While the new EU General Data Protection Regulation (GDPR) might only make a recommendation for privacy by design, privacy by default is a different matter: it is included as an obligation, with no limiting factors.
Privacy as the default setting
Privacy as the default setting is actually one of the seven foundational principles of privacy by design. It requires personal data to be automatically protected by IT systems, without any further action required from the individual.
For example, when an individual creates a social media profile, the privacy settings should, by default, be set to the most privacy-friendly option. Setting up profiles to be public by default is no longer allowed under the GDPR. As you can imagine, this raises big questions for digital giants like Facebook and the like, but it also requires many changes from smaller companies.
Article 25 of the GDPR also expands on the principle to require that data controllers implement appropriate technical and organisational measures to ensure that, by default, only personal data which is necessary for each specific purpose of the processing is processed. This means that businesses, by default, should only process personal data to the extent necessary for their intended purposes and should not store it for longer than is necessary for those purposes.
This brings us to a measure known as data minimisation, which is referenced in five separate sections in the GDPR. In fact, it is impossible to be GDPR-compliant without implementing data minimisation rules and processes at every step in the data lifecycle. Data minimisation is where a data controller limits personal data collection, storage, and usage to data that is relevant, adequate, and absolutely necessary for carrying out the purpose for which the data is processed.
So in effect, a driving app should only require access to your location data for the time necessary to provide the navigation information you requested. To provide that service, the driving app does not need access to other personal data such as your age, gender, or car make and model. Nor should the driving app, by default, track your location at all times, even when you are not using the app.
In short, the privacy-intrusive features of a product or service are initially limited to what is necessary for its basic use, and the data subject should in principle be left the choice to allow broader use of his or her personal data.
Always inform your users
In order to stay in line with GDPR guidelines, customers should be given clear privacy and data-sharing notices that explain everything your business does with personal information. They should also be periodically reminded to review and refresh their privacy settings. It is also wise to regularly review user accounts and delete the data of former users whose accounts are closed or inactive.