Privacy by design is one of the pillars of the GDPR, but how shall it be done in practice to fully comply with it?
The title of one of my previous blog posts was “The Internet of Things needs privacy by design”. At that time, I meant that in a regulatory environment where it is so uncertain what regulators require of evolving new technologies, such as the IoT, only a privacy by design approach can place a company on a firm footing of GDPR compliance. Indeed, being able to prove that the company
- has run all the tests and reviews necessary to ensure privacy compliance from the very beginning, when a product/service is designed, and
- has reached the reasonable conclusion that privacy is adequately protected
is crucial, especially in the light of the accountability principle, which puts the burden of proving privacy compliance on the investigated party.
Given the relevance of this principle, as part of the series of blog posts on the major changes introduced by the EU Data Protection Regulation (GDPR), here is an article on how to put in place a privacy by design methodology.
No guidelines on privacy by design under the GDPR
There are at the moment no guidelines on how to implement a privacy by design approach, but below are, in my view, the top 6 principles to bear in mind, modelled on the principles originally forged by the Ontario data protection authority, which is the father of the privacy by design approach, and updated in the light of the GDPR. Below is a short summary in my videoblog “Diritto al Digitale” in Italian and a more detailed analysis in English:
1. Adopt a privacy by design proactive approach in the identification of privacy issues
A policy shall be put in place under which
- any IT, marketing or other employee or consultant that is developing any product/service processing personal data within the company or on its behalf shall perform, from the very beginning of the design of the product/service, a screening of the measures intended to be put in place to ensure privacy compliance, which is usually performed by means of a standard form attached to the policy;
- such screening shall be subject to an internal review by all the other stakeholders of the company that will use or contribute to the product/service, including the data protection officer or, in its absence, the internal/external privacy expert;
- the review shall escalate into a privacy impact assessment (PIA) if the product/service is expected to pose high risks for the privacy of individuals or falls within the categories for which the PIA is required under the GDPR; and
- if it appears that the processing through the product/service would result in high risk in the absence of measures taken to mitigate it, a prior consultation with the competent data protection authority shall take place.
The above procedure shall be part of the company’s accountability policy, which shall be outlined to employees and consultants through ad hoc trainings or e-learning programs with final tests to be repeated at least on a yearly basis. This is to ensure that they are “educated” to ensure privacy compliance.
2. Embed privacy into the design
The same internal data protection policy referred to above shall outline the requirements to be followed in the design of products/services from the very beginning, avoiding the frequent scenario where privacy compliance is reviewed only a few days prior to the launch, when no change is possible any more. As mentioned above, this policy shall be notified to and accepted by employees/consultants, who shall be educated to comply with it.
3. Implement an end-to-end security system
Adequate security measures shall be put in place to ensure security during the whole lifecycle of products/services. This requires not only the ability to remotely update devices, but also the guarantee that, when a product is decommissioned, all the data stored on it is deleted with no possibility for anyone to access it. This is particularly relevant in the light of the obligations applicable in case of a data breach under the GDPR.
The reason for this principle is that privacy by design does not apply only during the initial design of the product/service, but during its entire life, with reference to updates/upgrades and events that impact its functioning.
4. Ensure visibility and transparency
Full transparency shall be guaranteed as to how personal data is processed through products/services. This is due also to the higher level of detail of information that the privacy information notice to be provided to users shall contain. In particular, the retention period of the data shall be indicated therein, and organisational and technical measures ensuring that it is complied with shall be put in place.
5. Privacy shall be set by default
Products/services shall be set by default in a manner ensuring the minimum level of sharing of personal data, leaving it to the free decision of customers whether a larger amount of data shall be shared. This also requires compliance with the “data minimisation” principle, under which no more data than necessary to achieve a purpose shall be processed, and with the obligation to pseudonymise data to guarantee their security; privacy by default is one of the backbones of the GDPR principles.
6. Keep a user-centric approach
Users shall remain in full control of their data, which requires that no implied consent is allowed, that they can easily decide and change the amount of personal data they want to disclose, and that they can easily exercise their right of access, their right to be forgotten and their GDPR right to data portability.
The list might be longer, but these are my top 6 principles to ensure a privacy by design approach. What are yours? You can review the other posts of this series and a presentation summarising the privacy by design principles below.