One of the core changes that the GDPR will introduce next year is the concept of 'privacy by design', which wasn't touched upon in the previous Data Protection Act. If you've done a bit of swotting up on the GDPR already, you may have read that implementing privacy by design isn't a requirement of the act, as such – more of a recommendation. However, that doesn't mean you should ignore it, as it could make complying with your obligations easier, and help you build a more secure and sustainable business in the long run. So, what is it and how can you do it?
The wording of the GDPR is ambiguous, to say the least, but the Information Commissioner's Office (ICO) has put forward a much clearer description of privacy by design, which is "an approach to projects that promotes privacy and data protection compliance from the start." It is believed to have come from the concept of 'value sensitive design', which takes human values into account throughout the entire design process, building inherently secure systems and processes, rather than bolting protection on retroactively.
So, privacy by design would come into play if you were installing a new IT system, implementing a data sharing initiative or, as a start-up, it would form an integral part of building your business from the ground up. The benefits of taking this approach are numerous, not only helping you to comply with the GDPR, but also enabling you to identify potential privacy issues earlier, address them in a simpler and less costly way, while also encouraging innovation and protecting your business reputation.
Seven foundational principles
To understand this in more detail, seven 'foundational principles' of privacy by design have been established by The Information & Privacy Commissioner of Ontario (IPC), which are designed to help businesses introduce the approach. They are:
Proactive not reactive – preventative not remedial: So, you should aim as much as possible to anticipate and prevent data privacy risks before they happen. On the flipside, you shouldn't wait for risks to materialise or take action after privacy infringements have occurred.
Privacy as the default setting: Customer information should be automatically protected by IT systems and processes. In other words, if an individual does nothing, their data should be protected. This is in keeping with the GDPR's 'opt in vs opt out' stipulation.
Embed privacy into design: This is the point about privacy being integrated into technology and systems from the beginning, not bolted on afterwards. It should be an essential component of the core functionality being delivered.
Retain full functionality (positive sum not zero sum): Privacy by design aims to avoid unnecessary trade-offs, whereby functionality or security suffers as a result of privacy – or vice versa. So, your product or service should work just as well with privacy incorporated – it should be a win-win for all objectives.
Ensure end-to-end security: This refers to the need for privacy to extend throughout the lifecycle of the data involved. It should be obtained, retained and destroyed with privacy concerns in mind.
Maintain visibility and transparency – keep it open: Processes and operations should be visible and transparent to users and providers, giving reassurance that data is being treated in compliance with regulations and best practice.
Respect user privacy – keep it user-centric: And finally, systems and processes should always be designed in the interests of the user, with privacy defaults, appropriate notice and user-friendly options.
The role of a Privacy Impact Assessment
One of the main tools in a privacy by design approach is a Privacy Impact Assessment (PIA), which should be carried out at the beginning of any project involving personal data. The idea is to analyse the impacts that the project will have on the privacy of the individuals involved, looking to minimise these as much as possible, while also complying with the seven principles above. According to advice from the Information Commissioner's Office, a PIA should involve:
Plotting and analysing information flows: How information will be obtained, used and stored as part of the project.
Identifying any privacy and related risks: These could be risks to individuals as well as risks to organisations through regulatory action or reputational damage.
Identifying and evaluating solutions for overcoming or removing those risks: Analysing the impact on privacy, the project outcome and the cost involved.
Consulting with people who will be working on or affected by the project: This could be internal and/or external audiences, enabling them to highlight risks based on their own expertise or perspective.
Working through this process at the beginning of any new project puts you in a good position to bake privacy into its execution, while also aiding compliance with other aspects of the GDPR, such as accountability, which calls for a paper trail around data protection.
Overall, privacy by design requires a shift in mindset and approach, which puts privacy front and centre of how organisations operate. It might not come easily to begin with, but with the data mountain continuing to grow, and organisations facing increasing penalties and reputational damage for shirking their responsibilities, the future of your business could depend upon it.