Privacy by Design: 7 Important Principles
Many businesses are reactive when it comes to data privacy, which was highlighted by the recent enactment of the General Data Protection Regulation. We see that when a new privacy regulation or law is enacted, many businesses have to scramble to make their products and practices compliant before an often fast-approaching deadline. Certain aspects of compliance, like updating a privacy policy or adding a cookie banner to your website, are straightforward changes. What can be more difficult is trying to apply privacy fixes to a product that has already been fully designed and released, especially when that product is a software program or technology-based application or service. Patches and workarounds after the fact are often not as effective, and in some cases can be difficult, or nearly impossible, to actually implement.
Unfortunately, not much can be done to fix a previously designed product except to apply these patches or workarounds. But moving forward, a framework called Privacy by Design can help alleviate these problems in the future, and will ensure that your products and practices remain privacy compliant.
Privacy by Design was a concept proposed by Dr. Ann Cavoukian, a leading privacy expert and the head of Ryerson University’s Privacy by Design Centre of Excellence in Canada. Privacy by Design aims to guide organizations to include privacy from the initial design stages of a new product. By merging privacy with the design of a product, good privacy can be ensured from the start. Using this framework will not only help with future privacy laws; the GDPR specifically requires organizations to consider it as they design products.
Privacy by Design is set around seven foundational principles, which I’ll talk about below:
- Proactive not reactive: preventative not remedial
Privacy by Design aims to have organizations become proactive about data privacy by identifying privacy concerns before they happen, rather than only reacting to concerns or problems after the fact. This will reduce the risk of a major privacy issue occurring, and help reduce some of the organization’s workload in the long run.
- Privacy as the default setting
Privacy by Design seeks to ensure that an individual’s data privacy is always protected as the default; an individual should not have to act themselves to protect their privacy. By having good privacy already built into a system, you can always be sure that a customer using your product has all of the appropriate pieces in place to protect their personal information, while keeping in line with the law.
- Privacy embedded into design
Privacy should be a consideration from the initial stages of a product’s development and design. This makes privacy a core component of the product’s functionality. By starting early with privacy, you ensure that the product is privacy-compliant from the get-go, and you eliminate the need for patches or add-ons in response to privacy concerns. You also won’t end up giving up functionality in exchange for privacy.
- Full functionality: positive-sum, not zero-sum
In the past, many companies saw privacy through a zero-sum approach, where privacy would be maximized only at the expense of other aspects of the product, e.g. privacy versus functionality, privacy versus security, etc. You could only have privacy if you sacrificed something else. Privacy by Design tells us that we can have privacy and everything else in more of a positive-sum, ‘win-win’ situation. By using Privacy by Design, all aspects of the system, including privacy, can be improved and maximized. For example, functionality doesn’t have to suffer with increased privacy protection if you design your functionality with privacy in mind. It is always possible to include privacy and have both sides win.
- End-to-end security: full lifecycle protection
Security is an important aspect of data privacy: without good security, the information you hold cannot be protected, and personal information is put at risk. Privacy by Design ensures that good security is present for the data in question throughout its entire lifecycle, from collection to deletion.
- Visibility and transparency: keep it open
Making sure your customers and employees are informed of your organization’s privacy practices is important. By being open about privacy, you are demonstrating that it is important to your organization and that you can be trusted with personal information. It also shows that you have nothing to hide from your customers.
- Respect for user privacy: keep it user-centric
In the end, personal data ultimately belongs to the individual it came from. A company is only granted the permission to use this data in well-documented and transparent ways. Giving individuals user-friendly options and robust privacy settings will promote the interest of the individual, while upholding their privacy rights. As always in business, it really is all about the customer.
By applying these seven principles, companies can design better products that are privacy compliant. You can avoid the mad-dash towards compliance every time a new law is put in place; just because you survived the GDPR doesn’t mean you’ll be ready for the next law or regulation that comes out! This also means that you are giving your customers the best possible product, and one that will better protect their privacy. In the digital world today, people are looking for companies they can trust with their data, and following Privacy by Design principles will go a long way toward that.
More information about Privacy by Design can be found from the Ryerson University Privacy by Design Centre of Excellence.
Luke Henderson is privacy officer at Velsoft Training Materials.