Could privacy by design (PbD) principles benefit your efforts to protect consumer and employee privacy?
What Is Privacy by Design?
Privacy by design (PbD) is the philosophy of designing privacy protections into all your business processes, protecting the information your organization collects or handles by default.
First developed by Ann Cavoukian, Ontario’s former Information and Privacy Commissioner, the PbD framework was formalized in 1995 by a team including the Dutch Data Protection Authority and the Netherlands Organisation for Applied Scientific Research.
Starting from the premise that compliance with regulatory frameworks alone is not enough, privacy by design takes a “privacy first” approach. Logically, that should make compliance with privacy regulations easier to achieve.
For most organizations, the challenge is to keep innovating in the era of Big Data while safeguarding personal and confidential data at the same time. Finding that right balance is difficult for several reasons:
- Social networking and collaboration tools offer new possibilities, but can introduce potentially serious vulnerabilities if not actively managed;
- Globalization fosters an environment where knowledge workers share information more readily, exposing organizations to a higher likelihood of information security breaches;
- Organizational boundaries are much more fluid, making it difficult to track how, where, and by whom information is stored, managed, or accessed.
Designers typically apply PbD to three areas of business operations: IT systems, business practices, and the physical, networked infrastructure. And while the principles of privacy by design work well in protecting all types of personal information, they’re especially important when safeguarding sensitive data such as medical or financial data.
Privacy by design aims to preserve consumer rights by assuring privacy and giving consumers control over their personal information. PbD also allows organizations to gain a sustainable competitive advantage. It’s most successful when privacy is incorporated into tech and systems by default — that is, designing the product with privacy as a priority.
PbD has existed as a best-practice framework since the 1990s. It became a requirement in 2018 with the passage of a groundbreaking European privacy law.
Privacy by Design and the GDPR
The European Union’s General Data Protection Regulation (GDPR), a data protection law, came into force in 2018. It requires privacy by design as well as data protection by default in all uses and applications.
Not only must organizations comply with the GDPR; they must document their PbD development processes, and present that documentation to GDPR regulators in the event of a data breach or consumer complaint.
European data protection and privacy laws are extra-territorial: they apply to all businesses that handle the personal data of EU residents, regardless of where the business is located or where the data is collected. If you serve European customers, you must comply with the GDPR.
Software developers outside the EU should consider adopting privacy by design principles within the GDPR guidelines, to provide a clear, common-sense, accountable framework for any development process.
The Principles of Privacy by Design
Published in 2009 and adopted by the International Conference of Data Protection and Privacy Commissioners (now the Global Privacy Assembly) in 2010, Ann Cavoukian’s white paper “Privacy by Design: The 7 Foundational Principles; Implementation and Mapping of Fair Information Practices” establishes the following foundational principles for privacy by design:
- Proactive not reactive; preventative not remedial.
The Privacy by Design approach is characterized by proactive rather than reactive measures, which anticipate and prevent privacy-invasive events before they happen. PbD does not wait for privacy risks to materialize, nor does it rely on after-the-fact remedies for resolving privacy invasions, whatever laws and regulations apply. Privacy by Design comes before the fact, not after.
Whether applied to information technologies, organizational practices, physical design, or networked information ecosystems, PbD begins with an explicit recognition of the value and benefits of adopting strong privacy practices, early and consistently, such as preventing internal data breaches from happening in the first place. This implies:
- A clear commitment at the highest levels of the organization to set and enforce high standards of privacy, generally higher than standards set by global laws and regulations.
- A privacy commitment shared by user communities and stakeholders, in a culture of continuous improvement.
- Established methods to recognize poor privacy design, anticipate poor privacy practices and outcomes, and correct weaknesses well before they occur in an active, systematic, and innovative way.
- Privacy as the default setting.
Privacy by Design seeks to assure that personal data is protected automatically in any given IT system or business practice. If an individual does nothing, his or her privacy remains intact. No action is required on the individual’s part to protect privacy; it is built into the system by default.
This PbD principle is guided by the following Fair Information Practices (FIPs):
- Purpose Specification: the purposes for which personal information is collected, used, retained and disclosed shall be communicated to the individual (“data subject”) at or before the time the information is collected. Specified purposes should be clear, limited and relevant to the circumstances.
- Collection Limitation: the collection of personal information must be fair, lawful and limited to what is necessary for the specified purposes.
- Data Minimization: the collection of personally identifiable information should be kept to a strict minimum. No programs, communications technologies or systems should collect or process any personal information beyond what is immediately necessary.
- Use, Retention, and Disclosure Limitation: the use, retention, and disclosure of personal information shall be limited to the relevant purposes identified to the individual, for which he or she has consented, except where otherwise required by law. Personal information shall be retained only as long as necessary to fulfill the stated purposes, then securely destroyed.
- Where the need or use of personal information is not clear, there shall be a presumption of privacy and the precautionary principle shall apply: the default settings shall be those that are most privacy-protective.
- Privacy embedded into design
Privacy by Design is embedded into the design and architecture of IT systems and business practices. It is not added on after the fact. The result? Privacy becomes an essential component of the core functionality being delivered. Privacy is integral to the system, without diminishing functionality.
Privacy must be embedded into technologies, operations, and information architectures in a holistic, integrative and creative way. “Holistic” means that additional, broader contexts must always be considered; “integrative” means that all stakeholders and interests should be consulted; “creative” means that embedding privacy protections sometimes requires an organization to reinvent existing choices because the alternatives are unacceptable. Wherever possible, identifiability, observability, and linkability of personal information should be minimized.
- A systemic, principled approach to embedding privacy should be adopted, one that relies on accepted standards and frameworks, amenable to external reviews and audits. All fair information practices should be applied with equal rigor at every step in the design and operation.
- Wherever possible, detailed privacy impact and risk assessments should be carried out and published, clearly documenting privacy risks and all measures taken to mitigate them, including consideration of alternatives and the selection of metrics.
- The privacy impacts of the resulting technology, operation or information architecture, and their uses, should be demonstrably minimized, not easily degraded through use, misconfiguration or error.
- Full functionality: positive-sum, not zero-sum
Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum, “win-win” manner, rather than a zero-sum approach where unnecessary trade-offs are made. Privacy by Design avoids the pretense of false dichotomies, such as privacy versus security; it’s possible (and far more desirable) to have both.
- Embedding privacy into a given technology, process, or system should be done so that full functionality is not impaired, and that all requirements are optimized to the greatest extent possible.
- Privacy is often positioned in a zero-sum manner as having to compete with other legitimate interests, design objectives, and technical capabilities in a given domain. Privacy by Design rejects that approach. It embraces legitimate non-privacy objectives and accommodates them in an innovative, positive-sum manner.
- All interests and objectives must be clearly documented, desired functions articulated, metrics agreed upon and applied, and trade-offs rejected as often being unnecessary — all in favor of finding a solution enabling multi-functionality.
Additional recognition is given to creativity and innovation in achieving all objectives and functionalities in an integrative, positive-sum manner. Entities that overcome outmoded zero-sum choices demonstrate first-class global privacy leadership.
- End-to-end security: full lifecycle protection
Privacy by Design, embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved. Strong security measures are essential to privacy, from start to finish, to assure that all data are securely retained, then securely destroyed at the end of the process in a timely fashion. Privacy by Design thus ensures secure management of information throughout the entire “information lifecycle.”
Privacy must be continuously protected across the entire domain and throughout the lifecycle of the data in question, with no gaps in either protection or accountability. The security principle has special relevance here; without strong security, there is no privacy.
- Security: Entities must assume responsibility for the security of personal information (generally commensurate with the degree of sensitivity) throughout its entire lifecycle, consistent with standards developed by recognized standard-setting groups.
- Applied security standards must assure the confidentiality, integrity, and availability of personal data throughout its lifecycle. This includes methods of secure destruction, appropriate encryption, and strong access control and logging methods.
- Visibility and transparency: keep it open
Privacy by Design seeks to assure all stakeholders that whatever business practice or technology involved, it operates according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent to users and providers. Remember: trust but verify!
Visibility and transparency are essential to establishing accountability and trust. This PbD principle tracks to Fair Information Practices in their entirety, but for auditing purposes, special emphasis may be placed upon the following FIPs:
- Accountability: The collection of personal information entails a duty of care for its protection. Responsibility for all privacy-related policies and procedures shall be documented and communicated as appropriate, and assigned to a specified individual. When transferring personal information to third parties, equivalent privacy protection through contractual or other means shall be secured.
- Openness: Openness and transparency are key to accountability. Information about policies and practices relating to the management of personal information shall be made readily available to individuals.
- Compliance: Complaint and redress mechanisms should be established, and information communicated about them to individuals, including how to access the next level of appeal. Take necessary steps to monitor, evaluate, and verify compliance with privacy policies and procedures.
- Respect for user privacy: keep it user-centric
Above all, Privacy by Design requires architects and operators to keep individual interests uppermost, using measures such as strong privacy defaults, appropriate notice, and empowering user-friendly options.
The best Privacy by Design results are usually those consciously designed around the interests and needs of individual users, who have the greatest interest in the management of their personal data.
Empowering data subjects to play an active role in the management of their own data may be the single most effective check against abuses and misuses of privacy and personal data. Respect for User Privacy is supported by the following FIPs:
- Consent: The individual’s free and specific consent is required for the collection, use, or disclosure of personal information, except where otherwise permitted by law. The greater the sensitivity of the data, the clearer and more specific the quality of the consent required. Consent may be withdrawn at a later date.
- Accuracy: Personal information shall be as accurate, complete, and up to date as is necessary to fulfill the specified purposes.
- Access: Individuals shall be provided access to their personal information and informed of its uses and disclosures. Individuals shall be able to challenge the accuracy and completeness of the information and have it amended as appropriate.
- Compliance: Organizations must establish complaint and redress mechanisms, and communicate information about them to the public, including how to access the next level of appeal.
- Respect for User Privacy goes beyond these FIPs, extending to the need for human-machine interfaces to be human-centered, user-centric and user-friendly.
- Remove requirements for unnecessary app permissions, especially those that imply privacy invasion such as access to contacts or to the microphone.
- Audit the security of your systems (see below) so informed privacy decisions may be reliably exercised. Similarly, business operations and physical architectures should demonstrate the same degree of consideration for the individual, who should feature prominently at the center of operations involving collections of personal data.
Privacy by Design: Right for You?
Ensuring privacy and security through every phase of the data lifecycle (collection, use, retention, storage, disposal or destruction) has become crucial in avoiding legal liability, maintaining regulatory compliance, protecting your brand, and preserving customer confidence.
Achieving PbD has a number of other benefits for organizations, including:
- Assuring compliance by getting ahead of the legislative curve and minimizing compliance risk;
- Reducing the likelihood of fines and penalties, including financial losses or liability associated with privacy breaches;
- Building your brand by fostering greater consumer confidence and trust, thereby gaining a sustainable competitive advantage;
- Better managing of post-breach incidents, regaining consumer trust and confidence.
A Privacy Impact Assessment (PIA) is how you document the issues, questions and actions required to implement a healthy privacy by design process in a project. PIAs are a core requirement of GDPR; yours will determine what happens if you have a data breach or other privacy protection issue. In the event of a data protection issue, your PIA may determine the scope of an investigation by a regulatory authority.
Auditing the security of your systems involves establishing adequate technical and security measures to protect user data. You must document these measures and provide the documentation to a regulator upon request.
- Minimize the amount of data you collect.
- Minimize the amount of data you share with third parties.
- Whenever possible, pseudonymize personal data.
- Revisit contact forms, sign-up pages and customer-service entry points.
- Enable the regular deletion of data created through these processes.
- Provide clear privacy and data sharing notices.
- Embed granular opt-ins through these notices.
- Don’t require social media registration to access the app.
- Don’t enable social media sharing by default.
- Maintain best practices by seeking independent testing of privacy and security controls, rather than relying on self-reporting or internal testing alone.
Though there is no checklist of ready-made questions to help you achieve privacy by design, your organization can take these basic steps to achieve PbD:
- Create a PIA template for your business to use for all functions involving personal data (see above).
- Review contracts with partners and third parties, ensuring the data you pass on to them is being processed in accordance with PbD and GDPR. Separate consent for essential third-party data sharing from consent for analytics and advertising.
End of Engagement and Mothballing
- Periodically remind users to review and refresh their privacy settings.
- Allow users to download and delete old data.
- Delete the data of users who have closed their accounts.
- Delete all user data when the app’s life comes to an end.
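The following is an added illustration, not code from the article or from any product it mentions, of how several items from the security-audit checklist above (collection limitation, pseudonymization, opt-ins that default to off) and the end-of-engagement steps (deleting closed accounts, regular deletion of old data) can be built into a sign-up store by default. The field names, the 30-day retention period and the pseudonymization key are assumptions; in practice the key would live in a secret store, separate from the data.

```python
import hmac
import hashlib
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Assumption: in production the key lives in a KMS or secret store, apart from
# the data. Destroying the key makes every pseudonym unlinkable to a person.
PSEUDONYM_KEY = b"constructed-demo-key-rotate-me"
ALLOWED_FIELDS = {"email", "display_name"}   # collection limitation
RETENTION = timedelta(days=30)               # keep data only as long as needed


def pseudonymize(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed HMAC-SHA256: stable per key (joins work), not reversible without it."""
    return hmac.new(key, value.strip().lower().encode(), hashlib.sha256).hexdigest()


@dataclass
class Record:
    user_id: str          # pseudonym; the raw e-mail is never stored
    display_name: str
    created: datetime
    # Granular opt-ins, all off unless the user acts: privacy as the default.
    consents: dict = field(default_factory=lambda: {
        "analytics": False, "advertising": False, "social_sharing": False})


class SignupStore:
    def __init__(self, now=lambda: datetime.now(timezone.utc)):
        self.records = {}   # user_id -> Record
        self.now = now      # injectable clock so retention can be tested

    def collect(self, form: dict) -> Record:
        """Keep only the fields the stated purpose needs; drop everything else."""
        data = {k: v for k, v in form.items() if k in ALLOWED_FIELDS}
        rec = Record(user_id=pseudonymize(data["email"]),
                     display_name=data.get("display_name", ""),
                     created=self.now())
        self.records[rec.user_id] = rec
        return rec

    def opt_in(self, user_id: str, purpose: str) -> None:
        """Consent is explicit and per purpose; unknown purposes are rejected."""
        consents = self.records[user_id].consents
        if purpose not in consents:
            raise ValueError(f"unknown purpose: {purpose}")
        consents[purpose] = True

    def close_account(self, email: str) -> bool:
        """End of engagement: delete the user's data, located via the pseudonym."""
        return self.records.pop(pseudonymize(email), None) is not None

    def purge_expired(self) -> int:
        """Regular deletion: remove every record older than the retention period."""
        cutoff = self.now() - RETENTION
        expired = [uid for uid, r in self.records.items() if r.created < cutoff]
        for uid in expired:
            del self.records[uid]
        return len(expired)
```

Pseudonymized records remain personal data under the GDPR for as long as the key exists, so the key needs the same lifecycle controls (access control, logging, secure destruction) as the data it protects.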
Privacy by Design: Other Recommendations
Companies processing certain kinds of data must appoint a Data Protection Officer (DPO) under GDPR. This person is legally accountable for your organization’s privacy compliance, including PbD. Your DPO does not have to be in-house or full-time.
All organizations should consider voluntarily appointing a DPO to act as the “health and safety officer for privacy” and to keep the development process legally compliant.
Instead of viewing privacy by design as a checklist of boxes to be ticked because “the law says so,” organizations should use PbD to think creatively about all the ways user data can be misused, accessed, stolen, shared or combined.
Adopting PbD into your development workflow is an opportunity to improve your policies, practices and products by incorporating privacy into your organization’s culture. Your users will be better protected, your organization’s reputation will improve, and you will be well on your way to healthy and legal compliance.
Privacy by Design and ZenGRC
Tools exist to help your organization with its compliance efforts. ZenGRC from Reciprocity streamlines the execution of risk and compliance work, alerting you in real time to issues and vulnerabilities.
ZenGRC can help you manage risk and compliance with confidence, providing a flexible solution that lets you find the optimal deployment based on your needs.
Allowing you to easily remediate any weaknesses, either through security patches to software or through changes to data collection practices, ZenGRC helps your organization be better prepared to report risk assessments and remediations to other parties.
Similarly, ZenGRC can integrate new threat alerts or updated regulations into your existing compliance program as they come along.
Schedule a demo today to learn more about how ZenGRC can help you and your organization improve your cybersecurity posture.