How, exactly, can privacy be designed? Companies concerned about Europe’s General Data Protection Regulation (GDPR) may or may not have already considered the curious concept of “privacy by design and privacy by default” — but consider it, they must. While it’s hardly the most charming regulatory text ever written, it’s implications are vast, and understanding it properly saves startups considerable time and money (and headaches) if they begin implementing a few key privacy procedures while they are still at earlier stages of product and procedural development. The legal nuts and bolts can be found in Article 25 of the GDPR, with this excerpt below clarifying the main requirements:
“In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimizing the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.” (Recital 78)
Simply put, the GDPR expects companies and other organizations to implement technical and organizational measures at their earliest stages of design and at the earliest stages of their operations. They need to do this in a way that safeguards privacy and data protection principles right from the start (“data protection by design”). Such requirements are also, quite frankly, simple due diligence in the world of reliable data management. So, how does one actually “design” data protection for data subjects?
What is Privacy by Design?
Privacy by design is not a new concept. It is the philosophy proposed by Dr. Ann Cavoukian, the Information and Privacy Commissioner of Ontario in the 1990s. Ann Cavoukian is widely recognized as the primary creator of the privacy by design concept. She defines it as an approach to technology design that embeds privacy-enhancing measures into technology at the point of design and production, and sells to technology to consumers with strong default privacy settings. The foundational principles of “Privacy by Design” as suggested by Ann Cavoukian are:
- Privacy by design is proactive, not reactive; it is preventative, not remedial. Privacy by design anticipates and protects privacy against negative and invasive effects of new products and technologies before they happen.
- Privacy by design ensures privacy as the default, which means that personal data are automatically protected in any given IT system. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy − it is built into the system, by default.
- Privacy by design means that privacy is embedded into the design and the architecture of the IT system. It is not bolted on, after-the-fact. The result is that privacy becomes an essential component of the core functionality that is being delivered.
- Privacy by design permits full functionality. When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired, and to the greatest extent possible, that all requirements are optimized.
- Privacy by design extends securely throughout the entire lifecycle of the data involved. Strong security measures are essential to privacy, from start to finish. Privacy must be continuously protected across the entire domain and throughout the life-cycle of the data in question. There should be no gaps in either protection or accountability. The “Security” principle has special relevance here because, at its essence, without strong security, there can be no privacy.
- Privacy by design seeks to assure visibility and transparency, as they are essential to establishing accountability and trust.
- Privacy by design is consciously designed around the interests and needs of individual users, who have the greatest vested interest in the management of their own personal data. The architects should keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric!
After the GDPR came into force on May 25th, 2018 many companies became tempted to regard the regulation as a compliance burden. However, GDPR is about reputation and not just regulation. The benefits of meeting the requirement for data protection by design, which is essentially the GDPR’s version of “privacy by design” go far beyond any legal compliance. Also, as stated earlier, much of it is standard housekeeping if you are already a company that prioritizes data security.
New Consumer Privacy Expectations
Studies have shown that data privacy is a consideration steadily more expected by the consumers. According to a survey conducted online by The Harris Poll on behalf of IBM between March 20-26th, 2018, 78% of U.S. respondents say that a company’s ability to keep their data private is “extremely important” and only 20% “completely trust” organizations they interact with to maintain the privacy of their data. This suggests that privacy breaches not only have significant financial implications but can also cause reputational damage. If consumers do not feel that their privacy is being protected, they will seek out other means of ensuring their privacy.
Embracing privacy from the design phase enables companies to protect customers’ data and enhance their business reputation. It enables trusted, long-term relationships with the existing customers and the opportunity to attract new ones. Irrespective of whether they are affected by the regulatory framework itself, companies should make privacy an integral part of their DNA and their offering for their existence and for their customers’ well being. This is good news for those working in any sector, including IoT (Internet of Things), machine learning, and blockchain.
The reality—that brand reputation and consumer trust are inextricably linked—is especially true in the IoT context. According to one estimate, the total number of connected IoT sensors and devices is set to exceed 50 billion by 2022, up from an estimated 21 billion in 2018. Consumers (or as the GDPR calls them, “data subjects”) want organizations to give them more control over their personal information as the Internet of Things (IoT) grows, and connected devices harvest even more of their data, according to research from the Economic Intelligence Unit (EIU). As more devices, platforms, and infrastructure connect to the Internet in real-time, the most successful industry participants will be those that regard Privacy by Design as an opportunity to demonstrate that they are worthy of consumers’ trust.
A recent report by O’Reilly outlines the current state of machine learning adoption in the enterprise and reveals that in order to keep pace with developing privacy needs, machine learning needs to evolve. “With the EU’s recent General Data Protection Regulation mandates, more companies will begin to implement privacy safeguards into their machine learning practices”, says the report. It further reveals that the GDPR pushes for “privacy by design,” and that more businesses are taking interest in privacy-preserving analytic methods. These methods include techniques like differential privacy, homomorphic encryption, federated learning, and more.
Such privacy-preserving applications not only help companies become GDPR complaint but also allow users to benefit from the security of blockchain, among other technologies. It’s worth noting that the popularity of new decentralized networks comes in large part from the expectation that they offer a means of protecting one’s identity. Ultimately, whatever the technology, taking early action to preserve personal privacy is a winner for both the parties, the companies and the users. The sooner you start, the easier it will be.
For more insights, follow TechGDPR on Twitter.