To stand out from the crowd, organizations have to look beyond mere compliance with regulatory frameworks.
Privacy by Design – Where it all started
“Do you understand, accept, and agree to the terms and conditions?” Think about the number of times your answer has been “yes,” without considering the consequences of not being informed about what you are agreeing to, which of your personal information is being processed, for how long, and for what purposes. We have all been there. As Obar and Oeldorf-Hirsch put it, this is “the biggest lie on the internet.” This, among many other examples, is proof of our collective negligence of privacy.
As we delve into the world of technological advancements, we see a constantly growing number of internet users (to this day, there are more than 5 billion active internet users in the world). The past few years have seen the greatest data breaches in the history of the internet, leading to a great debate among the public and information security experts. Hence, privacy concerns have arisen. But are we entirely powerless against this invasion of privacy?
Several initiatives have been taken to address this concern. One of the most notable was taken in 1995, when Ann Cavoukian and the team of the Information and Privacy Commissioner of Ontario (Canada), together with the Dutch Data Protection Authority and the Netherlands Organization for Applied Scientific Research, introduced Privacy by Design, an approach to systems engineering. This approach was published in 2009 and was quickly recognized as fundamental to the protection of privacy by the assembly of International Data Protection and Privacy Commissioners in Jerusalem in 2010. The idea behind this approach was to take proactive measures and design systems so as to prevent privacy breaches rather than correct them, thus making privacy the default mode of operation. Applying Privacy by Design means embedding privacy measures into the design of systems, mostly IT systems (e.g., when developing new IT systems, products, or strategies that involve the processing of personal data).
The 7 Foundational Principles of Privacy by Design
Privacy by Design is based on 7 foundational principles that apply to all kinds of personal information, with special attention given to sensitive data (e.g., medical and financial data).
1. Proactive not Reactive; Preventative not Remedial
This principle exists to anticipate and prevent privacy-invasive events before they occur, rather than to react to them afterwards.
2. Privacy as the Default Setting
This principle requires the automatic protection of data in any system or database, without any further action required from the persons whose data are being processed. In other words, the protection measures are built in by default.
3. Privacy Embedded into Design
Privacy by Design is embedded in the early stages of the design and architecture of IT systems and business practices.
4. Full Functionality – Positive-Sum, not Zero-Sum
This principle involves integrating both privacy and security into systems without having to sacrifice one for the sake of the other. This is a positive-sum approach.
5. End-to-End Security – Full Lifecycle Protection
This principle ensures that personal data are secured throughout the processing lifecycle, until they are no longer needed and are destroyed accordingly.
6. Visibility and Transparency
It is of utmost importance that all information regarding the processing is transparent and visible to the parties concerned. This includes specifying the purpose for which the data are used, the time needed for the processing, and so forth.
7. Respect for User Privacy
By adhering to this principle, companies ensure that the interests of individuals are not disregarded. Individuals should be informed of their rights to give and withdraw consent, to request access to their personal data, and to request modification and erasure of their data.
Privacy by Design in the Context of the GDPR
The General Data Protection Regulation is among the most renowned regulations in EU law, setting out rules for the protection of personal data. Its main purpose is to safeguard the rights and freedoms of individuals with regard to the protection of their personal data.
The territorial scope of the GDPR covers organizations operating in the EU and those that market their products to, or process the personal data of, EU residents. Infringement of this data protection regime is costly, depending on the nature and severity of the violation. Businesses of any type or field of operation can be subject to administrative fines. For less severe violations, the fine can be up to €10 million or 2% of the annual turnover of the previous fiscal year, whichever is higher; for serious infringements, the fine can be up to €20 million or 4% of the annual turnover of the previous fiscal year, whichever is higher.
So, should you be worried?
Most likely, yes! If you control, process, or store any personal data of EU residents, the GDPR will apply to you. The GDPR also specifies that if you have another organization or entity (also known as processor in the regulation) perform the processing of personal data on your behalf, you must ensure that they, too, are compliant with the requirements of the GDPR. They are not, however, responsible for the data protection by design obligations.
The data protection by design obligations are now a legal requirement under Article 25 of the GDPR, which specifies that:
“…the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”
Additionally, the regulation introduces the concept of Privacy by Default, which further demands the protection of personal data as a default property of systems and services:
“The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.”
In short, the regulation obliges you to implement technical and organizational measures (e.g., pseudonymization) so that only the personal data necessary for each specific purpose of the processing are processed, and only for as long as they are needed.
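As an added illustration of the three measures Article 25 names, pseudonymisation, data minimisation and a limited storage period, the following Python example (written for this page, not code from the regulation or any assessment scheme) keeps a small purpose register and applies it to a constructed registration record. The register structure, the purposes, the field names and the retention periods are assumptions for the example. Direct identifiers are replaced with an HMAC-SHA256 pseudonym whose key is the "additional information" that GDPR Article 4(5) requires to be kept separately from the data.

```python
"""Purpose-bound data minimisation, pseudonymisation and retention checks.

Added example for this article; the purpose register below is an assumed
structure, and all sample values are constructed.
"""
import hashlib
import hmac
from datetime import date, timedelta

# Constructed sample input: one record as a registration form might submit it.
RAW_RECORD = {
    "email": "alice@example.com",
    "full_name": "Alice Example",
    "date_of_birth": "1990-04-12",
    "phone": "+31 6 12345678",
    "newsletter_opt_in": True,
}

# Assumed purpose register: for each purpose, the fields that are necessary
# (Art. 25(2): amount of data) and how long they may be kept (period of storage).
# Any field or purpose not listed here is denied by default.
PURPOSES = {
    "newsletter": {"fields": {"email", "newsletter_opt_in"}, "retention_days": 365},
    "age_check": {"fields": {"date_of_birth"}, "retention_days": 1},
}


def minimise(record: dict, purpose: str) -> dict:
    """Return a copy of `record` holding only the fields registered for `purpose`."""
    if purpose not in PURPOSES:
        raise ValueError(f"no registered purpose: {purpose!r}")
    allowed = PURPOSES[purpose]["fields"]
    return {k: v for k, v in record.items() if k in allowed}


def pseudonymise(identifier: str, key: bytes) -> str:
    """Replace a direct identifier with a keyed hash (HMAC-SHA256).

    The same identifier and key always yield the same pseudonym, so records can
    still be linked within one dataset; without the key the identifier cannot be
    reconstructed. The key must live in a separate system (e.g. a KMS), never
    beside the pseudonymised data.
    """
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def prepare_row(record: dict, purpose: str, key: bytes) -> dict:
    """Minimise a record for `purpose`, then pseudonymise its e-mail address if present."""
    row = minimise(record, purpose)
    if "email" in row:
        row["subject_id"] = pseudonymise(row.pop("email"), key)
    return row


def retention_expired(stored_on: date, purpose: str, today: date) -> bool:
    """True once the storage period registered for `purpose` has elapsed."""
    days = PURPOSES[purpose]["retention_days"]
    return today > stored_on + timedelta(days=days)


if __name__ == "__main__":
    # Constructed demo key; a real deployment would fetch this from a key store.
    demo_key = b"constructed-demo-key-do-not-use"
    print(prepare_row(RAW_RECORD, "newsletter", demo_key))
    print(retention_expired(date(2020, 1, 1), "age_check", date(2020, 1, 3)))
```

Two design points are worth noting. The register is default-deny: a field or purpose that nobody has justified is dropped or rejected rather than silently collected, which is what "privacy as the default setting" means in code. And a keyed pseudonym is still personal data under the GDPR, because whoever holds the key can re-identify the subject; the gain is that a leak of the pseudonymised dataset alone, or an analyst with access to it alone, does not expose the identifier.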
What is the best thing to do?
Given that our world has become a global village, the chances that you have European residents registered in your systems or databases are very high. So, probably the best thing to do is to check your compliance with the GDPR, conduct assessments, and make sure that you do not commit any personal data breach. Besides demonstrating commitment, as an organization you will show respect for your customers’ rights and freedoms and consequently increase their satisfaction.
Privacy by Design in the New Decade
Following its international acceptance as a legal requirement by the International Assembly of Privacy Commissioners and Data Protection Authorities, many countries and companies in both the public and private sectors recognized the importance of adopting and incorporating Privacy by Design into their business activities.
In 2012, the U.S. Federal Trade Commission (FTC) issued a report calling on companies to implement best practices for handling customer information, among them Privacy by Design, and went on to include it as a key pillar in its Final Commissioner Report on Protecting Consumer Privacy. Privacy by Design has also been adopted by the Commissioner for Privacy and Data Protection for the State of Victoria (CPDP) in Australia as a core policy for information privacy management in the public sector.
In 2014, the European Union Agency for Cybersecurity (ENISA) issued its first Report on Privacy and Data Protection by Design, following a more detailed Report on Privacy by Design in Big Data, which aimed at examining Privacy by Design strategies and tools.
Privacy by Design and Privacy by Default were also included in the Mauritius Declaration on the Internet of Things, made at the 36th International Conference of Data Protection and Privacy Commissioners. On January 1, 2020, the California Consumer Privacy Act (CCPA) came into effect. The first law of its kind in the U.S., the CCPA regulates how businesses worldwide handle the personal information of California residents, with the purpose of enhancing privacy rights and consumer protection. Efforts were made in the private sector too, including by Sidewalk Toronto, Microsoft, Deloitte, and others. The list is lengthy.
The good news for all professionals around the world is that ISO is also working on the development of a new standard (ISO/AWI 31700) on Privacy by Design for consumer goods and services.
Recently, PECB MS has partnered with KPMG Canada to conduct Privacy by Design assessments. KPMG assesses an organization’s product, service, process, or system using an assessment methodology structured around the 7 Foundational Principles of Privacy by Design, international privacy legal requirements (e.g., the GDPR), privacy and security standards, and industry best practices. PECB MS then reviews KPMG’s Privacy by Design Assessment Report and, if satisfied against its own criteria, issues a Privacy by Design Certification Seal for the organization’s product, service, process, or system. The seal serves as proof of compliance and commitment, helping the organization gain competitive advantage and customer trust.
“Prevention is always better than correction.”
With the ever-growing advancement of technology and the usage, collection, and retention of personal information, making a privacy comeback in 2020 is a win-win for both organizations and users. Fostering trust and building relationships with your customers by embedding privacy into the design of systems and the conduct of business operations will offer you opportunities to meet market demands and provide a better online experience for all internet users around the globe.