Privacy by design & default (PbD) is a concept developed to ensure the highest levels of privacy is given to users and customers of products and services, while ensuring that a business is able to develop products and services that will be successful.
This summary guide provides details of the key characteristics of PbD, the benefits for business and how to put PbD into practice.
PbD is based on a series of principles that can be applied to the design phase of projects, from mobile applications to digital publications and almost any business practice or policy. PbD has the following characteristics:
• Privacy is the default mode of thinking
• Privacy is embedded into the design of projects
• Privacy can be “win-win” scenario (i.e. the adoption of a mindset by all stakeholders that privacy can help a project to succeed and that is compatible with all other positive objectives. As a result it is actively encouraged)
• Privacy is present in the entire life-cycle of a project/policy
• Privacy is obvious to all internal and external stakeholders. The project is transparent about the way that it achieves its goals (promoting trust, and engagement)
• Respect for the privacy of users is a fundamental belief In practice
• Ultimately PbD is proactive, engaging with projects to achieve a win-win outcome for both privacy and the business
Benefits for business
PbD leverages privacy as a competitive advantage. By implementing PbD it is possible to improve user trust, creating increased loyalty that often leads to greater amounts of data being provided and better sales growth (A Direct Marketing Association UK study found that 58% of people view trust as the most important factor when deciding to give out data). Other benefits include:
• Creates a long lasting USP
• Identifies privacy & compliance issues at the design stage
• Reduces costs of rectifying potential privacy issues
• Safeguards against future regulatory requirements
• Develops a positive organisational culture
• Facilitates compliance goals
• Acts as an early warning system to risks
• Demonstrates the commitment of an organisation to protect customers, building brand integrity
• Helps drive the strategic aims of the business
Putting PbD into practice
There are both formal and informal ways PbD can be implemented. Formally PbD can be introduced into the design process of a policy or project through the use of a Privacy Impact assessment (PIA) that assesses the potential risks to privacy of a project and flags these issues. PIAs are often integrated with the usual risk assessment processes that take place. In practice a PIA can be simple or complex, depending on the scope of the project and can be suited to the needs of the business. The main idea behind a PIA is to find ways to mitigate risks that enhance the project, not inhibit it. Formal methods will always be the most effective ways of utilising PbD but there are informal methods too.
Other ways to put PbD to work:
Understanding that PbD is a huge asset in your arsenal is the first step. From there it will naturally crop up at the planning stage of a project which involves the processing of personal data because it makes sense to include it. However, the steps below can help to implement PbD on an informal level:
• Assign a project member to act as the privacy champion, whose role it is to assert the right to privacy
• Encourage a positive “win-win” scenario by embracing all positive objectives of the project. Privacy is a positive, find ways to put it to work for the overall benefit of the project
• Integrate privacy ‘what ifs’ into the usual risk assessment process and at every major step of the project. Make it an iterative process
• Engage internal and external stakeholders to assess the risks they perceive. Their views will be key to decision making
• Utilise privacy enhancing technologies (PETS) like anonymisation techniques, authentication processes. These can be implemented from the start of a project and significantly reduce any negative privacy impact
Published March 2014
Copyright DP Network
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance to the Data Protection Act 1998 or other statutory measures referred to in the document.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.