13 March

What is privacy by design and why does it matter for new EU data rules?

The new EU General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, advises data controllers to build data protection safeguards into their products and services from the earliest stages of development. This is a well-known concept in systems engineering called privacy by design, and despite being only a recommendation it could make all the difference in complying with the GDPR.

The approach centers on making privacy a key consideration when building new IT systems for storing or accessing personal data, embarking on a data sharing initiative, or using data for new purposes. It has numerous benefits: it helps you to comply with the GDPR, and it also enables you to identify potential privacy issues earlier and address them in a cost-effective way.

The 7 Foundational Principles

The Information & Privacy Commissioner of Ontario (IPC) has taken a leading role in developing the Privacy by Design concept, establishing seven foundational principles of privacy by design.

  1. Proactive not reactive, preventative not remedial
    Privacy by design anticipates and prevents privacy-invasive events before they happen. It does not wait for privacy risks to materialise but aims to prevent them from occurring.

  2. Privacy as the default setting
    Personal data is automatically protected by IT systems. No action is required by an individual to protect their privacy as it is built into the system.

  3. Privacy embedded into design
    Privacy should be an essential component of the core functionality being delivered, not bolted on as an add-on.

  4. Full functionality (positive-sum, not zero-sum)
    Privacy by design avoids a zero-sum approach in which trade-offs are made, and aims instead to serve all interests in a win-win manner, i.e. security and privacy in the same system.

  5. End-to-end security
    Privacy by design ensures all data is securely retained and then securely destroyed at the end of the process, giving secure, cradle-to-grave lifecycle management of information.

  6. Visibility and transparency
    Processes and operations are visible and transparent to users and providers, giving reassurance that data is being treated in compliance with stated promises and objectives.

  7. Respect user privacy – keep it user-centric
    Design user-centric systems and processes with privacy defaults, appropriate notice and user-friendly options.

Privacy Impact Assessment

An integral part of the Privacy by Design approach is a Privacy Impact Assessment (PIA). PIAs are a tool to identify and reduce the privacy risks of your projects, and they can also help you to design more efficient and effective processes for handling personal data.

PIAs are often applied to new projects, because this allows greater scope for influencing how the project will be implemented. They can also be useful when changing or reviewing an existing system, provided the organisation ensures that there is a realistic opportunity for the process to implement necessary changes to the system.

A PIA should incorporate the following steps:

To find out what your company has to do specifically to be GDPR compliant by 25 May, get in touch with us at WAAT. Take our GDPR compliance checker as part of a Privacy Impact Assessment to inspect your data systems, identify privacy risks and evaluate the solutions.

Let’s work together on your new exciting project

Web Architecture and Technologies Ltd

Better Space, 127 Farringdon Road
London EC1R 3DA

United Kingdom

WAAT Switzerland GmbH

Bernoullistrasse 20

CH-4056 Basel

Switzerland

WAAT Poland Sp. z o.o.

Telewizyjna 48

01-492 Warszawa

Poland