The GDPR, Europe’s keystone data protection regulation, was implemented in 2018 to give individuals more control over what happens to their personal information — and hold businesses accountable for how they manage it.
It requires businesses to put both technical and organisational measures in place to safeguard sensitive data. Under Art. 25 of the regulation, ‘Data protection by design and by default’, it also mandates that organisations take a privacy by design approach when creating their product or service.
This matters for everyone who handles sensitive information, but if your business’s data processing activities fall within the scope of the GDPR, it is vital that you are familiar with it on your journey to becoming GDPR compliant.
But what is privacy by design, and what does it mean in the context of GDPR requirements? Read on to learn more about this framework and how it will help you achieve GDPR compliance and other benefits.
On this page, you’ll find:
- The definition of GDPR privacy by design and why it matters.
- The seven principles upon which "privacy by design" is based.
- The benefits to businesses in adhering to these principles.
So what is ‘Privacy by Design’, anyway?
Privacy by Design is an approach based on taking data protection concerns into consideration right from the start when creating a system, product, service, or business practice. It requires that you integrate data protection and privacy features as essential components, rather than applying them retroactively.
An example of a system putting this into practice is a cloud storage provider that uses zero-knowledge encryption so that nobody can access its users’ passwords, not even the provider itself. Users’ passwords, and consequently their file contents, are private by virtue of the technological design of the product itself.
The privacy by design framework predates the GDPR and is well-known in systems engineering. It was developed in 1995 by Ann Cavoukian, Information and Privacy Commissioner of Ontario, in collaboration with the Dutch Data Protection Authority and the Netherlands Organisation for Applied Scientific Research.
Previously, the EU Data Protection Directive (the GDPR’s predecessor) did not mention Privacy by Design. What the GDPR did was take the already internationally recognized standard and make it an official legal requirement in the EU from 2018 onwards.
Why is privacy by design important?
In recent years, consumers have become increasingly concerned about how their data is processed due to a series of highly publicized data breaches and revelations of malpractice. Tech-savvy customers are also much more aware nowadays that with many services they use, they (and their data) are the product. This is why regulations like the GDPR now require implementing approaches like GDPR privacy by design and default.
As a result, organisations face the challenge of having to constantly innovate their services while still safeguarding sensitive information and meeting increasingly demanding international regulations.
In the era of ‘big data’, this delicate balancing act becomes even trickier. The cloud and new tools have opened up a world of opportunities when it comes to how we collaborate, but they also mean that people are constantly exchanging sensitive information inside and outside the organisations they work for. Organisational boundaries are no longer as clear-cut as they used to be.
Unfortunately, this makes it harder to track and control what happens to data, and presents significant threats if not proactively managed.
What are the 7 foundational principles of privacy by design?
Privacy by design is based on seven foundational principles:
- Proactive not reactive – preventative not remedial
Businesses must identify possible threats and prevent them before they happen, rather than trying to put a ‘band-aid’ solution in place after the fact. This also demonstrates an organisational commitment to enforcing high standards of privacy, which keeps stakeholders, customers, and regulatory authorities happy.
- Privacy as the default setting
Organisations should ensure that their ‘default setting’ is to collect data only for the specific purpose required for their product or service to function. They also have to be transparent about what they collect and why, who their data protection officer is, and minimise the collection of sensitive personal information whenever possible. Finally, they need to make opting in and opting out clear steps of the user journey, with consent notices, easy-to-understand privacy policies, and accessible user controls which empower customers to exercise their rights.
- Privacy embedded into design
Privacy measures should not be added retroactively. Instead, they should be taken into consideration from the outset (i.e. at the design phase) and be fully integrated system components. To demonstrate that this has been done, companies need to carry out a data protection impact assessment (DPIA). The ICO developed the framework and even provides templates for DPIAs to make the process smoother.
- Full functionality – positive-sum, not zero-sum
No trade-offs should be made in order to achieve legitimate and necessary design goals. For example, both privacy and security are paramount and businesses should not have to make sacrifices in either area to achieve both. GDPR privacy by design and GDPR security by design should not be contradictory objectives for a business.
- End-to-end security – full lifecycle protection
Organisations are responsible for securing personal information as long as they possess it (using appropriate methods like encryption, access controls, and permissions) and for ensuring its safe destruction when they no longer need it. Two-factor authentication, for example, is a handy feature which helps make sure that nobody gains unauthorised access to user data. It works by adding an extra step or layer of security to the identity verification process, to check that the person trying to access the account is really who they say they are.
- Visibility and transparency – keep it open
Businesses must clearly document what they are doing to ensure privacy by design, and also provide easily digestible information to data subjects about what their rights are and how to exercise them.
- Respect for user privacy – keep it user-centric
Consent is required for data processing, and data subjects must have a clear and easy way to both give it and withdraw it. Organisations also need to make it straightforward for data subjects to request their information, while maintaining its accuracy and relevance at all times, and efficiently deleting or ‘forgetting’ the data subject if asked to.
(A real-life example of a company failing to do this is when WhatsApp made it compulsory to ‘tap’ and agree to sharing information while hiding the option to say no in a concertina below.)
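The extra verification step described under the end-to-end security principle above is most often implemented as a time-based one-time password (TOTP, RFC 6238), where the user's device and the server share a secret and each derives a short code from the current time. The following is an added example, not code from the original article or from any product it mentions. It assumes a secret already enrolled on the user's device and shows the server side: deriving the code, tolerating one step of clock drift, and refusing a code that has already been accepted so it cannot be replayed. The secret and timestamps are the published RFC test values, used here as constructed input.

```python
import hashlib
import hmac
import struct
import time
from typing import Optional

# Constructed example secret: the ASCII test secret from RFC 4226 / RFC 6238.
# A real deployment generates a random secret per user at enrolment and stores
# it with the same care as a password hash.
EXAMPLE_SECRET = b"12345678901234567890"


def hotp(secret: bytes, counter: int, digits: int = 6) -> str:
    """HMAC-based one-time password (RFC 4226): HMAC-SHA1 over the 8-byte
    big-endian counter, dynamically truncated to a 31-bit integer, then
    reduced to `digits` decimal digits (zero-padded)."""
    digest = hmac.new(secret, struct.pack(">Q", counter), hashlib.sha1).digest()
    offset = digest[-1] & 0x0F
    code = struct.unpack(">I", digest[offset:offset + 4])[0] & 0x7FFFFFFF
    return str(code % (10 ** digits)).zfill(digits)


def totp(secret: bytes, at_time: float, step: int = 30, digits: int = 6) -> str:
    """Time-based one-time password (RFC 6238): HOTP with counter = floor(t / step)."""
    return hotp(secret, int(at_time) // step, digits)


def verify_totp(secret: bytes, candidate: str, at_time: Optional[float] = None,
                last_used_counter: int = -1, step: int = 30, window: int = 1,
                digits: int = 6) -> Optional[int]:
    """Return the time counter the candidate matched, or None if it is rejected.

    window:            accept codes from +/- `window` steps to tolerate clock drift.
    last_used_counter: the caller persists the counter returned by a successful
                       check and passes it back next time, so a code that was
                       already accepted (or is older than one that was) is refused.
    """
    if at_time is None:
        at_time = time.time()
    base = int(at_time) // step
    for delta in range(-window, window + 1):
        counter = base + delta
        if counter <= last_used_counter:
            continue  # replay of a consumed code, or older than one already used
        expected = hotp(secret, counter, digits)
        # Constant-time comparison so a wrong code does not leak how many
        # leading digits were right through timing differences.
        if hmac.compare_digest(expected.encode("ascii"), candidate.encode("utf-8")):
            return counter
    return None


if __name__ == "__main__":
    # RFC 6238 test vector: at Unix time 59 the 6-digit SHA1 code is 287082.
    print(totp(EXAMPLE_SECRET, 59))
    print(verify_totp(EXAMPLE_SECRET, "287082", at_time=59))
```

The returned counter is the value a server should store against the account: replay protection depends on persisting it, not on the code being short-lived, because a code stays valid across the whole drift window.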
Understanding GDPR privacy by design
GDPR privacy by design is introduced in Article 25 of the Regulation, ‘Art. 25 GDPR Data protection by design and by default’.
It specifies the following requirements:
‘Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.’
In other words, following the seven foundational principles of the privacy by design approach, the GDPR requires that businesses:
- Implement appropriate technical and organisational measures which will ensure effective data protection for customer, staff, and business partner data
- Integrate safeguards like encryption, permission and access controls, two-factor authentication and more to protect data subjects’ rights and achieve GDPR compliance
Understanding GDPR privacy by default
Article 25(2) details the following requirements for data protection by default:
‘The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.’
This relates back to the fundamental data protection principles of purpose limitation and data minimisation which are also mentioned in the seven principles of privacy by design. It reiterates that businesses must only process the data which is absolutely necessary to run their operations, product, or service, and that they need to find opportunities to limit or reduce the collection where possible.
It also means that businesses need to be very clear (with explicit consent requests, notices, understandable privacy policies, etc.) about what information they will collect and what will happen to it during its lifecycle. They need to readily inform data subjects what information they hold about them, keep it accurate and up to date, and provide transparent options when it comes to opting in or out of data processing activities.
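Article 25(1) names pseudonymisation and data minimisation as the kind of technical measures it expects, and Article 25(2) says that by default only the data necessary for each specific purpose may be processed. Both can be expressed directly in code: a per-purpose allowlist decides which fields a processing step receives (everything else is dropped by default, and an unknown purpose gets nothing), and the identifier is replaced by a keyed pseudonym so that the processing step cannot attribute the record to a person without the separately held key. The block below is an added example, not code from the original article; the purposes, field names, key and sample record are all constructed for illustration.

```python
import hashlib
import hmac
from typing import Dict, Set

# Constructed example: the fields each processing purpose is allowed to see.
# Anything not listed is dropped before the data reaches that step, so the
# default is "pass on nothing unless the purpose needs it" (Art. 25(2)).
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "order_fulfilment": {"user_id", "name", "postal_address"},
    "usage_analytics": {"user_id", "country", "plan"},
}

# Fields the purposes above never need in the clear; they are replaced by a
# keyed pseudonym. The key is held apart from the data (Art. 4(5) requires the
# additional information needed for re-identification to be kept separately).
PSEUDONYMISED_FIELDS: Set[str] = {"user_id"}

# Constructed key for this example. A real key is generated at random
# (e.g. secrets.token_bytes(32)) and stored in a secrets manager, not in code.
EXAMPLE_KEY = b"constructed-example-pseudonymisation-key"

# Constructed sample record as it might be collected at sign-up.
EXAMPLE_RECORD: Dict[str, str] = {
    "user_id": "alice@example.com",
    "name": "Alice Example",
    "postal_address": "1 Example Street, Dublin",
    "country": "IE",
    "plan": "pro",
    "date_of_birth": "1990-01-01",
}


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 of the value, truncated to 16 hex characters.
    An unkeyed hash would not do: identifiers such as e-mail addresses have low
    entropy, so an attacker could hash guesses until one matches. With an HMAC,
    only the key holder can link the pseudonym back to the identifier."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()[:16]


def minimise_for_purpose(record: Dict[str, str], purpose: str, key: bytes) -> Dict[str, str]:
    """Return only the fields `purpose` is permitted to process, with the
    identifier pseudonymised. An unknown purpose is refused rather than being
    handed the whole record."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"no field allowlist defined for purpose {purpose!r}")
    allowed = PURPOSE_FIELDS[purpose]
    out = {field: value for field, value in record.items() if field in allowed}
    for field in PSEUDONYMISED_FIELDS:
        if field in out:
            out[field] = pseudonymise(out[field], key)
    return out


if __name__ == "__main__":
    for purpose in PURPOSE_FIELDS:
        print(purpose, minimise_for_purpose(EXAMPLE_RECORD, purpose, EXAMPLE_KEY))
```

Because the same key produces the same pseudonym, the analytics step can still count and join events per user without ever seeing the e-mail address; rotating the key breaks that linkage, which is a useful property when a retention period ends.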
The benefits of privacy by design for businesses
There are numerous benefits of adhering to the principles of GDPR privacy by design and default. Businesses who follow this approach can:
- Keep business-critical data much safer with a privacy-first mindset based on prevention, testing, and continuous improvement
- Make achieving GDPR compliance easier with a risk-based approach to privacy and security
- Reduce the probability of data breaches and fines, which also means less financial loss and reputational damage
- Gain a competitive edge with a progressive brand consumers can trust and be confident in
Who is responsible for ensuring GDPR privacy by design and default?
The parties responsible for ensuring a privacy by design approach are the following:
- Data controllers (i.e. a company’s leadership team, data protection officer, executives, etc.)
- Data processors (this could be any person, product, or service used in the course of business activities, like cloud storage providers, email services, file-sharing tools, etc.)
The tricky part with data processors is that even though they are required to be compliant, the responsibility (and liability) remains with the contracting business as the data controller.
Recital 78 of the GDPR explains this further:
‘When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.’
As a result, when choosing products and services that are needed for business activities, make sure that these tools have been designed in a way that takes privacy into account. It will make your compliance journey a lot simpler to work with solutions which already qualify as GDPR compliant software. This will also ensure that you don’t get into any trouble with regulatory authorities or have unnecessary data breaches due to the design of an external product or service you use.