Privacy by Design: Evolve Beyond Compliance & Enforce Responsible Use of Data
November 5th, 2023
On September 26, the International Association of Privacy Professionals (IAPP) offered a conference on privacy by design, where the concept of privacy by design was explored. It refers to “data protection through technology design” and emphasizes integrating data protection measures into technology during its creation. This article discusses the importance of privacy by design and its integration with data protection principles, as outlined in the General Data Protection Regulation (GDPR).
Privacy by Design Principles and Implementation
Let us start with the concept of privacy by design. It means nothing more than “data protection through technology design”. Behind this is the thought that data protection in data processing procedures is best adhered to when it is already integrated in the technology when created.
And according to article 25 of the General Data Protection Regulation, or the GDPR, the controller shall, both at the time of the determination of the means of processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization. These measures are designed to implement data protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.
This means that companies must create and implement a compliance strategy through policies and security measures to protect personal data that must be implemented throughout the company and in all its processes. Regarding this obligation, the panel believes that building trust is the most important thing when developing your compliance strategy.
Unfortunately, most of the time, companies put everything right on paper (policies) but in reality they are doing things very differently. This is not a great way to build trust. The important thing is what you do and not what you put in writing. Your policies need to reflect your reality, and this is not rocket science. You only need to put the actions you take to comply with the data protection framework, as well as those to be performed by your internal teams.
Now, to help with the construction of your compliance strategy, the first step that was recommended is to follow the standard ISO 27001 Information security management systems as well as its privacy extension, ISO 27701 Security techniques — Extension to ISO/IEC 27001 and ISO/IEC 27002 for privacy information management. Both standards will help align processes in security, thus facilitating the creation of privacy governance programs.
You can then follow the standard ISO 31700 Consumer protection — Privacy by design for consumer goods and service. This standard is like the house structure for privacy compliance. The document establishes high-level requirements for privacy by design to protect privacy throughout the lifecycle of a consumer product, including domestic data processing by the consumer.
 Intersoft consulting, Key Issues “Privacy by design”, https://gdpr-info.eu/issues/privacy-by-design/
 European Parliament and Council of the European Union, General Data Protection Regulation, 2016, Art. 25.
Guidance for Privacy Professionals
The panel suggested companies to address the standards and to create data-oriented strategies to implement on a system level. This will help them comply with privacy by design obligations from the creation of their systems and/or contracting of third-party services, through to the evaluation of the systems, and this will facilitate the execution of all the standard operational procedures to assure privacy by design.
Another topic that the panel talked about was the responsibility of privacy professionals to advise and guide their companies/clients regarding how to implement privacy by design, and for those professionals who do not necessarily have a tech background, they recommended:
A great way to start advising and guiding your clients is through an assessment. The panel comments that the IAPP has excellent templates for privacy assessments. You can check them online, here some examples:
- Privacy impact assessment report (PIA): https://iapp.org/resources/article/2012-06-22-privacy-impact-assessment-report-template/
- Data protection impact assessment (DPIA): https://iapp.org/resources/article/template-for-data-protection-impact-assessment-dpia/
- Transfers impact assessment (TIA): https://iapp.org/resources/article/transfer-impact-assessment-templates/
Privacy by Design and Artificial Intelligence
Finally, another important topic that was highlighted in the talk was the use of artificial intelligence (AI).
AI is a broad term used to describe an engineered system where machines learn from experience, adjusting to new inputs, and potentially performing tasks previously done by humans. More specifically, it is a field of computer science dedicated to simulating intelligent behavior in computers. It may include automated decision-making.
The panel considered that within the framework of privacy by design and when using AI, two types of scenarios must be separated:
The first one is when you are using AI as a productivity-increasing tool. In this scenario, you need to know who is using AI inside the company and for what purposes, is it based on company premises or is it an external cloud? This is why it is important to implement a policy within your organization to put order, or in some cases, deny the use of certain services. For example, putting personal data in ChatGPT can be a data breach, because it is a public database and you cannot control the use or access to that data.
The second one is when you are incorporating AI in the services that you are offering to your clients. In this scenario you must indicate to the client that you are using AI, and you also need to protect the content generated with AI, because copyright does not protect it. Also, it is important to take into account data ethics, and this may vary depending on the country where you are.
When implementing this type of technology, it is important for internal engineers and solution architects to have a good communication with privacy and legal teams to address personal data implications from the beginning of the project. Look at the technology and see how the privacy is going to apply. This is the way to comply with privacy by design.
A suggestion for privacy professionals is to have tech knowledge and constantly update your knowledge. The IAPP has a new Artificial Intelligence Governance Professional training that teaches how to develop, integrate, and deploy trustworthy AI systems in line with emerging laws and policies.
In conclusion, the talk was quite helpful to understand different points of view in relation to the implementation of privacy by design. It is very important that privacy professionals know how to identify data processing at all stages, so that they can advise on privacy compliance at each stage.
There is no doubt that privacy by design is a tool that facilitates compliance for companies, and that, of course, can save time and effort in unwanted situations such as a data breach or in an audit.
We recommend companies to approach MyData-Trust to receive advice from experts and to create their privacy compliance strategy.
 IAPP, Resource center “Artificial intelligence”, https://iapp.org/resources/article/artificial-intelligence-3/