Privacy by design is a methodology that helps organisations develop projects where privacy and data protection are accounted for from the start. Privacy by design is not a requirement of the Data Protection Act, but has been included in the GDPR specification (Article 23). Instead of incorporating data security measures as an after-thought, privacy and data sharing policies should be developed during the early stages of a project. Doing so will make is easier and cheaper to address potential security flaws. It will also increase staff members’ awareness to data protection issues, and make it easier for organisations to meet legal obligations.
In order to conform to the privacy by design methodology organisations may need to undertake a Privacy Impact Assessment (PIA). A PIA is used to identify potential privacy risks and helps organisations design efficient and effective processes for handling sensitive data. To determine whether or not a PIA is required, you will need to ask the following questions:
- Are you planning to collect new information about individuals?
- Are you collecting particularly sensitive data, such as health/criminal records?
- Are you likely to disclose this information to a third-party?
- Are you likely to use this information for purposes that are not directly related to the project’s purpose?
- Are you likely to use technology that may intrude on a user’s privacy (e.g. facial recognition, biometrics, etc.)?
- Are you likely to contact individuals in a way that may be deemed as intrusive?
Article 25 of the GDPR states that data controllers are required to acknowledge and adhere to the “privacy by design” methodology. They will be required to implement appropriate technical and procedural measures, both at the start of the project, and at the time of processing personal data. Such measures may include using pseudonymous data, giving users control over their data, and using Enhanced Privacy ID’s (EPIDs), which allow devices to authenticate themselves remotely and anonymously.
By default, the data controller will need to make sure that they are only processing information that is necessary and relevant to the intended functionality of the project. Likewise, privacy settings should be set to the highest level by default, and can only be relaxed based on user intervention.
Since each project will have a different scope and purpose, the GDPR must be flexible in the way it enforces “privacy by design”. However, since failure to comply with the GDPR can result in heavy fines, it is a good idea for organisations to conduct regular Privacy Impact Assessments (PIAs).
A framework for carrying out PIAs has been developed by the UK Information Commissioner’s Office (ICO), which outlines the best practices for identifying and minimising privacy risks. The Dutch Data Protection Authority (Dutch DPA), among others, have already endorsed such guidelines.
There are essentially 5 principles you will need to follow when designing a project using the “privacy by design” approach:
1. Ensure that data is processed fairly and lawfully.
2. Ensure that the data you are collecting is specific and relevant.
3. Ensure that the data you process is kept up to date.
4. Ensure that data is not held any longer than what is necessary.
5. Ensure that any territories or organisations you are transferring personal. data to have adequate data protection measures in place.