Privacy By Design Principles and Practices
Introduction
What Is Privacy by Design?
Today, privacy is not only an ethical imperative, but also a basic human right. And Privacy by Design is a way of reinforcing that human right.
Privacy by Design is the concept of building privacy into everything we do. In our interconnected world, where personal information is shared freely, privacy is more important than ever.
Inherent in the concept of Privacy by Design is the feature of Privacy by Default, which means that the strictest privacy settings should apply by default to business activities and processes, without any action required from the end user.
New Requirements
While Privacy by Design is not a new idea, the General Data Protection Regulation (GDPR) makes it a legal requirement (as well as Privacy by Default, which is treated as a distinct element under the GDPR). Any business that falls under the scope of the GDPR is required to implement a Privacy by Design strategy and adhere to its seven foundational principles and the ten Fair Information Practices (FIPs) associated with it.
Principles and Practices
The Foundation Principles
There are seven foundational principles relating to Privacy by Design:
- Proactive Not Reactive; Preventative Not Remedial
- The starting point for Privacy by Design is the recognition of the value and benefits of proactively adopting strong privacy practices. Privacy by Design anticipates that even strong privacy practices may fail and establishes methods to correct negative impacts before they occur.
- Privacy as the Default Setting
- Privacy is built into IT systems or business practice by default. This doesn’t give individuals a free pass to be careless with data, but it does mean safeguards are already built into the system to keep data protected without requiring any affirmative action of users.
- Privacy Embedded into Design
- Privacy is embedded into—and becomes a natural component of—the design and architecture of everything we do, taking into account the big picture, with all stakeholders and interests being considered. There should be enough creative flexibility to reinvent things if they don’t appear to be working. Business activities and processes that existed before the general adoption of Privacy by Design principles should be reviewed and maintained to ensure the implementation of measures and safeguards consistent with the foundations of Privacy by Design.
- Full Functionality; Positive-Sum, Not Zero-Sum
- Privacy by Design isn’t only concerned with satisfying an organization’s privacy goals; it’s about satisfying all legitimate business objectives, ensuring data is accessible and usable when appropriate. A positive-sum result from Privacy by Design is an indication of its successful application. Leadership in Privacy by Design will be increasingly regarded as a competitive advantage for businesses.
- End-to-End Security; Full Life Cycle Protection
- Privacy by Design extends throughout the entire life cycle of the data it is protecting. This end-to-end approach ensures that information is securely retained, and ultimately destroyed or anonymized, in a timely manner. With respect to security, it is essential that Privacy by Design programs take account of current, state-of-the-art progress in technology.
- Visibility and Transparency – Keep It Open
- Privacy is an enabler of trust, which is why visibility and transparency into protections and policies are essential components of any effective Privacy by Design strategy. A key component of transparency is timely, comprehensible disclosure: prior to disclosing personal information, users should have a fair understanding of what they can expect with respect to the processing of such information.
- Respect for User Privacy – Keep It User-Centric
- Privacy by Design must always be user-centric. The best results are typically those that are consciously designed around the needs of those individuals who have a vested interest in how their personal information is managed. Special consideration should be given to vulnerable classes of users, such as children.
Fair Information Practices (FIPs)
The Global Privacy Standard has one overarching objective: to create a single harmonized set of universal privacy principles. There are ten privacy principles, sometimes referred to as Fair Information Practices (FIPs):
- Consent
- Accountability
- Purpose Specification
- Collection Limitation
- Use, Retention, and Disclosure Limitation
- Accuracy
- Security
- Openness
- Access
- Compliance
The Ethics of Privacy by Design
We’ve looked at the principles and practices associated with Privacy by Design, and now it’s time to consider the ethical importance of adopting them. Privacy must be embedded into every standard, protocol, and process. Why? Principally because privacy is recognized as a human right but also because privacy has evolved from being solely a legal compliance requirement to a market imperative and driving force of trust and freedom in the world in matters of business and otherwise. Embedding privacy in business activities and processes demonstrates accountability, promotes trust and confidence, improves competitive opportunities, and creates reputation advantages.
Privacy By Design and GDPR
Article 25 of the GDPR encodes Privacy by Design and Privacy by Default, and makes it a legal requirement for any business that falls under the law’s scope. However, even if a business doesn’t have to comply with the GDPR, Privacy by Design is still an important approach to embrace because it is an ethical imperative, and it demonstrates an understanding and appreciation of the value of personal information and associated human rights.
Summary
Privacy by Design remains a good idea for your business, even if it isn’t required by law. When properly implemented, it constitutes a competitive advantage, demonstrating that your business recognizes the value of personal information and acknowledges that privacy and personal control of data is an important freedom and basic human right.