Privacy by Design

One of the striking aspects of GDPR is not the massive volume written on the subject but what is not said: the relative absence of criticism. Most of the criticism that does exist amounts to half-hearted complaints about the burden compliance will place on organisations, set against a background of experts worrying that loopholes exist. Quite an achievement, that. It was no surprise to see an Economist leader article recently calling for the US to take GDPR as guidance for its own legislation.

One of the reasons that we at Zen are GDPR fans is that it carries the baton of one of the principles we were founded on: Privacy by Design (PbD). The concept of PbD was initially developed by Ann Cavoukian in the late 1990s while she was Information and Privacy Commissioner of Ontario. By 2010 it had been taken up by the global community in the form of the annual assembly of International Data Protection and Privacy Commissioners. Article 25 of GDPR deals with PbD.

As a Data Controller, Data Processor or Application Owner, the amount of advice open to you is almost crippling. It seems to us that every company in the hardware, software or business consulting space is keen to pitch its product or service as the panacea for all of your GDPR worries. We’ll not compete with that and will largely leave them to it. However, here are some thoughts on PbD: why it’s important, what you should be asking your suppliers, and what you should be doing and thinking.

The aim of the PbD Framework is to prevent privacy infractions by anticipating them before they happen, and it rests on 7 Foundational Principles. Under each principle, here are practical measures you can take to ensure it is embedded in your organisation.

Proactive not Reactive; Preventative not Remedial

  • Obtain Senior Leadership commitment to a strong, proactive privacy program.
  • Ensure that concrete actions, not just policies, reflect a commitment to privacy.
  • Monitor through a system of regularly reviewed metrics.
  • Develop systematic methods to assess privacy & security risks and to correct any negative impacts well before they occur.
  • Encourage privacy practices demonstrably shared by diverse user communities and stakeholders, in a culture of continuous improvement.

Full Functionality – Positive-Sum, not Zero-Sum

  • Acknowledge that multiple, legitimate business interests must coexist.
  • Understand, engage and partner – Practice the 3Cs – communication, consultation and collaboration, to better understand multiple and, at times, divergent interests.
  • Pursue innovative solutions and options to achieve multiple functionalities.

Privacy as the Default Setting

  • Adopt as narrow and specific a purpose for data collection as possible – begin with no collection of personally identifiable information at all (data minimization).
  • Minimize the collection of data at the outset to only what is strictly necessary.
  • Limit the use of personal information to the specific purposes for which it was collected.
  • Create technological, policy and procedural barriers to data linkages with personally identifiable information.
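
As an added illustration, not code from the original post or from Zen, here is how three of those defaults look when enforced in software rather than only in policy: a per-purpose allowlist so that only the fields a stated purpose needs are ever stored, a purpose check at the point of use so that data collected for one purpose cannot quietly be reused for another, and a keyed pseudonym as a technical barrier to linking analytics records back to a person. The purposes, field names, key and sample form submission are all constructed for the example.

```go
package main

import (
	"crypto/hmac"
	"crypto/sha256"
	"encoding/hex"
	"errors"
	"fmt"
	"sort"
)

// Purpose names the specific reason data is collected. Each purpose has its
// own allowlist of fields; anything outside the list is never stored.
type Purpose string

// Hypothetical purposes for the example.
const (
	PurposeOrderFulfilment Purpose = "order_fulfilment"
	PurposeUsageAnalytics  Purpose = "usage_analytics"
)

// allowedFields is the per-purpose allowlist (constructed example values).
var allowedFields = map[Purpose]map[string]bool{
	PurposeOrderFulfilment: {"email": true, "postal_address": true},
	PurposeUsageAnalytics:  {"country": true, "plan_tier": true},
}

// Record is what is retained: the purpose is bound to the data at collection
// time so that later use can be checked against it.
type Record struct {
	Purpose Purpose
	Fields  map[string]string
}

// Collect keeps only the fields the stated purpose allows and reports which
// submitted fields were discarded, so over-collection shows up in logs.
func Collect(p Purpose, submitted map[string]string) (Record, []string, error) {
	allow, ok := allowedFields[p]
	if !ok {
		return Record{}, nil, fmt.Errorf("unknown purpose %q", p)
	}
	rec := Record{Purpose: p, Fields: map[string]string{}}
	var dropped []string
	for k, v := range submitted {
		if allow[k] {
			rec.Fields[k] = v
		} else {
			dropped = append(dropped, k)
		}
	}
	sort.Strings(dropped)
	return rec, dropped, nil
}

// Use releases a record's fields only when the requested purpose matches the
// one bound at collection; purpose creep fails closed.
func Use(rec Record, p Purpose) (map[string]string, error) {
	if rec.Purpose != p {
		return nil, errors.New("purpose mismatch: data was collected for " + string(rec.Purpose))
	}
	return rec.Fields, nil
}

// Pseudonym derives a stable identifier for a subject with a keyed hash (HMAC).
// The analytics store holds only the pseudonym; linking it back to the person
// requires the key, which stays with the controller. A plain unkeyed hash would
// not be a barrier, because a known identifier could simply be re-hashed and matched.
func Pseudonym(key []byte, subjectID string) string {
	mac := hmac.New(sha256.New, key)
	mac.Write([]byte(subjectID))
	return hex.EncodeToString(mac.Sum(nil))
}

func main() {
	// Constructed sample input: a form that submits more than analytics needs.
	submitted := map[string]string{
		"email": "a.person@example.com", "country": "GB", "plan_tier": "pro",
	}
	rec, dropped, _ := Collect(PurposeUsageAnalytics, submitted)
	fmt.Println("kept:", rec.Fields, "dropped:", dropped)

	key := []byte("example-linkage-key") // constructed; a real key lives in a KMS
	fmt.Println("pseudonym:", Pseudonym(key, "customer-42"))

	if _, err := Use(rec, PurposeOrderFulfilment); err != nil {
		fmt.Println("blocked:", err)
	}
}
```

The key is what makes the pseudonym a real barrier to linkage: with an unkeyed hash, anyone holding a list of known identifiers could re-hash them and re-link the records, so the key should be held by the controller, never shipped alongside the analytics data, and rotated if it is ever exposed.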

Privacy Embedded into Design

  • Make a Privacy Risk Assessment an integral part of the design stage of any initiative, e.g. when designing the technical architecture of a system, pay particular attention to potential unintended uses of the personal information.
  • Base identity metasystems on the “Laws of Identity,” intended to codify a set of fundamental principles to which universally adopted, sustainable identity architecture must conform.
  • Consider privacy in system development lifecycles and organizational engineering processes. System designers should be encouraged to practice responsible innovation in the field of advanced analytics.
  • Embed privacy into regulatory approaches that may take the form of self-regulation, sectoral privacy laws, omnibus privacy legislation and more general legislative frameworks, calling for an approach guided by “flexibility, common sense and pragmatism”.

End-to-End Security – Full Lifecycle Protection

  • Employ encryption by default to mitigate the security concerns associated with the loss, theft or disposal of electronic devices such as laptops, tablets, smartphones, USB memory keys and other external media. The default state of data, if breached, must be “unreadable.”
  • Deploy encryption correctly and carefully integrate it into devices and work flows in an automatic and seamless manner.
  • Ensure the secure destruction and disposal of personal information at the end of its lifecycle.
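
Added example, not code from the original post or from Zen, showing encryption by default together with the end-of-lifecycle step: each data subject's records are sealed with AES-GCM under that subject's own key, and destruction is done by deleting the key (crypto-shredding), which leaves every copy of the ciphertext unreadable. The in-memory key map standing in for a KMS/HSM and the sample record are assumptions of the example.

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/rand"
	"errors"
	"fmt"
	"io"
)

// Vault holds personal data encrypted at rest with one data-encryption key per
// data subject, so stored values are always ciphertext. The in-memory key map
// stands in for a KMS/HSM (an assumption of this example, not a real service).
type Vault struct {
	keys map[string][]byte // subject ID -> 256-bit AES key
	data map[string][]byte // subject ID -> nonce || ciphertext
}

func NewVault() *Vault {
	return &Vault{keys: map[string][]byte{}, data: map[string][]byte{}}
}

// keyFor generates a fresh random key the first time a subject's data is stored.
func (v *Vault) keyFor(subject string) ([]byte, error) {
	if k, ok := v.keys[subject]; ok {
		return k, nil
	}
	k := make([]byte, 32)
	if _, err := io.ReadFull(rand.Reader, k); err != nil {
		return nil, err
	}
	v.keys[subject] = k
	return k, nil
}

func newGCM(key []byte) (cipher.AEAD, error) {
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	return cipher.NewGCM(block)
}

// Store encrypts plaintext with AES-GCM under the subject's key. The subject ID
// is bound as associated data, so a blob moved into another subject's slot
// fails authentication instead of decrypting.
func (v *Vault) Store(subject string, plaintext []byte) error {
	key, err := v.keyFor(subject)
	if err != nil {
		return err
	}
	gcm, err := newGCM(key)
	if err != nil {
		return err
	}
	nonce := make([]byte, gcm.NonceSize())
	if _, err := io.ReadFull(rand.Reader, nonce); err != nil {
		return err
	}
	v.data[subject] = gcm.Seal(nonce, nonce, plaintext, []byte(subject))
	return nil
}

// Read decrypts only while the subject's key still exists.
func (v *Vault) Read(subject string) ([]byte, error) {
	key, ok := v.keys[subject]
	if !ok {
		return nil, errors.New("no key for subject: data is unreadable")
	}
	gcm, err := newGCM(key)
	if err != nil {
		return nil, err
	}
	blob, n := v.data[subject], gcm.NonceSize()
	if len(blob) < n {
		return nil, errors.New("no usable record for subject")
	}
	return gcm.Open(nil, blob[:n], blob[n:], []byte(subject))
}

// Destroy is crypto-shredding: once the key is gone, every copy of the
// ciphertext (backups included) is permanently unreadable, without having
// to locate and overwrite each copy. The local ciphertext is dropped too.
func (v *Vault) Destroy(subject string) {
	delete(v.keys, subject)
	delete(v.data, subject)
}

func main() {
	v := NewVault()
	_ = v.Store("subject-1", []byte("1 Example Street")) // constructed sample record
	got, _ := v.Read("subject-1")
	fmt.Printf("readable while key exists: %q\n", got)
	v.Destroy("subject-1")
	_, err := v.Read("subject-1")
	fmt.Println("after destroy:", err)
}
```

Crypto-shredding is the practical answer to "secure destruction" once data has been replicated into backups and logs you can no longer enumerate; it only works if keys are kept separate from the data they protect, scoped per subject (or per small group), and their deletion is itself logged and verified.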

Visibility and Transparency – Keep it Open

  • Make the identity and contact information of the individual(s) responsible for privacy and security available to the public and well known within the organisation.
  • Implement a policy that requires all “public-facing” documents to be written in “plain language” that is easily understood by the individuals whose information is the subject of the policies and procedures.
  • Make information about the policies, procedures and controls relating to the management of Personal Information readily available to all individuals.
  • Consider publishing summaries of PIAs, TRAs and independent, third party audit results.
  • Make available a list of data holdings of Personal Information maintained by your organisation.
  • Make audit tools available so that users can easily determine how their data is stored, protected and used. Users should also be able to determine whether the policies are being properly enforced.

Respect for User Privacy – Keep it User-Centric

  • Offer strong privacy defaults.
  • Provide appropriate notice.
  • Consider user-friendly options:
      1. Make user preferences persistent and effective.
      2. Provide users with access to data about themselves.
      3. Provide access to the information management practices of the organisation.

Right now, nobody, whatever they may tell you, can certify or assure that an organisation is GDPR compliant. No certification bodies exist as yet, so be wary of any company offering certainty in this area. The fact is that PbD principles predate and hugely influenced GDPR, and in many ways they are a great stepping stone to the fuller and very daunting checklists that can be found on this site and elsewhere.