Privacy-By-Design… We can hear you groaning already!
If you have absolutely anything to do with handling private data in your organisation then we’re sure the 25th May 2018, the day GDPR came into force, has been indelibly burned into your mind.
Companies, organisations and businesses were scrambling to secure their data to comply with the new regulations (and you’d be surprised how many still are), but it didn’t have to be that difficult.
That’s where Privacy-By-Design steps in to help…
What Is Privacy-By-Design?
Privacy-By-Design is an approach to creating a system that empowers data protection, privacy compliance and an individual’s right to privacy from the get-go.
Under Privacy-By-Design, protecting and anonymising data isn’t something that’s just bolted on at the very end of a project (if at all). Instead it becomes an integral part of both the current project and your organisation’s culture going forwards.
It’s worth noting here that although Privacy-By-Design isn’t specifically called for under GDPR, the benefits of implementing it within your organisation will be immeasurable when conforming to Data Privacy legislation (we’ll come back to this point at the end of this article).
Problems with Privacy-By-Design come when attempting to implement it with older, less secure systems.
Many organisations still struggle with legacy issues when introducing the principles of Privacy-By-Design and that’s where the experience of a privacy specialist partner can prove invaluable (*cough, shameless cloudThing plug, cough*).
The reason organisations struggle is that a lot of older systems can’t enable or support the modern data security best practices that help maintain the confidentiality, integrity and availability of data.
The solution then becomes one of either adding patch over patch to make it work, or stepping back and seeking a way to integrate it into those same legacy systems that mitigates data breaches and keeps your organisation compliant with GDPR (or whichever legislation is applicable to your region).
Privacy-By-Design’s Foundational Principles
Privacy-By-Design can, perhaps, best be defined by looking deeper into each of its seven foundational principles…
- Proactive Not Reactive; Preventive Not Remedial – Any approach to Privacy-By-Design should be proactive, not reactive. Rather than responding to privacy concerns as they occur, a Privacy-By-Design enabled system should try to anticipate and then prevent any invasive practices before they occur. It’s not there to help you respond to risks or breaches once they’ve occurred; its purpose is to make sure they don’t occur in the first place.
- Privacy As A Default Setting – A Privacy-By-Design system should put an individual’s privacy first (the clue’s in the name!). If an individual does nothing, their privacy should still remain intact without having to sign in, opt out, re-register or unsubscribe. The individual’s privacy needs should come first, by default, never as an afterthought.
- Privacy Embedded Into Design – Privacy-By-Design shouldn’t just be a cultural goal for your organisation. It should be embedded into the very design and Business Architecture of your IT systems and entire organisation. It should never be seen as a nuisance or a reactive protocol but instead a core component of all your Business and IT architecture.
- Full Functionality; Positive-Sum, Not Zero-Sum – Any Privacy-By-Design system that you implement in your organisation should, by default, seek to support all legitimate interests and goals your organisation has in a positive-sum (or win-win) manner. Conversations should never be held about trade-offs regarding goals, functionality or privacy (a zero-sum approach). Privacy-By-Design skips over any seemingly contradictory goals, such as privacy vs security, instead making sure both are possible to achieve in a complementary fashion.
- End-To-End Security: Full Lifecycle Protection – Privacy-By-Design isn’t a one-time thing that an organisation can just ‘do’ then move on. It’s something that should extend throughout the lifecycle of the data you hold and the systems you hold it on. It should ensure that your systems are compliant for the entire lifecycle of the data you hold, erasing it in a timely fashion as well as ensuring your system stays private and secure with any future updates you might implement.
- Visibility & Transparency; Keep It Open – Privacy-By-Design should give an organisation confidence in their business practices, technology and culture. Confidence that they’re being operated in a way that aligns them with the organisation’s goals whilst providing complete transparency to both staff and end users alike.
- Respect For User Privacy, Maintain A User-Centric Perspective – Before anything else though, Privacy-By-Design should require all Business Architects involved with an organisation (both internal and external) and system operators to keep the interests of the end-user at the forefront of their mind.
Why Is Privacy-By-Design So Important?
As we’ve already mentioned, Privacy-By-Design isn’t (yet) necessary to be GDPR compliant.
However, implementing a Privacy-By-Design culture within your organisation will help you both be, and stay, compliant much more successfully than any other method.
It’s a powerful tool in both mitigating potential GDPR breaches and building trust with the public.
Creating a Privacy-By-Design system that places privacy above all else has multiple benefits, including…
- It helps identify privacy risks early, allowing developers to adapt and change your systems to address issues before they become organisation-wide (and thus much more costly to fix).
- It will increase awareness of data protection, GDPR and privacy in general across your organisation, helping with brand reputation.
- It will have immeasurable benefit in showcasing how your organisation has met its legal obligations should you be called upon to demonstrate them, either by the ICO after a Data Breach or by a potential new client undertaking due diligence.
Ultimately GDPR will continue to evolve (and more and more countries will adopt similar legislation if they haven’t already).
Privacy is going to be the key issue that concerns consumers in the coming years.
Instead of adapting to new regulations as and when they become law, Privacy-By-Design allows your organisation to get ahead of that and focus on more important goals by future-proofing your business now, something we at cloudThing refer to as Build Future.
We talk a lot about Big Data, Machine Learning, Deep Learning and Artificial Intelligence, and in the coming years those terms will become standard for most sectors and industries. They are, however, going to open an organisation up to a world of hurt if it hasn’t yet sorted out protecting an individual’s right to privacy.
That’s why Privacy-By-Design is the solution you need; if not now, then soon.