The new EU General Data Protection Regulation (GDPR), which goes into force on 25 May 2018, advises data controllers to build data protection safeguards into their products and services from the earliest stages of development. It is a well known concept in systems engineering called privacy by design, and despite only being a recommendation it could make all the difference in complying with GDPR.
The approach centers around making privacy a key consideration when building new IT systems for storing or accessing personal data, embarking on a data sharing initiative, or using data for new purposes. And it has numerous benefits, not least helping you to comply with the GDPR, but also enabling you to identify potential privacy issues earlier and address them in a cost-effective way.
The 7 Foundational Principles
The Information & Privacy Commissioner of Ontario (IPC) has taken a leading role in developing the Privacy by Design concept, establishing seven foundational principles of privacy by design.
1. Proactive not reactive, preventative not remedial
Privacy by design anticipates and prevents privacy invasive events before they happen. It does not wait for privacy risks to materialise but aims to prevent them occurring.
2. Privacy as the default setting
Personal data is automatically protected by IT systems. No action is required by an individual to protect their privacy as it is built into the system.
3. Privacy embedded into design
Privacy should be an essential component of the core functionality being delivered, not bolted on as an add-on.
4. Full functionality (positive-sum, not zero-sum)
Privacy by design avoids zero-sum approach where trade-offs are made but aims to deliver all interests in a win-win manner, ie. security and privacy in the same system.
5. End-to-end security
Ensures all data is securely retained, and then securely destroyed at the end of the process, in a cradle to grave, secure lifecycle management of information.
6. Visibility and transparency
Processes and operations visible and transparent to users and providers, giving reassurance that data is being treated in compliance with stated promises and objectives.
7. Respect user privacy – keep it user-centric
Design user-centric systems and processes with privacy defaults, appropriate notice and user-friendly options.
Privacy Impact Assessment
An integral part of the Privacy by Design approach is a Privacy Impact Assessment (PIA). PIAs are a tool to identify and reduce the privacy risks of your projects, and they can also help you to design more efficient and effective processes for handling personal data.
PIAs are often applied to new projects, because this allows greater scope for influencing how the project will be implemented. But they can also be useful during changes of an existing system, or a review of an existing system - but the organisation needs to ensure that there is a realistic opportunity for the process to implement necessary changes to the system.
A PIA should incorporate the following steps:
- Identify the need for a PIA
- Describe the information flows
- Identify the privacy and related risks
- Identify and evaluate the privacy solutions
- Sign off and record the PIA outcomes
- Integrate the outcomes into the project plan
- Consult with internal and external stakeholders as needed throughout the process
To find out what your company has to do specifically to be GDPR compliant by 25 May, get in touch with us at WAAT. Take our GDPR compliance checker as part of a Privacy Impact Assessment to inspect your data systems, identify privacy risks and evaluate the solutions.