This is why regulations like the GDPR now require approaches such as privacy by design and by default.
As a result, organisations face the challenge of having to constantly innovate their services while still safeguarding sensitive information and meeting increasingly demanding international regulations.
In the era of ‘big data’, this delicate balancing act becomes even trickier. The cloud and new tools have opened up a world of opportunities for collaboration, but they also mean that people are constantly exchanging sensitive information inside and outside the organisations they work for. Organisational boundaries are no longer as clear-cut as they used to be.
Unfortunately, this makes it harder to track and control what happens to data, and presents significant threats if not proactively managed.
Learn more about secure cloud storage options here:
Safest cloud storage for business of 2021: 9 best solutions
Privacy by design is based on seven foundational principles:
Learn more about two-factor authentication here:
How does two-factor authentication work & why to set it
GDPR privacy by design is introduced in Article 25 of the Regulation, ‘Art. 25 GDPR Data protection by design and by default’.
It specifies the following requirements:
‘Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.’
In other words, following the seven foundational principles of the privacy by design approach, the GDPR requires that businesses:
Article 25(2) details the following requirements for data protection by default:
‘The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.’
This relates back to the fundamental data protection principles of purpose limitation and data minimisation, which are also among the seven principles of privacy by design. It reiterates that businesses must only process the data that is strictly necessary to run their operations, product, or service, and that they need to find opportunities to limit or reduce collection wherever possible.
It also means that businesses need to be very clear (with explicit consent requests, notices, understandable privacy policies, etc.) about what information they will collect and what will happen to it over its lifecycle. They need to readily inform data subjects what information they hold about them, keep it accurate and up to date, and provide transparent options for opting in to or out of data processing activities.
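To make Article 25 concrete, here is an added example (not code from the article or from Cubbit) of what ‘by design and by default’ can look like in an intake routine: each processing purpose has a documented allow-list of fields, direct identifiers are pseudonymised where the purpose does not need them, and every record gets a fixed deletion date and a non-public default. The purposes, field names and retention periods are constructed for illustration, not taken from the regulation.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed example policy (assumed values, not from the article): for each
# processing purpose, the only fields that may be collected (data minimisation),
# which of them are replaced by a pseudonym (Art. 25(1) names pseudonymisation
# as a technical measure), and how long the record may be stored (Art. 25(2)).
PURPOSE_POLICY = {
    "order_fulfilment": {"fields": {"email", "postal_address"},
                         "pseudonymise": set(), "retention_days": 3650},
    "usage_analytics": {"fields": {"email", "page"},
                        "pseudonymise": {"email"}, "retention_days": 90},
}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256). Re-identification needs the key, which the
    controller keeps separately from the records; that separation is what makes
    this pseudonymisation rather than plain hashing."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def collect(submitted: dict, purpose: str, key: bytes, collected_on: date) -> dict:
    """Store only what the declared purpose needs, pseudonymise identifiers the
    purpose does not need in clear, and default to restricted access and a
    fixed deletion date."""
    if purpose not in PURPOSE_POLICY:
        raise ValueError(f"no documented purpose: {purpose}")  # no purpose, no processing
    policy = PURPOSE_POLICY[purpose]
    data = {}
    for field, value in submitted.items():
        if field not in policy["fields"]:
            continue  # dropped: not necessary for this purpose
        data[field] = pseudonymise(value, key) if field in policy["pseudonymise"] else value
    return {
        "purpose": purpose,
        "data": data,
        "dropped_fields": sorted(set(submitted) - policy["fields"]),  # for the audit log
        "delete_after": collected_on + timedelta(days=policy["retention_days"]),
        "public": False,  # not accessible to an indefinite number of persons by default
    }


def is_expired(record: dict, today: date) -> bool:
    """Storage-period check: run periodically and delete records that return True."""
    return today > record["delete_after"]
```

The same submitted form yields different stored records depending on the purpose declared: order fulfilment keeps the e-mail in clear because it needs it, while analytics only ever sees a pseudonym and loses the record after 90 days.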
There are numerous benefits to adhering to the principles of GDPR privacy by design and by default. Businesses that follow this approach can:
The parties responsible for ensuring a privacy by design approach are the following:
The tricky part with data processors is that, even though they are required to be compliant, the responsibility (and liability) remains with the contracting business as the data controller.
Recital 78 of the GDPR explains this further:
‘When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.’
As a result, when choosing the products and services your business activities need, make sure these tools have been designed with privacy in mind. Working with solutions that already qualify as GDPR compliant software makes your compliance journey a lot simpler. It also reduces the risk of trouble with regulatory authorities, or of avoidable data breaches caused by the design of an external product or service you use.
Need more information on keeping your data safe in the cloud?
Check out our detailed GDPR guide on GDPR compliant file storage and backup here