The General Data Protection Regulation (GDPR) suggests several ways for organizations to approach data protection. One of these is the legal approach called Privacy by Design, mentioned in Article 25.
What does Privacy by Design mean, why is it important for the GDPR, and how can you implement it? Read the blog to find out.
What Is Privacy by Design?
Privacy by Design was first mentioned in a 1990 report published by Ontario’s Information and Privacy Commissioner, Ann Cavoukian, which defined Privacy by Design as the “philosophy and approach of embedding privacy into the design specifications of various technologies.”
Since then, it has become accepted as a best practice supported by data protection authorities worldwide.
Basically, Privacy by Design means incorporating data protection practices into projects, products, and technologies at the outset of the processes, and implementing a proactive approach to privacy.
Privacy by Design and the GDPR
Privacy by Design contains two approaches, referred to as “data protection by design” and “data protection by default.”
Article 25 of the GDPR states: “The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects”.
Many other privacy laws around the world generally follow the GDPR and also require the Privacy by Design approach for personal data management. Quebec’s Law 25, South Korean PIPA, Switzerland’s FADP, Brazil’s LGPD, and other privacy laws require a built-in personal data protection system and/or the appointment of a person responsible for data protection.
Why Should Companies Care about Privacy by Design?
First, the Privacy by Design principle is required by some data protection authorities.
For example, in November 2022, the Irish Data Protection Authority issued a €265 million fine against Meta, saying that Meta failed to comply with GDPR’s privacy by design and default.
Second, users are concerned about their data privacy and in most cases choose products or services based on the company’s attitude towards privacy.
2022 research by Google and Ipsos showed that neglecting users’ privacy is almost as unsatisfactory as a data breach. 43% of individuals said that they would switch from their preferred brand to a new one if the latter offered a better privacy experience.
Overall, the Privacy by Design approach could have many benefits for companies:
- Comply with data privacy laws.
- Avoid data breaches and fines by data protection authorities.
- Avoid risk to brand reputation.
- Build users’ trust and confidence, standing out from the competitors.
Implementing Privacy by Design requires embedding data privacy in your company’s culture.
CookieScript Consent Management Platform can help you to comply with all major privacy laws, including the GDPR, avoid data breaches and fines by data protection authorities, and build users’ trust and confidence by respecting user privacy.
The Seven Privacy by Design Principles
The concept of Privacy by Design is based on seven fundamental principles.
- Proactive not reactive; preventative not remedial
This privacy-first attitude requires taking a proactive rather than reactive approach. Instead of reacting to privacy risks when they happen, companies should actively implement adequate procedures and secure practices to identify privacy risks and prevent data breaches before they happen.
- Privacy as the default setting
Companies are advised to design their systems with privacy-by-default features so that minimal effort is required to keep personal data safe, personal data is automatically protected, and there is little or no possibility for misuse of the data. Such privacy features could be data minimization, data encryption, anonymization, deletion of data when it is no longer needed, etc.
- Privacy embedded into design
Companies should take a privacy-first approach, i.e. they should build privacy into the design of a product, process, or system from the beginning. For example, companies should use encryption and authentication, delete data when it is no longer needed, and regularly check for privacy risks.
- Full functionality – positive-sum, not zero-sum
Privacy should be a positive-sum goal, a “win-win” situation between the company and its customer, not a zero-sum goal. Companies shouldn’t trade off between privacy and other functionalities. They can have privacy, profit, and growth without sacrificing any one of them. For example, it’s not a good practice to limit users’ access to certain features in exchange for their data.
- End-to-end security – full lifecycle protection
Strong security measures are essential to privacy from start to finish. Companies should ensure data security throughout the full lifecycle of data, starting from data collection to sharing it with third parties, and finishing with data deletion.
For example, companies should only collect data that they need and for which they have a legitimate interest.
Companies should also sign corresponding contracts with third parties regarding personal data management. Companies should use only specific devices and secure company networks for data transfer, avoiding insecure public networks for the transfer of personal data to third parties. They can establish internal policies to ensure that all employees are trained and know how to manage personal data.
- Visibility and transparency
Privacy by Design requires documenting and communicating privacy-related actions clearly, consistently, and transparently. Being open with users about your privacy policies and procedures will build trust in the company. Communicate procedures consistently through privacy policies. All information should be open and easy to understand. Companies should provide access to users’ data, and handle any other request regarding data privacy, through user-friendly platforms.
- Respect for user privacy
Companies should be user-centric: they should implement strong privacy-by-default safeguards, offer user-friendly choices, and communicate privacy-related actions clearly.
For example, when they need to get user consent to process individual data, they should provide users with sufficient information that is clearly written and easy to understand, and should not prevent users from using services if consent is not given or try to trick them into giving consent in other ways.
Frequently Asked Questions
What Is Privacy by Design?
Why should companies care about Privacy by Design?
First, the Privacy by Design principle is required by some data protection laws, like the GDPR. Second, users are concerned about their data privacy and in most cases choose services based on the company’s attitude towards privacy. CookieScript CMP can help you to protect user privacy and comply with all major privacy laws.
Does GDPR require Privacy by Design?
Article 25 of the GDPR requires Privacy by Design. Specifically, it requires making privacy the default setting, taking a privacy-first approach, building privacy into the design, and using technical and organizational features, like data minimization, data encryption, anonymization, and deletion of data when you no longer need it, to protect EU citizens’ privacy and comply with the GDPR. CookieScript CMP can help you to comply with the GDPR and other privacy laws.
What are the principles of Privacy by Design?
The concept of Privacy by Design is based on seven principles: proactive not reactive; privacy as the default setting; privacy embedded into the design; full functionality – positive-sum, not zero-sum; end-to-end security – full lifecycle protection; visibility and transparency; and respect for user privacy. Read the CookieScript blog to stay updated on privacy laws and new regulations.