Privacy Engineering

10 Steps to Implement Privacy By Design in your organization

Vaibhav Antil
October 9, 2020

We are living in truly exciting times, indeed, where simple 1s and 0s can chalk out and reconstruct an individual’s entire online presence. You can use them for mapping out their demographic detail, location, preferences, etc., to capture their virtual image. However, in the wrong hands, this power can leave one sprawling through the back alleys of illicit activities. 

For this very reason, user and data privacy is progressively gaining importance day by day. 

In this post, we will take a look at Privacy by Design, especially in the General Data Protection Regulation (GDPR) context, and how to make it an integral part of any organization.

What Is Privacy by Design?

Privacy by Design refers to a software development approach that considers privacy concerns from the beginning of the design process. It is the process of ensuring that all personal data collection, processing, storage, and destruction measures are designed to protect privacy.

Privacy by Design is all about "baking" data protection into your processing activities and business applications at the design stage. Under the GDPR, it is a legal requirement for you to implement appropriate technical and organizational measures to enforce data protection principles and protect individual rights effectively.  

This is called "Data protection by design and by default." (GDPR Article 25)

The 7 principles of Privacy by Design

Concerns regarding data privacy are not new. The concept of prioritizing user privacy over any other process in systems and technologies was discussed extensively in the 1970s before being formally adopted in the 1990s. Dr. Ann Cavoukian proposed the idea of Privacy by Design (or PbD), which stipulates the following seven foundational principles:

  1. Proactive not reactive; preventative not remedial.
  2. Privacy as the default setting.
  3. Privacy embedded in the design.
  4. Full Functionality - Positive-Sum, not Zero-Sum.
  5. End-to-End security - full lifecycle protection.
  6. Visibility and transparency - keep it open.
  7. Respect for user privacy - keep it user-centric.

Privacy By Design introduces a cultural change where privacy reigns supreme. Accordingly, several countries are formalizing legislation to ensure greater compliance. The GDPR, introduced in 2018, is one such law that has PbD written into it (Article 25).

10 Actionable Ways to Integrate Privacy by Design within Your Organization

Here are some ways to incorporate Privacy By Design in your organization’s framework:

 1. Announce Clear Privacy and Data Sharing Policies

Typically, websites can collect user information in two ways - volunteered and automated personal data collection. Volunteered data is what the user willingly enters into your website forms. Automated collection, on the other hand, accounts for a greater share of data and uses cookies, tracking scripts, web beacons, etc. to identify the visitor and record their personal data.

As a result, your website should explicitly state, through pop-up notifications, banner displays, etc., the nature and purpose of the personal information it will collect. Moreover, the visitor must have the option to opt out of sharing such details.

 2. Avoid Pre-Ticking Checkboxes

Checkboxes are one of the best ways to acquire explicit consent from your visitors for accessing and using their personal information. However, pre-ticking these checkboxes takes away the choice a user should be able to exercise. Hence, these boxes must always stay unchecked by default. If the process cannot progress without consent, the better practice is to display a prompt nudging the user to tick the checkbox themselves.

 3. Incorporate Just-in-Time Notices

Privacy By Design principle #6 focuses on the visibility and transparency of your website components, and just-in-time notices are one way to abide by it. A just-in-time notice displays a short, focused explanation at the moment the user enters a piece of information in a form. It gives you the opportunity to state why you need that particular data and how you plan to use it.

 4. Minimise Data Collection

This strategy relies on a foundation shared by Privacy By Design and the GDPR: collect and process the least amount of user data, to minimize liability and the possible impact on privacy in case of a breach. Data minimization can take place in two ways - by limiting the volume of data collected per person, or by reducing the number of data subjects drawn from the organization's source data. Thus, you could choose to select or exclude a subset of users, or to collect only the critical fields.

 5. Honor Confidentiality

To support your organization's endeavour to be Privacy By Design compliant, you must focus on protecting confidentiality by restricting who can observe the data. You can achieve this by limiting data access and sharing personal information only on a need-to-know basis. Additionally, you must encrypt the data, both in transit and at rest, to prevent unauthorized access.

 6. Separate and Sort Data

Data separation and data mixing are two of the smartest data protection techniques, and you can use them as a buffer to limit the damage from a data breach. The former isolates personal data and stores it in separate parts of the database so that the pieces are unlinked; the latter groups together varied data types and subjects so that no correlation remains. In either case, the independent data fragments or the consolidated chunks confound an intruder and prevent them from extracting useful information from any one part.
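The following is an added example, not code from the original post or from any product it mentions, showing data separation (step 6) together with the field allowlist of step 4 and the need-to-know join of step 5. It assumes a simple in-memory model: an identity vault holding direct identifiers under a random token, and an analytics store holding only minimised, non-identifying fields under the same token, so that neither store alone links a person to their records.

```python
import secrets
from typing import Dict, Set

# Allowlist for the analytics store (step 4: collect only the critical fields).
ANALYTICS_FIELDS = frozenset({"country", "plan", "signup_year"})
# Direct identifiers: held only in the vault, never next to analytics data (step 6).
IDENTIFIER_FIELDS = frozenset({"name", "email", "phone"})


class SeparatedStore:
    """Two stores linked only by a random token (assumed in-memory model)."""

    def __init__(self) -> None:
        self.vault: Dict[str, dict] = {}      # token -> direct identifiers
        self.analytics: Dict[str, dict] = {}  # token -> minimised, non-identifying fields

    def ingest(self, record: dict) -> str:
        # Random token, not a hash of the email: it cannot be re-derived from identifiers.
        token = secrets.token_urlsafe(16)
        self.vault[token] = {k: v for k, v in record.items() if k in IDENTIFIER_FIELDS}
        self.analytics[token] = {k: v for k, v in record.items() if k in ANALYTICS_FIELDS}
        # Any other field (e.g. ip_address below) is dropped, i.e. never collected.
        return token

    def reidentify(self, token: str) -> dict:
        """Need-to-know join (step 5); only code holding vault access can call this."""
        return {**self.vault[token], **self.analytics[token]}

    def erase(self, token: str) -> None:
        """Deleting the vault entry turns the analytics row into anonymous data."""
        self.vault.pop(token, None)


def fields_exposed(store: SeparatedStore, leaked: str) -> Set[str]:
    """Field names an intruder sees if exactly one store ('vault' or 'analytics') leaks."""
    table = store.vault if leaked == "vault" else store.analytics
    return {k for row in table.values() for k in row}


# Constructed sample input (fictitious people and addresses).
SAMPLE_RECORDS = [
    {"name": "A. Example", "email": "a@example.test", "phone": "000", "country": "DE",
     "plan": "pro", "signup_year": 2020, "ip_address": "192.0.2.10"},
    {"name": "B. Example", "email": "b@example.test", "phone": "001", "country": "FR",
     "plan": "free", "signup_year": 2019, "ip_address": "192.0.2.11"},
]


def build_store() -> SeparatedStore:
    store = SeparatedStore()
    for rec in SAMPLE_RECORDS:
        store.ingest(rec)
    return store
```

A leak of the analytics store exposes no identifier, a leak of the vault exposes no behavioural data, and the unneeded `ip_address` field never reaches either store.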


 7. Educate and Empower

Educating and empowering your users and maintaining transparency can be one of the best practices of data collection and usage. Make it a habit for your website to inform visitors on the kind of data being collected, the purpose of this data, and to what extent it may be shared with third parties. Such a measure also ensures compliance with Articles 13 and 14 of GDPR.

 8. Offer Control

In an age where businesses are proactive about privacy and customer-centricity, merely informing the visitor on their data rights is not enough. You must also offer them granular control over the data that they wish to share or curtail. Granting them the power to exercise consent, withdraw consent, update or retract information, and make choices will go hand-in-hand with the strategy to educate and empower.

 9. Enforce Compliance

To ensure regulatory compliance, organizations must have a well-defined, thoroughly documented privacy framework that is practically applicable. A privacy-centred work culture must motivate the management and all employees to actively participate in the creation, maintenance, and upholding of privacy.

 10. Demonstrate Respect for Privacy

Finally, there needs to be a mechanism to review the data, assign roles and responsibilities, and fix accountability for how data is sourced and maintained. These owners will record, audit, and report on the personal data processing systems and carry out periodic evaluations for risk avoidance and mitigation. In this manner, businesses can follow a well-documented Privacy by Design process from the ground up to the highest level.

Final Thoughts

According to the Cisco Consumer Privacy Survey (2019), 84% of the participants said they care deeply about their data and want more control over how it is used. Nearly half of these respondents also indicated that they would be willing to switch brands for more robust data protection and privacy policies. These statistics support the notion that privacy is not an afterthought. In fact, it must be the core motivator for introducing policy changes.

So, where does your organization stand in this aspect?


Vaibhav is the founder of and a CIPM certified privacy professional.
