Privacy by design and by default

Article

Privacy by design and by default

April 13 2023

The implementation of the General Data Protection Regulation (GDPR) may lead enterprises to see privacy as a regulatory burden and to focus primarily on compliance methods. Protecting private information has significant and obvious implications for everyday life, a company-wide privacy culture is key to successfully build a privacy culture. MyData-TRUST can assist your company in fulfilling these methods. Let’s take a look at what “Privacy by Design and by Default” means and how our services can help you.

The GDPR introduced two key principles for future project planning: Data Protection by Design and Data Protection by Default. While both principles have previously been suggested as good practices, they are now established in law under Article 25 of the GDPR. Data Protection by Design and by Default principles apply solely to data controllers. However, manufacturers of products and services that use personal data are encouraged to implement these principles.

Data Protection by Design

Data Protection by Design requires early incorporation of data privacy considerations into project design. As a result, Privacy and Data Protection are imbedded core system functionalities in addition to what the system was built to do in the first place. Organizations have to understand how Data Protection by Design works in the GDPR and implement its principles. MyData-TRUST can help you with this by training your team and giving you the opportunity to consult our Data Protection Officers who have extensive experience in a variety of sectors (legal, IT, life sciences). Respecting the Data Protection by Design principle, requires organizations to have appropriate technical and organizational measures designed to implement the Data Protection principles effectively and integrate safeguards into the processing to comply with the GDPR’s requirements and protect individual rights.

Data Protection by Default

Data Protection by Default means that once a product or a service is released to the public, the strictest privacy settings should be applied by default, with no user input required. Data Protection by Default requires data controllers to process only the personal data required for each purpose. In addition, personal data should only be kept for the amount of time necessary to provide the product or service. This principle is linked to the fundamental Data Protection principles of data minimization and purpose limitation.

To better understand the underlying concepts of Privacy by Design and by Default consider the Seven Fundamental Principles of Privacy by Design that were established in writing in 2009. Although privacy by design is not necessarily equivalent to data protection by default, these fundamental principles can nonetheless underpin any approach.

The seven principles are as follows:

Proactive rather than reactive; preventative rather than remedial: Businesses should always aim to prevent privacy issues, rather than reacting to them as they happen. One way to do this is to conduct regular risk analyses to identify potential privacy and data risks and their impact on the business; MyData-TRUST is specialized in carrying out Data Protection Impact Assessments (DPIAs), which help build data processing systems that respect data privacy by using a structured methodology for assessing the risks involved with an activity. The DPIA assists in demonstrating the company’s GDPR compliance and records the approach taken to Data Protection by Design and Default.
Privacy as the Default Setting: Any system or process in an organization must be designed so that privacy and data are protected. When collecting the data, ensure to have legal grounds for any data collected, only collect data that is required, and delete any data that is no longer needed or used.
Privacy Embedded into Design: When designing new processes or activities, privacy and security should be just as important as the business goals.
Full Functionality – Positive Sum, not Zero Sum: This means that it makes no sense to add additional security measures after designing a new process. This would make security feel more like an afterthought. By working with privacy and security from the start, the idea is to create a win-win situation: privacy and efficiency, privacy and functionality.
End-to-End Security – Full Lifecycle Protection: This principle reiterates that data protection measures should be implemented proactively, before any information is collected. Moreover, these measures should be maintained throughout the entire data lifecycle, until the data is timely and securely destroyed at the end of the process. Therefore, data protection should be the default at every stage of the lifecycle.
Visibility and Transparency: A business should be open and transparent to the people that it collects data from and inform them about what data is collected, for what purposes, how it is processed, how protection is ensured, what their rights are, and the possibility to ask questions and file complaints. Essentially, this boils down to having a clear and understandable Privacy Notice.
Respect for User Privacy: It is important to always try to keep the interests of the user in mind when designing systems and practices. Design them in a clear, user-friendly way that provides users with strong privacy defaults, appropriate notice, and a clear overview of their collected data. This principle also refers to the fact that the user always remains the owner of their data. In the end, a business is just “borrowing” customer data, and customers should be able to withdraw their consent for this at any time.

Finally, designing systems and processes that respect Privacy by Design and by Default offers numerous benefits, such as increased Data Protection in the organization, reducing the likelihood of data breaches, and knowing what data it holds, making it easier to map and control the data (keeping it up to date as required) and deleting or archiving legacy data according to its retention.

We are here to support you

MyData-TRUST’s goal is to provide strategic, operational, and organisational support, thereby contributing significantly to the success of the Data Protection implementation. From data protection impact assessments, transfer impact assessments, creating and reviewing procedures, GDPR training, and every other privacy practice in between, our company can help you build a culture of privacy that respects the core values of Data Protection by Design and by Default.

Angela-Georgiana Cimpoeșu

Data Protection Manager

Nicole Rensonnet

DPO & Onboarding and Continuing Training Lead

Lets Get in Touch

> Back to all news

Cookie	Duration	Description
cookielawinfo-checkbox-necessary	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Necessary".
cookielawinfo-checkbox-non-necessary	1 year	This cookie is set by GDPR Cookie Consent plugin. The cookies is used to store the user consent for the cookies in the category "Non-necessary".
CookieLawInfoConsent	1 year	The cookie is used to store the summary of the consent given for cookie usage. It does not store any personal data
wp-wpml_current_language	1 day	No description

Cookie	Duration	Description
APISID	1 years	Set by YouTube on pages with embedded YouTube video
CONSENT	20 years	To store cookie consent preferences
HSID	2 years	Set by YouTube on pages with embedded YouTube video
hustle_module_show_count-embedded-3	Session	To allow the display of a pop-up
LOGIN_INFO	2 years	Set by YouTube on pages with embedded YouTube video
PREF	2 years	Set by YouTube to store your measured bandwidth; It does not gather information identifying a visitor
SAPISID	2 years	Set by YouTube to store your measured bandwidth; It does not gather information identifying a visitor
SID	2 years	Set by YouTube to store your measured bandwidth; It does not gather information identifying a visitor
SIDCC	1 year	Set by YouTube to store your measured bandwidth; It does not gather information identifying a visitor
SSID	2 years	Set by YouTube to store your measured bandwidth; It does not gather information identifying a visitor
VISITOR_INFO1_LIVE	8 months	This cookie is set by Youtube. Used to track the information of the embedded YouTube videos on a website.

Cookie	Duration	Description
_ga	2 years	This cookie is installed by Google Analytics. The cookie is used to calculate visitor, session, campaign data and keep track of site usage for the site's analytics report. The cookies store information anonymously and assign a randomly generated number to identify unique visitors.
_gat_gtag_UA_135556958_1	1 minute	Google uses this cookie to distinguish users.
_gat_gtag_UA_135556958_2	1 minute	Google uses this cookie to distinguish users.
_gid	1 day	This cookie is installed by Google Analytics. The cookie is used to store information of how visitors use a website and helps in creating an analytics report of how the website is doing. The data collected including the number visitors, the source where they have come from, and the pages visted in an anonymous form.

Cookie	Duration	Description
hustle_module_show_count-embedded-3
inc_optin_popup_long_hidden-1

Cookie	Duration	Description
__Secure-3PAPISID	2 years	Builds a profile of website visitor interests to show relevant and personalized ads through retargeting
__Secure-3PSID	2 years	Builds a profile of website visitor interests to show relevant and personalized ads through retargeting
__Secure-3PSIDCC	1 years	Builds a profile of website visitor interests to show relevant and personalized ads through retargeting
DSID	12 days	To serve targeted advertisements that are relevant across the web
IDE	1 year	To serve targeted advertisements that are relevant across the web
RUL	1 year	Used to determine whether website advertisement has been properly displayed
YSC	session	Set by YouTube on pages with embedded YouTube video

Privacy by design and by default

Privacy by design and by default