Understanding privacy by design

Feb 10, 2020
The General Data Protection Regulation mandates organisations to embed privacy by design into the development of new initiatives involving the use of personal data. Donal Murray discusses the impact of privacy by design from a practical perspective, and explores its benefits.

The General Data Protection Regulation (GDPR) has changed European privacy rules significantly. The introduction of the concept of privacy by design (PbD) is one of these changes but many organisations have struggled to understand what it entails. For those that have adopted PbD correctly, the burden of GDPR compliance can greatly decrease while also having the potential to achieve operational as well as commercial gains.

What is privacy by design?

PbD is a requirement placed on organisations that must comply with the GDPR. The specific requirement is detailed in Article 25 of the regulation. PbD holds that organisations must consider privacy at the initial design stages and throughout the entire development of new products, processes or services that involve processing personal data. This means that privacy is considered at the earliest stages, which reduces the risk of privacy being bolted onto a system or product later. While this may initially seem complex, it is, in fact, easier to implement than applying privacy considerations after a design is fully developed.

What are the origins of privacy by design?

Although PbD has become a new legal requirement in Europe under the GDPR, the concept is not new. It originated in Canada in the mid-90s and was developed by Dr Ann Cavoukian, a recognised leading privacy expert who held the position of Information and Privacy Commissioner in Ontario for three terms. In October 2010, regulators at the International Conference of Data Protection Authorities and Privacy Commissioners unanimously passed a resolution recognising PbD as an essential component of fundamental privacy protection. It is touched upon in many well-known frameworks; however, many of them have come under much criticism.  

Why should organisations focus on privacy by design?

Privacy by design promotes a privacy-conscious culture within an organisation. If done correctly, it embeds privacy thinking into many aspects of an organisation’s operations. Further, as it focuses on early privacy considerations and checks prior to new products, systems and processes being released, it greatly decreases the risk of non-compliance with the GDPR and enables a sustainable GDPR/privacy-compliant environment as an organisation evolves. 

From an operational perspective, a strong PbD framework can present efficiencies and reduce costs. Consciously considering and planning for the personal data you want to use, the purpose for which you want to use it and how to do this legitimately greatly reduces the chance of discovering at a later stage that embedding privacy is technologically challenging, expensive or even impossible. Knowing what data you want to use at an early stage and being confident in its usage can make the development process more efficient and makes it easier to be transparent to data subjects. Transparency is critical when it comes to earning the trust to collect the data in the first place.

Implementing a robust framework can also present commercial advantages. It is seen as an enhancement to a brand and a key element in building trust with an increasingly privacy-conscious public. 

Implementation

While frameworks exist that cover PbD, many of them are too rigid for real benefits to be realised. The key to implementing PbD is adapting privacy to the business and not forcing a boilerplate framework. PbD is optimally implemented when privacy measures are designed based on the specific ways of working within an organisation. The approach to achieving an efficient PbD implementation consists of three steps: 

1. Identify and understand: In order to tailor privacy measures to an organisation’s operations, it is important to have a detailed understanding of your organisation’s design processes – of which there could be many across different functions. Once you identify the relevant design processes, an exercise should be performed to obtain a comprehensive analysis of the steps involved in each process. If the processes are not already formally defined, it is useful to spend time mapping the design steps as this will support later PbD implementation activities. As well as the design steps, it’s also key that you understand what teams and third parties are involved in executing the process, and the tools and formats (e.g. Excel, Word checklists) used in each. 

2. Evolve: Once the processes and ways of working are fully understood, specific privacy measures should be designed to fit them. The objective of these measures is to ensure that certain privacy topics are considered and assessed at suitable points in the identified processes. These privacy measures could take many different forms. For example, ethical questions built into a design brainstorming session; user stories built into development; or privacy checklists asking a series of questions on the purpose of processing at the initial design stages. These measures are applied to identified steps within your design processes and are designed in line with how the current process works. Tailoring the measures to the current processes allows for seamless integration. Together, this set of measures creates the Privacy by Design Toolkit.

3. Establish: Implement the measures into your design processes and train employees involved in those processes to ensure the measures are understood and executed correctly. While these measures typically do not require significant process change, the main challenge is ensuring that each measure is executed consistently at the required standard. Those executing the measures are typically not privacy specialists, so educating and training individuals is a critical factor in achieving a sustainable PbD framework. 


Think of ethics, not just compliance

There have been many public cases where personal data has been used perfectly in line with the rules, but far outside societal and ethical norms. In a PbD process, measures can be built in to detect cases like these. For instance, the extent to which an idea or initiative may be considered unethical can be gauged by asking a number of questions:

  • Can I explain why I’m going to process this personal data and what I intend to do with it?
  • Would my family and friends be comfortable if their personal data was used in this idea?
  • Would I be happy to explain my idea in the daily news?
  • Does my idea match the values of the company?

Where the answers to these types of questions point towards an attitude of trying to hide the idea from the public eye or not wanting to be part of the data processing, the idea may be unethical and may need to be redesigned.

Compliance

PbD is integral to ensuring compliance with data privacy legislation for numerous reasons. First, because effective PbD involves seeking independent testing of privacy and security controls, it helps to maintain best practices. Second, PbD builds an organisation’s brand by fostering greater consumer confidence and trust (through, for example, better management of post-breach incidents) and, in turn, supports organisations in their quest for a competitive advantage. In a reactive approach, the costs are much greater, such as through class-action lawsuits, the damage to reputation and loss of consumer confidence and trust. 

In summary, PbD reduces the likelihood of fines, penalties and the resulting financial and reputational damage, and ensures that a firm stays ahead of the legislative curve, thereby minimising compliance risk.
 
Donal Murray is a Director in Risk Advisory in Deloitte Ireland, where he leads the Data Privacy Services team.