Mar 13

What is privacy by design and why does it matter for new EU data rules?


The new EU General Data Protection Regulation (GDPR), which comes into force on 25 May 2018, advises data controllers to build data protection safeguards into their products and services from the earliest stages of development. This is a well-known concept in systems engineering called privacy by design, and despite only being a recommendation it could make all the difference in complying with the GDPR.

The approach centres on making privacy a key consideration when building new IT systems that store or access personal data, embarking on a data-sharing initiative, or using data for new purposes. It has numerous benefits: not least helping you to comply with the GDPR, but also enabling you to identify potential privacy issues earlier and address them in a cost-effective way.

The 7 Foundational Principles

The Information & Privacy Commissioner of Ontario (IPC) has taken a leading role in developing the Privacy by Design concept, establishing seven foundational principles of privacy by design.

  1. Proactive not reactive, preventative not remedial
    Privacy by design anticipates and prevents privacy-invasive events before they happen. It does not wait for privacy risks to materialise but aims to prevent them from occurring.

  2. Privacy as the default setting
    Personal data is automatically protected by IT systems. No action is required by an individual to protect their privacy, as it is built into the system.

  3. Privacy embedded into design
    Privacy should be an essential component of the core functionality being delivered, not bolted on as an add-on.

  4. Full functionality (positive-sum, not zero-sum)
    Privacy by design avoids a zero-sum approach in which trade-offs are made, and instead aims to accommodate all interests in a win-win manner, i.e. security and privacy in the same system.

  5. End-to-end security
    Ensures that all data is securely retained, and then securely destroyed at the end of the process: cradle-to-grave, secure lifecycle management of information.

  6. Visibility and transparency
    Processes and operations are visible and transparent to users and providers, giving reassurance that data is being treated in compliance with stated promises and objectives.

  7. Respect user privacy – keep it user-centric
    Design user-centric systems and processes with privacy defaults, appropriate notice and user-friendly options.

Privacy Impact Assessment

An integral part of the Privacy by Design approach is a Privacy Impact Assessment (PIA). PIAs are a tool to identify and reduce the privacy risks of your projects, and they can also help you to design more efficient and effective processes for handling personal data.

PIAs are most often applied to new projects, because this allows greater scope for influencing how the project will be implemented. They can also be useful when changing or reviewing an existing system, but the organisation then needs to ensure that there is a realistic opportunity for the process to bring about the necessary changes to the system.
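Several of the principles above map directly onto code-level controls, and those controls are exactly what a PIA checks for when it inspects a system that handles personal data. The following Python module is an added illustration, not code from the WAAT post: it shows privacy-preserving defaults (principle 2), purpose-bound data minimisation with default-deny (principle 3), retention-driven destruction of records (principle 5) and an audit trail of what was done with the data (principle 6). The record fields, the declared processing purposes, the retention period and the reference date are all constructed for the example.

```python
"""Added example (not from the original post): privacy-by-default record
handling with purpose-based minimisation and retention-driven destruction."""
from dataclasses import asdict, dataclass
from datetime import datetime, timedelta, timezone
from typing import Dict, List, Set

# Constructed reference time so the example is deterministic and runs offline.
NOW = datetime(2018, 5, 25, tzinfo=timezone.utc)


# Principle 2 (privacy as the default): every optional disclosure starts "off"
# and stays off unless the data subject explicitly switches it on.
@dataclass(frozen=True)
class UserRecord:
    user_id: str
    email: str
    full_name: str
    date_of_birth: str
    created_at: datetime
    marketing_opt_in: bool = False     # default: no marketing contact
    profile_public: bool = False       # default: not discoverable by others
    analytics_allowed: bool = False    # default: no behavioural analytics


# Principle 3 (embedded into design): each processing purpose declares up front
# which fields it may see. These purposes are assumptions made for the example.
PURPOSE_FIELDS: Dict[str, Set[str]] = {
    "account_login": {"user_id", "email"},
    "newsletter": {"user_id", "email", "marketing_opt_in"},
    "age_verification": {"user_id", "date_of_birth"},
}


def minimise(record: UserRecord, purpose: str) -> Dict[str, object]:
    """Return only the fields the stated purpose is permitted to process.
    An undeclared purpose is refused rather than handed the whole record."""
    if purpose not in PURPOSE_FIELDS:
        raise PermissionError(f"no declared processing purpose: {purpose}")
    if purpose == "newsletter" and not record.marketing_opt_in:
        # Default-deny: without an explicit opt-in the purpose receives nothing.
        return {}
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in asdict(record).items() if k in allowed}


# Principle 5 (end-to-end lifecycle): records carry a retention deadline and are
# destroyed once it passes. Principle 6 (transparency): every store and
# destruction is logged so behaviour can be shown to match the stated policy.
class RetentionStore:
    def __init__(self, retention: timedelta):
        self.retention = retention
        self._records: Dict[str, UserRecord] = {}
        self.audit_log: List[str] = []

    def add(self, record: UserRecord) -> None:
        self._records[record.user_id] = record
        self.audit_log.append(f"stored {record.user_id}")

    def purge_expired(self, now: datetime) -> List[str]:
        """Destroy every record older than the retention period; return their ids."""
        expired = [uid for uid, r in self._records.items()
                   if now - r.created_at >= self.retention]
        for uid in expired:
            del self._records[uid]
            self.audit_log.append(f"destroyed {uid} (retention elapsed)")
        return expired

    def count(self) -> int:
        return len(self._records)


def make_record(user_id: str, age_days: int, **flags) -> UserRecord:
    """Build a constructed sample record created `age_days` before NOW."""
    return UserRecord(user_id=user_id, email=f"{user_id}@example.com",
                      full_name="Example User", date_of_birth="1990-01-01",
                      created_at=NOW - timedelta(days=age_days), **flags)


def lifecycle_demo(retention_days: int = 365) -> Dict[str, object]:
    """Store two sample records, run the retention purge, report the outcome."""
    store = RetentionStore(timedelta(days=retention_days))
    store.add(make_record("u1", age_days=400))                       # past retention
    store.add(make_record("u2", age_days=10, marketing_opt_in=True))  # still live
    destroyed = store.purge_expired(NOW)
    return {"destroyed": destroyed, "remaining": store.count(),
            "audit": list(store.audit_log)}


if __name__ == "__main__":
    print(minimise(make_record("u1", 1), "account_login"))
    print(minimise(make_record("u1", 1), "newsletter"))  # {} : no opt-in
    print(lifecycle_demo())
```

The design choice worth noting is that the defaults and the purpose table live in the data model, not in the calling code: a new feature that forgets to ask for consent gets an empty result rather than the full record, and a record that outlives its retention period is destroyed by the store itself, with the audit log providing the evidence a PIA or a reviewer would ask for.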

A PIA should incorporate the following steps:

To find out what your company has to do specifically to be GDPR compliant by 25 May, get in touch with us at WAAT. Take our GDPR compliance checker as part of a Privacy Impact Assessment to inspect your data systems, identify privacy risks and evaluate the solutions.
