Following on from our overview on the Future of Data Protection in Europe this post will focus on Privacy by Design, and specifically why it is enjoying somewhat of a revival of late.
It is of particular relevance to organisations that will be processing large volumes of personal data. The draft General Data Protection Regulation, imposes some significant obligations that will require organisations to embrace privacy by design in their day to day operations.
Privacy by design is not a new concept; it originated as long ago as 1995 from a joint report on Privacy Enhancing Technologies by Dutch and Canadian regulators. At the time it was developed to address what the former Information and Privacy Commissioner of Ontario, Dr Ann Cavoukian, viewed as the ever-growing and systemic effects of Information and Communication Technologies, and of large–scale networked data systems. It is important to remember that this was the same time that the current European Data Protection Directive was agreed, and at that time taking a strong regulatory stance was viewed as the best option to protect personal data. As discussed in our last post, we live in a very different world to 1995 and it appears that the Dr Cavoukian was ahead of her time. Edward Snowden’s revelations have brought privacy by design back to the centre of the data protection world, especially for those involved in SaaS and cloud services.
What is privacy by design?
Privacy by design is essentially an approach to projects that considers privacy and data protection from the outset. Privacy by design is based around 7 foundational principles:
- Being proactive, not reactive
- Having privacy as the default setting
- Having privacy embedded into the design
- Accommodates all legitimate interests (e.g. avoids the pretence of false dichotomies, such as privacy vs. security, demonstrating that it is possible to have both)
- Providing full lifecycle protection of data
- Visibility and transparency
- Respect for user privacy
The main objectives of a privacy by design approach are to ensure privacy, enable individuals to gain control over their personal data and enable organisations to gain a competitive advantage.
Why are organisations using privacy by design?
The increased financial penalties proposed in the draft European General Data Protection Regulation, combined with the fact that the Regulation will apply to all organisations providing goods and services to European citizens, means that privacy by design will be crucial to ensure compliance. The draft Regulation also includes an express requirement for data protection by design. Unlike the current legislation, which only places obligations on data controllers, the new Regulation will place express obligations on data processors for the first time. This means that privacy by design will be of particular importance to cloud and SaaS providers who do not actually know what personal data they are processing.
What should we do next?
Prior to commencing any projects all organisations should carry out a Privacy Impact Assessment, which will enable you to identify and reduce the privacy risks of your project.
Privacy Impact Assessments need to be quite flexible as your approach will vary from project to project. However, there are some key points that you should always consider, including identifying the privacy risks, describing the information flows and identifying and evaluating privacy solutions. It is essential to involve all the relevant stakeholders from the outset so that everyone is involved in the process. Where possible privacy impact assessments should be integrated into your existing project management processes as an essential starting point to privacy by design. Following the privacy impact assessment organisations will need to use technical and organisational measures, such as encryption, to protect personal data and to ensure that, by default, only a minimum amount of personal data is processed.
If an organisation can establish a privacy by design approach from the outset or at an early stage in the organisations existence this will prove extremely beneficial to the organisation from both a compliance and growth perspective. A good privacy by design approach will assist organisations in meeting their legislative obligations by identifying potential problems from an early stage. This will mean that any remedial actions are less likely to be intrusive and it will build confidence in an organisation’s approach to data protection.
This post was produced in partnership with Christopher Coughlan at Ashfords.