Privacy by Design with GDPR EU Regulations
Wikipedia describes privacy by design as ‘not about data protection’ but instead ‘designing so data doesn’t need protection’, with the ‘root principle based on enabling service without data control transfer from the citizen to the system’.
For example, GPS on your mobile can detect its geographical location without giving that data or your identity away.
What does privacy by design mean in the context of the GDPR?
Privacy by design is a new requirement introduced by the GDPR. The earlier EU Data Protection Directive does not refer to the concept. This means that data controllers will have to take the necessary actions to protect personal data before the GDPR comes into force in May 2018.
What does the GDPR state? Paragraphs 1 and 2 of Article 25 set out Data Protection by Design and Data Protection by Default.
- Paragraph 1: Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
- Paragraph 2: The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
Companies that do not implement privacy by design (social media companies, for example) may show a large gap between their privacy policies and their privacy controls.
In 2016, WhatsApp may have shown this gap when updating its Terms and Conditions. Users had to agree to share their personal data with Facebook companies, and many would not have seen the option to opt out of sharing their WhatsApp data to improve ‘Facebook ad targeting and product experiences’, because it was hidden.
What are the principles of privacy by design?
The ICO gives a useful initial summary, encouraging “organisations to ensure that privacy and data protection is a key consideration in the early stages of any project, and then throughout its lifecycle. For example when:
- building new IT systems for storing or accessing personal data;
- developing legislation, policy or strategies that have privacy implications;
- embarking on a data sharing initiative; or
- using data for new purposes.”
- Proactive not reactive; preventative not remedial.
- Purpose specification – explaining to users how personal data is collected, processed, retained and disclosed.
- Collection limitation – fair, lawful and limited to that which is necessary (this also applies to data processing, retention and disclosure).
- Data minimisation – non-identifiable interactions and transactions as the default. Wherever possible, the identifiability of personal information should be minimised.
Users should be aware of their right to:
- prevent processing for direct marketing;
- object to decisions being taken by automated means;
- claim compensation for damages caused by a breach of the Act.
Respect for User Privacy
Privacy by design will ensure that companies obtain marketing consent from users in a way that is:
- unambiguous – without pre-ticked boxes, i.e. the user must actively tick to opt in;
- granular – with separate consent for each different type of processing;
- named – your organisation and any third parties who will rely on the consent should be identified;
- reversible – tell people they have the right to withdraw consent and explain how to do it.
How Will the EU Enforce Privacy By Design?
The GDPR states that voluntary and transparent certification will be available through an appropriate certification body. It is not yet clear which body this will be.
Although privacy by design is still an unclear concept, and may seem insignificant when compared with other parts of the GDPR, it is clear that organisations must adopt it. This commitment will show that organisations are working towards full compliance.