What is privacy by design and privacy by default in GDPR?
That’s a big topic, and it can be challenging to understand all the ins and outs. But we’ll go over what privacy means for your company and any technology or GDPR context you might need!
Privacy has many dimensions: economic (the right incentives), social(inclusive measures), political values like free speech, etcetera… So let me start by explaining how each affects the data protection Act differently.
What does privacy by design mean?
GDPR privacy by design is an Article 25 obligation to ensure privacy and data protection in personal data processing activities. The law mandates companies to address privacy and data protection issues in any project, product, service or system design phase. Data protection by design is ultimately an approach that ensures you ‘bake in’ data protection into your processing activities and business practices. In short, GDPR’s Privacy by design can be achieved by:
- Deploying appropriate technical and organisational measures designed to implement data protection principles and,
- Integrate data security safeguards into the processing activities so that companies meet the GDPR’s compliance and protect the rights of their customers.
What does privacy by default mean?
GDPR privacy by default is another obligation of Article 25, which requires companies to restrict their data processing activities only if necessary for a specific goal. In particular, Data protection by default requires business entities to collect data for a legitimate interest, specifying that data before its processing starts, timely inform data subjects before collecting this data, and the only process the data needed for the specific purpose.
This principle also highlights the involvement of data minimisation and purpose limitation, which are the vital requirements of GDPR. In brief, privacy by default can be achieved by:
- We implement data privacy-first procedures and strategies with default systems and business application settings.
- Ensuring a business does not provide the illusion of choice to individuals relating to the data they will process. This means that individuals require no action to maintain their privacy as it is already built into the system by default.
- Limiting the processing activities for any additional data unless the individual provides their consent.
- Make sure that the personal data of any individual is not automatically made publicly available to others unless that individual decides to make it so and,
- Providing individuals with enough controls and options to exercise their rights.
What is the difference between privacy by design and default?
The difference between privacy by design and privacy by default is that privacy by design is the requirement to address privacy in the early designing phase of any product, service, or project. Often this will be at the same time that a data protection impact assessment (DPIA) is handled by the business entities, enabling it to identify and assess the data privacy risks and challenges associated with the product, service or project and how these can be best mitigated.
Privacy by default requires that user settings should have the most privacy-friendly setting as the default setting. Under the GDPR, companies are obligated to implement appropriate organisational and technical measures by default, for example, data minimisation, i.e. only personal data which is necessary for each specific purpose of the processing is processed. For addressing privacy by default, there is a greater importance on employing data minimisation techniques such as pseudonymisation so that only the minimum amount of data required is collected and processed.
To brush up your GDPR quiz knowledge, read our extensive GDPR questions and answers for employees.
Seven foundational principles of privacy by design
The concept of privacy by design contains seven underlying principles that explain how to achieve data privacy compliance in the early stages of any projects, systems or services. These seven principles are as follows:
1. Proactive, not reactive/preventative, not remedial
The first principle, i.e. Proactive, not Reactive/Preventative, not Remedial, states that data privacy needs to come up at the initial stage of the planning process. If an organisation’s robust security measures consist of putting out fire extinguishers and dealing with data breaches, then the organisation is being reactive. This principle sets up the foundation of the rest of the principles by developing a culture of ‘privacy awareness’ across the board.
2. Privacy as the default
The second principle is privacy as default, meaning privacy must be at the forefront of what an organisation does with any data processing. It requires restricting mass data sharing, using data minimisation, deleting data that is no longer in use, and involving personal data processing on a legal basis. It also means using opt-in and opt-out rights for data subjects and data security safeguards for privacy considerations.
3. Privacy embedded into the design
The third principle is the idea about privacy needs and concerns during the designing phase of any project, product, system or service. In other words, data privacy is a core functionality of the product. Organisations should deploy encryption at rest and in transit, authentication and authorisations, testing vulnerabilities and conduct penetration tests regularly. It doesn’t matter if a product satisfies clients’ requirements, as there will be a greater risk if it bears a design flaw that leads to severe security vulnerability.
4. Full functionality
Principle four seeks to accommodate all legitimate interests and objectives in a “win-win” manner, requiring a balance between growth and security. It states that if a business entity reduces privacy functionality, that business is doing it wrong. Adopting appropriate technical and organisational measures to achieve the ideal state of security and confidentiality required by its business infrastructure should be needed. The involvement of data privacy should not overshadow the functionality of the business.
5. End-to-end security
The fifth principle talks about the End-to-End security principle. There is a long debate that data protection follows data throughout its whole lifecycle, i.e. from collection to deletion or removal. Encryption and authentication are the standards at every stage of data processing, but data protection also needs to go beyond other stages. Let us take an example as an organisation that should only collect data they need for a specific purpose and have a legal basis for processing. And when the organisation has achieved that particular purpose and is finished with the data, that organisation should use GDPR-compliant deletion methods for end-to-end data protection. So before collecting any data, the retention period and data deletion mechanism of that data should be decided.
6. Visibility and transparency
7. Respect for user privacy
Finally, principle seven concludes the concept of privacy by design, that everything needs to be done by putting the data subject or customer at the heart of any development process. It means acknowledging that even if a company collects data from their clients or customers, it belongs to them from whom a company have collected.
All data subjects can make requests to access and withdraw their consent for the use of their data. Suppose their data is to be re-used for any other purpose than that for which it was initially collected. In that case, the company needs to inform its customers again of the new purpose of data processing.
Why do companies need to implement this?
The concept of privacy by design can be explained by its name as, after all, who on this planet would want to have their data monitored or get compromised. Well, no one wants that to happen, and for that business, entities need to work pro-actively about designing frameworks or implementing data privacy policies and procedures from scratch.
Privacy by design framework ensures that data protection and security are embedded throughout the entire life cycle of systems and services, from the early design stage through deployment, use and ultimate disposal or disposition.
Data privacy is a major concern these days as of the growing development of regulations and laws in different jurisdictions, namely the US, Europe and Asia. The business that lies in these jurisdictions must comply whether they reside in that specific jurisdiction. The scope of these laws is much more enormous, and any business deals with the data of their consumers, customers or data subjects need to address data protection and privacy mechanisms at some level.
Suppose data privacy is not addressed at the initial stage of any data processing. In that case, there is a chance that companies would require a lot of technical resources and human effort to assess and mitigate privacy risks for the developed projects. Moreover, many businesses would fall under the penalty of significant laws like GDPR if they processed their data and did not put privacy risks on the frontline.
The idea is to build privacy and data protection principles directly into technology, systems and practices at the design phase and default settings, thereby ensuring privacy and appropriate controls from the origin.
Does your business need to implement privacy by design and by default?
To answer this question, an organisation may need to answer the following questions first:
- Are we processing EU or UK residents’ data?
- Does my company come under the direct obligations of GDPR, or does it act as a vendor who receives data from a GDPR-compliant business?
As for the first question, if the answer is yes, then definitely the principle of privacy by design and by default should be addressed in all policies and procedures of that business as it comes under the direct obligations of GDPR and needs to be fully compliant. If not sure on this topic yet, you must learn the eight principles of DPA 2018 & GDPR to understand the requirements.
Discuss your concerns today
Suppose the answer to the first question is negative and the business comes under the second category. In that case, the company may need to comply with the contractual obligations of data privacy. These obligations relate to the data protection and privacy which concerns privacy by design and default at some level. Still, again that is all dependent upon the contractual requirement from the clients.
Even if your assessment reveals your business does not have to comply with the GDPR, Privacy by design is still a good start for achieving data privacy as a good industry practice. Implementing privacy by design exhibits an understanding of the value of personal data both to the business and to the customers. It acknowledges that privacy and individual control over data is a major rights.
How do you implement GDPR privacy by design and default?
As per industrial standards like NIST Privacy Framework or ISO 27701, the following points should be considered a good starting point to implement privacy by design and default:
Obtaining top management support
To make a significant change to the company’s culture in terms of data protection and privacy, organisations need executive-level support. This is truly non-negotiable as top management communication is more crucial if a company is building its privacy program from scratch. Having said that, without the support of top management, the implementation of privacy by design and default is impossible and vague.
Leverage existing security tools and resources to automate the process
The smart strategy to address data protection and safeguard personal data processing is using the existing controls and resources to run the process smoothly. During this process, a company should gradually opt for privacy-enhancing technologies to implement data protection mechanisms within budget.
Learn about the product or service and its privacy requirement
Track down all the products and services that involve personal processing data. Identify the scope of GDPR data processing activities and, based upon the severity of processing, deploy technical controls, i.e. encryption, data minimisation, pseudonymisation and organisational controls, i.e. data retention policy, software development lifecycle policy or procedures.
Assess against the appropriate framework
To run privacy by design and by default mechanisms effectively, it is important to establish an appropriate framework against which companies will assess their data privacy posture. That right framework really depends on the specifics of business needs and organisational structure. Companies may deploy NIST frameworks or ISO based on their needs and budget. Also, suppose the budget allocation or resources are not enough in the area of data privacy. In that case, an organisation may develop their data privacy framework and address privacy by design and default principles in their practices.
Data privacy training and awareness
Employee training is a key to reinforcing privacy by design and default principles and educating staff on their data protection obligations. Highlighting data privacy awareness during onboarding of new hires and annual training is helpful to keep privacy top of mind for employees and to know the company is considering it seriously.
Discuss your concerns today
Some examples of operationalising privacy by design and default
An organisation that deploys data protection by design will:
- Initiate the process of DPIA (data protection impact assessment) when considering a new system, service, product or process that involves processing personal data.
- Implement technologies, tools, and policies to highlight and mitigate the privacy risks identified during the DPIA or PIA (GDPR).
- Write website privacy policies and notices in simple, easy-to-understand language and,
- Inform data subjects with the name and contact details of their data protection officer or the resource responsible for data protection if it has not been appointed.
Privacy by default examples could be:
- Not to be involved in misleading choices, i.e. to ask users to provide their consent if a company is going to process their data anyway using another legal basis.
- Make sure that an individual’s data is not made publicly available to others without consent.
- Giving data subjects a simple, user-friendly method for adjusting their privacy settings and exercising their data subject rights.
- Not to be involved in mass data collections until and unless have a legitimate purpose for the collection and enough resources to safeguard that data.
- Following industry best practices while collecting and storing personal data.
The GDPR aims to give data subjects more power over their personal data and manage their privacy risks with its principles. One of the principles is privacy by design and by default, i.e. the formalisation of the Article 25 GDPR’s requirement.
Implementing the most privacy-friendly option as a default setting will give data subjects a solid choice over which parts of their data can be used. Similarly, incorporating privacy by design during the development phase of services, products or projects is the only way to successfully cater for the data privacy risks.
To begin with the journey of assuming data privacy in business, security measures and privacy controls should be embedded into every new product, feature and process that collects and use the personal and sensitive information of data subjects. For small to medium businesses, these procedures provide an opportunity to maximise business reputation and gain data subjects’ trust.