Updated: Nov 8, 2020
Complying with complex data privacy regulations requires organizations to be much more precise about information security. One increasingly popular way to achieve this is to incorporate privacy considerations directly into their technology, products, and system development from the outset.
"Privacy by Design is an approach to systems engineering initially developed by Ann Cavoukian and formalized in a joint report on privacy-enhancing technologies by a joint team of the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority, and the Netherlands Organisation for Applied Scientific Research in 1995. The Privacy by Design framework was published in 2009 and adopted by the International Assembly of Privacy Commissioners and Data Protection Authorities in 2010. Privacy by Design calls for privacy to be taken into account throughout the whole engineering process. The concept is an example of value-sensitive design, i.e., to take human values into account in a well-defined manner throughout the whole process, and may have been derived from this." (Wikipedia)
This article will explain how adopting the "Privacy by Design" framework can strengthen your privacy compliance efforts.
What Is Privacy By Design
The framework's guiding principle is that privacy is embedded into new technologies, products, IT systems, and services from the design and development phases onward. This presupposes that data classification levels have already been defined, so that all sensitive and privacy-relevant data is known.
In this way, privacy becomes not an add-on or an extra regulatory burden but an essential component in designing and developing new technologies and products, right from the beginning.
An excellent example of Privacy by Design is the Apple Safari Browser's cookie settings: It blocks personal data collection by third-party cookies automatically without requiring any active step by users.
Organizations are increasingly hard-pressed to develop alternatives that are as effective as Privacy by Design at preventing a security breach or regulatory action. A counter-example is the US FTC's case against Facebook. In this case, Facebook made the 'friends list' public by default and faced hefty fines. Had Facebook adopted the Privacy by Design approach, it would not have made such personal data public and would have avoided regulatory action.
Privacy by Design was already getting much press as a concept in both the legal and technology worlds by the late 1990s; it became more popular with GDPR because this new regulation went a step further and made Privacy by Design a legal obligation under Article 25. GDPR requires organizations to adopt Privacy by Design, and failure to do so may result in a fine as high as 4% of their turnover.
As for CCPA, while it does not impose the adoption of the Privacy by Design approach, implementing Privacy by Design can make compliance much easier for organizations concerning data subject rights and security requirements.
HIPAA privacy rules are different, and we will write about them soon. Just know that they are not as far-reaching as typical privacy laws.
The Principles Of Privacy By Design
Privacy by Design consists of seven foundational principles.
Proactive, not Reactive; Preventative, not Remedial
Organizations should anticipate potential privacy risks to personal data before they occur and take precautionary measures to prevent them. In other words, privacy risks are identified before they materialize, and the technical and organizational measures needed to protect privacy are implemented while new technologies or IT systems are being designed.
Privacy as the Default
The maximum level of privacy protection should be achieved by default, and there should be no need for individuals to take active measures to protect their data.
The following practices are essential to implementing this principle successfully:
Purpose Specification: Your organization should clearly explain to individuals the specific and well-defined purposes for which you collect and process personal data.
Data Minimization: You should only collect and process personal data that is strictly necessary.
Retention Limitation: Personal data should only be retained as long as necessary, and it should be destroyed when it is no longer needed.
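The three practices above (purpose specification, data minimization and retention limitation), together with "privacy as the default", can be expressed directly in code rather than left to a checklist. The following is an added example, not code from the article: a small record store that only accepts data for declared purposes, stores only the fields each purpose needs, keeps third-party sharing off unless the individual opts in, and purges records once their retention period has passed. The purposes, field names, retention periods and sample values are all hypothetical, constructed for this example.

```python
"""Added example (not from the article): a record store that enforces purpose
specification, data minimization, retention limitation and privacy-by-default.
All purposes, fields, retention periods and sample values are hypothetical."""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Purpose specification: every purpose is declared up front, with the only
# fields it may collect (data minimization) and how long its records may be
# kept (retention limitation). Hypothetical values.
PURPOSES = {
    "order_fulfilment": {"fields": {"name", "shipping_address"},
                         "retention": timedelta(days=180)},
    "newsletter": {"fields": {"email"},
                   "retention": timedelta(days=365)},
}


class PurposeError(ValueError):
    """Raised when data is submitted for a purpose that was never declared."""


@dataclass
class Record:
    purpose: str
    data: dict
    collected_at: datetime
    # Privacy as the default: nothing is shared with partners unless the
    # individual actively opted in at collection time.
    share_with_partners: bool = False


class PrivacyByDefaultStore:
    def __init__(self):
        self._records = []

    def collect(self, purpose, submitted, now, share_with_partners=False):
        """Store only the fields the declared purpose needs.

        Returns (record, dropped_fields). Fields outside the purpose's
        allow-list are discarded before anything is written, so the
        store never holds data it has no stated purpose for."""
        spec = PURPOSES.get(purpose)
        if spec is None:
            raise PurposeError(f"undeclared purpose: {purpose}")
        minimised = {k: v for k, v in submitted.items() if k in spec["fields"]}
        dropped = set(submitted) - set(minimised)
        record = Record(purpose, minimised, now, share_with_partners)
        self._records.append(record)
        return record, dropped

    def purge_expired(self, now):
        """Retention limitation: delete records older than their purpose's
        retention period without waiting for the individual to ask.
        Returns the number of records deleted."""
        before = len(self._records)
        self._records = [
            r for r in self._records
            if now - r.collected_at <= PURPOSES[r.purpose]["retention"]
        ]
        return before - len(self._records)

    def count(self):
        return len(self._records)


def demo():
    """Constructed walk-through; returns the figures a caller can check."""
    t0 = datetime(2020, 11, 8, tzinfo=timezone.utc)
    store = PrivacyByDefaultStore()
    # A newsletter sign-up form that over-collects: only the e-mail survives.
    rec, dropped = store.collect(
        "newsletter",
        {"email": "a@example.com", "birthday": "1990-01-01", "phone": "555-0100"},
        t0)
    store.collect("order_fulfilment",
                  {"name": "A. Person", "shipping_address": "1 Main St"}, t0)
    # 200 days later the order record (180-day retention) is purged
    # automatically; the newsletter record (365 days) is still within limits.
    purged = store.purge_expired(t0 + timedelta(days=200))
    return {"stored_fields": set(rec.data), "dropped": dropped,
            "shared_by_default": rec.share_with_partners,
            "purged": purged, "remaining": store.count()}


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the allow-list and the retention period live next to the purpose declaration, so a new purpose cannot be added without stating what it collects and for how long; the store's behaviour then follows from that declaration rather than from each caller remembering the rules.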
Privacy Embedded into Design
Privacy is neither an add-on nor a regulatory burden to be ticked off through compliance checklists. Privacy should be an essential part of the core functionality and information security of a new technology, product, service, or IT system.
Full Functionality – Positive-Sum, not Zero-Sum
The Privacy by Design approach rejects the premise that there is a trade-off between privacy and other interests such as security or the organization's business interests. Privacy measures do not serve only individuals' interests; they also create positive benefits for organizations.
End-to-End Information Security – Lifecycle Protection
From collection, through classification and use, to destruction, strong privacy protection measures should be in place to protect data; this is called 'cradle-to-grave data management'. It ensures that data is collected, stored, used, transmitted, and destroyed in a privacy-friendly manner.
Visibility and Transparency
Privacy by Design assures that all parties involved adhere to the stated objectives and promises, and their actions should be subject to independent verification.
The collection, sharing, use, and deletion of personal data, and your organization's policies for processing data, must be documented and communicated to the relevant individuals.
Respect for User Privacy
Engineers and operators of new technologies and products should keep the individual's interests uppermost by offering measures such as strong privacy defaults, appropriate notice, and user-friendly options that put users in control.
Giving users greater control over the management of their personal data and creating user-friendly human-machine interfaces is crucial for a privacy-friendly approach.
How Privacy By Design Strengthens Compliance
Privacy Risks Are Identified And Solved More Easily
Taking a proactive approach to Privacy means that Privacy is already an essential component alongside the core functionalities of the product or technology in question.
With this proactive approach, engineers and designers will be able to foresee potential privacy risks beforehand and take necessary measures to eliminate them.
For instance, the core functions delivered via smart speakers include the ability to make calls, run a Google search, or set an appointment with a doctor. However, there is the inherent privacy risk that smart speakers may record the voices, and even sensitive information, of third parties nearby while listening for commands. Furthermore, this data may even be sold to third parties, intensifying the privacy risk. During the design phase of smart speakers, engineers using a Privacy by Design approach would consider the risk to nearby people and implement measures to prevent collecting that data, or worse, losing control of it by selling it.
Even if no security breach occurs, unlawful collection or selling of personal data is still subject to regulatory action under GDPR and CCPA.
Privacy Impact On Personal Data Is Minimized
Privacy by Design minimizes the adverse impact on Privacy and thus strengthens compliance with privacy laws in the following ways:
First, it requires that the collection of personal data is limited to only what is needed to achieve a particular purpose (the data minimization principle). Organizations should collect personal data from as few subjects as possible, and as little of it as possible, to achieve their business objectives.
Adopting the data minimization principle means that less data is collected from fewer individuals, so the potential impact of a security breach is also minimized.
Data minimization is already an obligation under Article 5 of GDPR. While CCPA does not impose data minimization directly, implementing data minimization under the Privacy by Design framework will help organizations satisfy other requirements under CCPA, such as using data only for particular purposes. HIPAA privacy rules are more relaxed.
Second, privacy by default means that the maximum level of privacy is already provided without relying on a user's active involvement. The majority of people never bother to change their privacy settings, so if you are not compliant with privacy regulations by default, you risk facing fines, and high ones at that.
For example, even if the user never asks for their personal data to be deleted, you should not keep it longer than necessary by default. A German real estate company was recently fined 14.5 million euros under GDPR for retaining historical data such as payslips longer than necessary.
Higher Security Measures Reduce The Risk Of A Security Breach
The 'cradle-to-grave data security' principle embraced by the Privacy by Design framework requires that personal data is secured against privacy risks both at rest and in transit, from collection to destruction. There are a few safeguards that can be used to achieve end-to-end security as set forth by PbD.
Firstly, putting in place a 'need to know' policy that restricts who has access to data may save you from unauthorized access and reckless disclosure of data by your personnel.
Another safeguard is to encrypt the personal data you hold so that it is unintelligible to malicious parties who obtain it unlawfully. Encryption keeps the content of data secure throughout its lifecycle, from storage on servers to transfer over networks.
Applying these methods to ensure end-to-end security will help you comply with both US and EU data privacy laws.
Under CCPA, an individual cannot sue for damages if the breached data is encrypted. Under HIPAA privacy rules, encrypting health information is necessary when it is transferred outside safe firewalls. Furthermore, encryption saves you from the obligation to inform patients of a data breach if the data is encrypted.
GDPR Article 32 explicitly refers to encryption and pseudonymization as among the methods for complying with its security requirements. Failure to comply with Article 32 is subject to fines (2% of global turnover).
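Two of the safeguards named above, a 'need to know' policy and pseudonymization, can be enforced by the application itself rather than by policy alone. The following is an added example, not code from the article: each role is mapped to the fields its job requires and sees nothing else, and direct identifiers are replaced with a keyed HMAC pseudonym so that a copy of the records is unintelligible to anyone who obtains it without the key, which is held separately. The roles, field names, key and sample record are hypothetical, constructed for this example; the example uses pseudonymization (Article 32's own term) rather than full encryption of every field so that it runs with the Python standard library alone.

```python
"""Added example (not from the article): need-to-know field access plus keyed
pseudonymization of identifiers. Roles, fields, key and sample data are
hypothetical, constructed for this example."""
import hashlib
import hmac

# Need-to-know policy: each role sees only the fields its job requires.
# 'pseudonym' is the join key every role needs; nothing else is shared.
ROLE_FIELDS = {
    "support":   {"pseudonym", "ticket_history"},
    "billing":   {"pseudonym", "postal_address"},
    "analytics": {"pseudonym"},
}


class Pseudonymizer:
    """Replaces a direct identifier (e-mail, customer number) with a keyed
    HMAC-SHA256 digest. The same identifier always maps to the same
    pseudonym, so records about one person still link up, but without the
    key the pseudonym cannot be computed or reversed. The key and the
    re-identification table are kept apart from the pseudonymized data."""

    def __init__(self, key: bytes):
        self._key = key
        self._lookup = {}  # pseudonym -> identifier; only where re-identification is permitted

    def pseudonym(self, identifier: str) -> str:
        digest = hmac.new(self._key, identifier.encode("utf-8"), hashlib.sha256)
        p = digest.hexdigest()
        self._lookup[p] = identifier
        return p

    def reidentify(self, pseudonym: str):
        """Controlled re-identification, e.g. to answer an access request.
        Returns None for pseudonyms this key holder has never issued."""
        return self._lookup.get(pseudonym)


def store_record(pz: Pseudonymizer, identifier: str, attributes: dict) -> dict:
    """Build the record that goes to storage: attributes keyed by pseudonym,
    never by the raw identifier."""
    return {"pseudonym": pz.pseudonym(identifier), **attributes}


def view_as(role: str, record: dict) -> dict:
    """Need-to-know: return only the fields this role is allowed to see.
    Unknown roles get nothing rather than everything."""
    allowed = ROLE_FIELDS.get(role)
    if allowed is None:
        raise PermissionError(f"unknown role: {role}")
    return {k: v for k, v in record.items() if k in allowed}


if __name__ == "__main__":
    # Constructed sample; the key would come from a secrets store in practice.
    pz = Pseudonymizer(key=b"constructed-example-key")
    rec = store_record(pz, "alice@example.com",
                       {"postal_address": "1 Main St", "ticket_history": ["T-1"]})
    print("stored:", rec)
    for role in ROLE_FIELDS:
        print(role, "sees:", view_as(role, rec))
    print("re-identified:", pz.reidentify(rec["pseudonym"]))
```

A leaked copy of the stored records reveals postal addresses and ticket histories tied only to opaque pseudonyms; linking them back to people requires the key holder's lookup table, which is exactly the separation Article 32's notion of pseudonymization calls for. Deterministic pseudonyms are the right choice when records must still join across systems; where that linkage is itself a risk, a per-system key gives each system a different pseudonym for the same person.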
Data Subject Rights Are Respected As Required By Laws
New regulations such as California's CCPA and EU's GDPR gave individuals more control by introducing new rights.
Under GDPR, individuals are given the right to access their data, the right to be informed, the right to have their data deleted, and the right to data portability. Likewise, CCPA introduced similar data subject rights. The 'Respect for User Privacy' principle calls for more control by individuals and for making the exercise of privacy rights more user-friendly.
It streamlines compliance with the exercise of those rights in the following ways:
Consent: Individuals' freely given consent is the most unambiguous way to justify the collection, use, and deletion of personal information, and it gives the maximum amount of control to individuals. Consent is easy to document, which makes compliance easy to demonstrate.
CCPA requires consent for selling personal data in certain cases.
Similarly, GDPR sets forth that the affirmative consent of individuals is a lawful ground for collecting and sharing personal data, and it is simpler than relying on other grounds such as legitimate interests or contractual necessity. HIPAA privacy rules do not require consent in many scenarios.
Access: By having complete information about the collection and use of their information, individuals can exercise their right to rectify inaccurate or false records or request the deletion of their data.
Creating a user-centric and easy-to-use human-machine interface is critical to ensuring that you comply with the relevant laws. If individuals must take ten steps to reach the information about how their data is processed, your risk of non-compliance increases.
Google was fined 50 million euros under GDPR because individuals had to take six actions before they could find out about 'targeted ads'.
CCPA also mandates that your privacy policies explicitly explain the opt-out rights of individuals, such as the right to opt out of the sale of their data.
User-centric Design: When designing new technologies or websites, you should give the utmost priority to individual privacy and avoid manipulation tactics to obtain consent to collect or sell data.
The user-centric approach encourages ethical considerations in human-machine interfaces, which also helps in complying with privacy laws.
The easier it is for individuals to exercise their rights, the more likely an organization is to comply with privacy laws. Under CCPA, businesses must have a 'do not sell my information' page, and their homepage must link to it. If that link is hard to find on your website, you risk violating CCPA and facing fines.
Incorporating privacy into the design of new technologies and products is not an easy task, but the rewards outweigh the effort: Privacy by Design is a shield that can help strengthen your compliance efforts with privacy laws. And considering the alternatives, if implemented well, it could be the easiest way of ensuring compliance after all.