Privacy by design and by default
April 13 2023
The implementation of the General Data Protection Regulation (GDPR) may lead enterprises to see privacy as a regulatory burden and to focus primarily on compliance methods. Protecting private information has significant and obvious implications for everyday life, and a company-wide approach is key to successfully building a privacy culture. MyData-TRUST can assist your company in applying these methods. Let’s take a look at what “Privacy by Design and by Default” means and how our services can help you.
The GDPR introduced two key principles for future project planning: Data Protection by Design and Data Protection by Default. While both principles have previously been suggested as good practices, they are now established in law under Article 25 of the GDPR. Data Protection by Design and by Default principles apply solely to data controllers. However, manufacturers of products and services that use personal data are encouraged to implement these principles.
Data Protection by Design
Data Protection by Design requires early incorporation of data privacy considerations into project design. As a result, Privacy and Data Protection are embedded as core system functionalities in addition to what the system was built to do in the first place. Organizations have to understand how Data Protection by Design works in the GDPR and implement its principles. MyData-TRUST can help you with this by training your team and giving you the opportunity to consult our Data Protection Officers, who have extensive experience in a variety of sectors (legal, IT, life sciences). Respecting the Data Protection by Design principle requires organizations to have appropriate technical and organizational measures designed to implement the Data Protection principles effectively and to integrate safeguards into the processing to comply with the GDPR’s requirements and protect individual rights.
Data Protection by Default
Data Protection by Default means that once a product or a service is released to the public, the strictest privacy settings should be applied by default, with no user input required. Data Protection by Default requires data controllers to process only the personal data required for each purpose. In addition, personal data should only be kept for the amount of time necessary to provide the product or service. This principle is linked to the fundamental Data Protection principles of data minimization and purpose limitation.
To better understand the underlying concepts of Privacy by Design and by Default, consider the Seven Fundamental Principles of Privacy by Design that were established in writing in 2009. Although privacy by design is not necessarily equivalent to data protection by default, these fundamental principles can nonetheless underpin any approach.
The seven principles are as follows:
- Proactive rather than reactive; preventative rather than remedial: Businesses should always aim to prevent privacy issues, rather than reacting to them as they happen. One way to do this is to conduct regular risk analyses to identify potential privacy and data risks and their impact on the business. MyData-TRUST specializes in carrying out Data Protection Impact Assessments (DPIAs), which help build data processing systems that respect data privacy by using a structured methodology for assessing the risks involved with an activity. The DPIA assists in demonstrating the company’s GDPR compliance and records the approach taken to Data Protection by Design and Default.
- Privacy as the Default Setting: Any system or process in an organization must be designed so that privacy and data are protected. When collecting data, ensure that you have legal grounds for any data collected, only collect data that is required, and delete any data that is no longer needed or used.
- Privacy Embedded into Design: When designing new processes or activities, privacy and security should be just as important as the business goals.
- Full Functionality – Positive Sum, not Zero Sum: This means that it makes no sense to add additional security measures after designing a new process. This would make security feel more like an afterthought. By working with privacy and security from the start, the idea is to create a win-win situation: privacy and efficiency, privacy and functionality.
- End-to-End Security – Full Lifecycle Protection: This principle reiterates that data protection measures should be implemented proactively, before any information is collected. Moreover, these measures should be maintained throughout the entire data lifecycle, until the data is destroyed securely and in a timely manner at the end of the process. Therefore, data protection should be the default at every stage of the lifecycle.
- Visibility and Transparency: A business should be open and transparent to the people that it collects data from and inform them about what data is collected, for what purposes, how it is processed, how protection is ensured, what their rights are, and the possibility to ask questions and file complaints. Essentially, this boils down to having a clear and understandable Privacy Notice.
- Respect for User Privacy: It is important to always try to keep the interests of the user in mind when designing systems and practices. Design them in a clear, user-friendly way that provides users with strong privacy defaults, appropriate notice, and a clear overview of their collected data. This principle also refers to the fact that the user always remains the owner of their data. In the end, a business is just “borrowing” customer data, and customers should be able to withdraw their consent for this at any time.
Finally, designing systems and processes that respect Privacy by Design and by Default offers numerous benefits, such as increased Data Protection in the organization, a reduced likelihood of data breaches, and knowledge of what data the organization holds, which makes it easier to map and control the data (keeping it up to date as required) and to delete or archive legacy data according to its retention period.
We are here to support you
MyData-TRUST’s goal is to provide strategic, operational, and organisational support, thereby contributing significantly to the success of the Data Protection implementation. From data protection impact assessments, transfer impact assessments, creating and reviewing procedures, GDPR training, and every other privacy practice in between, our company can help you build a culture of privacy that respects the core values of Data Protection by Design and by Default.