
Privacy by Design

What is Privacy by Design [PbD]?

Privacy by Design is an approach to building systems and business processes that takes privacy into account from the start of the design process rather than as an afterthought. In practice it means that every stage of personal data handling (collection, processing, storage and destruction) is designed to protect privacy.

Privacy by Design is about "baking" data protection into your processing activities and business applications at the design stage. Under the GDPR this is a legal requirement: you must implement appropriate technical and organizational measures that give effect to the data protection principles and protect individuals' rights effectively.

This is called "Data protection by design and by default." (GDPR Article 25)

How can your business comply?

Data protection by design requires you to consider data protection and privacy in everything you do.

In this way, it enables you to comply with the fundamental principles and requirements of the GDPR, supports accountability, and lets you demonstrate transparently that you process data responsibly.

To comply with this principle, review the privacy implications whenever you develop new IT systems, services, products, processes or policies. Data protection impact assessments (DPIAs) are an essential part of the data protection by design and by default process; the GDPR requires one wherever processing is likely to result in a high risk to individuals (Article 35). A DPIA checks that every collection, processing, storage and destruction step is designed with privacy in mind.

Once you understand the threats to data subjects' rights, it is much easier to identify the necessary safeguards and build them into your designs from the beginning.

Key principles of Privacy by Design

Ontario's Information and Privacy Commissioner (IPC) developed Privacy by Design in the 1990s and published a comprehensive primer on it, which has since been updated and remains an authoritative source on building privacy into business applications by default.

It sets out seven foundational principles of Privacy by Design:

Proactive not reactive; preventative not remedial. 

Privacy as the default setting.

Privacy embedded into Design.

Full functionality – positive-sum, not zero-sum. 

End-to-end security – full lifecycle protection. 

Visibility and transparency – keep it open.

Respect for user privacy – keep it user-centric. 

10 Steps to embed Privacy by Design – Healthy practices

1- Do you have a lawful basis for processing "personal data"? Review your purpose(s) before the information is collected, and again before it is used for a new purpose. Inform data subjects about their rights and options.

2- Handle personal data in an open and transparent manner. Provide clear and easy-to-find information on your policies and procedures for handling personal data, and let people know about significant changes.

3- Minimize the amount of personal data processed and the number of third parties involved, anonymize or pseudonymize the data where possible, and delete personal data when it is no longer required.

4- Determine the conditions for using or disclosing personal data, and limit the use and disclosure of personal data for direct marketing purposes.

5- Make sure that the personal data collected, used or disclosed is accurate, up to date and complete.

6- Protect personal data with appropriate technical and organizational measures (ensure security).

7- Establish the terms and circumstances for accessing personal data, and define authorizations carefully so that each role can reach only the data its purpose requires.

8- Define complaint procedures, and provide information on privacy breaches, including sanctions and compensation.

9- Establish controls at the operational, functional and strategic levels to ensure the integrity, confidentiality and availability of personal data throughout its lifecycle.

10- Privacy compliance: have appropriate internal controls, independent audit mechanisms, periodic audits and privacy risk assessments.
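The minimization, pseudonymization and retention items in the list above are the ones that reduce directly to code. The Python example below is added here as an illustration; it is not from the original page or from Privado's product, and the sample records, the pseudonymization key and the 365-day retention period are constructed assumptions. It contrasts the common mistake of pseudonymizing with an unkeyed hash of an e-mail address (which anyone holding a list of candidate addresses can reverse) with an HMAC-based pseudonym whose key is held apart from the data, strips the fields a purpose does not need, and purges records that have passed their retention period.

```python
import hashlib
import hmac
from datetime import date, timedelta
from typing import List, Optional, Union

# Constructed sample records: no real people, addresses or IPs.
SAMPLE_RECORDS = [
    {"email": "alice@example.com", "dob": "1990-05-01", "ip": "203.0.113.7",
     "plan": "pro", "last_seen": "2024-01-10"},
    {"email": "bob@example.org", "dob": "1985-11-23", "ip": "198.51.100.4",
     "plan": "free", "last_seen": "2023-06-30"},
]

# Hypothetical key for the example. In a real system it lives in a KMS or
# secrets manager, separate from the pseudonymized data, and is rotated
# under change control; whoever holds it can re-identify subjects.
PSEUDONYM_KEY = b"demo-only-key-do-not-use-in-production"

# The only fields this (assumed) analytics purpose actually needs.
ALLOWED_FIELDS = ("plan", "last_seen")


def pseudonymize(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed pseudonym: stable for one identifier under one key, and not
    recoverable by hashing guesses without that key."""
    normalized = identifier.strip().lower().encode()
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]


def weak_pseudonymize(identifier: str) -> str:
    """The common mistake: an unkeyed hash of the e-mail address."""
    normalized = identifier.strip().lower().encode()
    return hashlib.sha256(normalized).hexdigest()[:16]


def reverse_unkeyed(pseudonym: str, candidates: List[str]) -> Optional[str]:
    """Dictionary attack: with a list of plausible addresses and no secret at
    all, an unkeyed hash maps straight back to the subject."""
    for cand in candidates:
        if weak_pseudonymize(cand) == pseudonym:
            return cand
    return None


def minimize(record: dict) -> dict:
    """Keep only the fields the purpose needs, replace the direct identifier
    with a keyed pseudonym, and drop everything else (dob, ip) outright."""
    out = {k: record[k] for k in ALLOWED_FIELDS if k in record}
    out["subject_id"] = pseudonymize(record["email"])
    return out


def is_expired(record: dict, today: Union[date, str], retention_days: int = 365) -> bool:
    """Retention rule: a record is due for deletion once more than
    retention_days have passed since the subject's last activity."""
    if isinstance(today, str):
        today = date.fromisoformat(today)
    last_seen = date.fromisoformat(record["last_seen"])
    return last_seen + timedelta(days=retention_days) < today


def purge_expired(records: List[dict], today: Union[date, str],
                  retention_days: int = 365) -> List[dict]:
    """Return only the records still inside their retention period."""
    return [r for r in records if not is_expired(r, today, retention_days)]


if __name__ == "__main__":
    kept = purge_expired(SAMPLE_RECORDS, "2025-01-01")
    print("retained after purge:", [minimize(r) for r in kept])
    weak = weak_pseudonymize("alice@example.com")
    guesses = ["bob@example.org", "alice@example.com"]
    print("unkeyed hash reversed to:", reverse_unkeyed(weak, guesses))
    print("keyed pseudonym reversed to:",
          reverse_unkeyed(pseudonymize("alice@example.com"), guesses))
```

Two caveats a practitioner should keep in mind. First, pseudonymized data is still personal data under the GDPR (Article 4(5) defines pseudonymization as reversible with additional information held separately, and Recital 26 says such data remains personal data), so the keyed approach reduces risk but does not take you outside the regulation; only genuine anonymization does. Second, the retention check is only useful if something actually runs it on a schedule and the deletion reaches backups and downstream copies held by the third parties mentioned in step 3.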

Scale Privacy Programs without the Pain

Try Privado's privacy code scanning solution.