Privacy by design (PbD) is a concept that many assume is reserved for academics and the public sector, but they would be wrong! Given the significant emphasis placed on PbD in the draft Data Protection Regulation, it is a management tool that most organisations will have to adopt in future if they are to comply with the law.
I was appointed as an Ambassador for PbD by Ann Cavoukian (Information Commissioner for Ontario, Canada) several years ago for my work on the ePrivacy Directive (the Cookie Law). She said that the work had the key concept of Privacy by Design at its heart but to me it was based on the knowledge that privacy can be a win-win scenario for both consumers and businesses. Give the users the tools they need to protect themselves and they will not only value the choice you give them but they will probably use your services more because they trust you – essentially that is PbD.
How did it come about and how does it work in theory?
PbD is a concept originated by Ann Cavoukian that has spawned a whole new way of integrating privacy into products, business processes and policies. It is based on 7 principles designed to embed privacy into the entire lifecycle of a project (from apps to accountable business practices) and to treat privacy as a positive-sum game (win-win) rather than a trade-off against functionality.
Respect for the privacy of users and consumers can actually allow a business to leverage privacy as a competitive advantage, an effect Cavoukian calls the “Privacy Payoff”.
How can it be used in practice?
PbD can sound intimidating and complex at first. Privacy Impact Assessments (PIAs) in particular can seem like a huge disruption to the process of getting a project off the ground, but that doesn’t have to be the case. There is currently no legal requirement for most organisations to carry out a PIA (the formal part of PbD), and carrying out a full PIA is often not the first step that organisations choose to take.
In the first instance, huge benefits can be gained simply by introducing the concept and principles of PbD into your organisation: namely, that privacy is an objective of the organisation and that it can help drive customer trust, build brand value and improve the bottom line. Distributing information about the principles of PbD to internal stakeholders can help secure management buy-in and foster a positive attitude amongst colleagues.
Another step that many organisations should take is appointing a person to “carry the torch” for PbD. This may be someone in management or someone in the Data Protection function; what matters is that someone owns it. Getting the word out about PbD is a vital step.
Moving beyond the concept
Once you have convinced management and colleagues that PbD will save on costs and improve brand value and customer loyalty, and you have begun introducing the values of PbD to stakeholders across the business, you may wish to apply PbD to a small project to test it out.
The ICO has developed an excellent PIA handbook for organisations to use, and it is a great place to begin. However, it is not a simple process. I would strongly recommend taking the PIA process and adapting it to fit your needs and resources. After all, it is not yet legally prescribed (for most organisations), and adapting the process gives you something that works for your particular organisation, gives you flexibility and, importantly, lets you discover where the PIA process needs to be improved and where the points of resistance are. To start with, choose a project with a relatively small scope, or a business unit that would be most open to extending its risk assessment process to include PbD. From there you can open it up to larger projects and take advantage of economies of scale.
The Seven Principles:
- PbD is proactive, not reactive (anticipate and prevent privacy problems rather than remedy them afterwards)
- Privacy is the default setting (no action is required from the user to protect their privacy)
- Privacy is embedded into design (not bolted on after the fact)
- Full functionality (positive-sum, not zero-sum: all legitimate objectives are accommodated rather than traded off against each other)
- End-to-end security (data is protected throughout its lifecycle, from collection to secure destruction)
- Visibility and transparency (all stakeholders can see what is going on; independent verification is sometimes useful, and an internal DPO can provide this as long as they are sufficiently independent)
- Respect for user privacy (keep the interests of the individual uppermost)
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.