The European General Data Protection Regulation (GDPR) has been in force since 25 May 2018 and applies to organizations across the world. In a data-driven society where analysing and understanding data is a competitive advantage for companies, GDPR serves as a legal safeguard for the privacy of all European citizens.
The “Privacy by Design” framework is one of the key concepts of this regulation. It was developed in the 1990s by Ann Cavoukian, then Information and Privacy Commissioner of Ontario (Canada), who proposed an almost medical model that favours preventing privacy “diseases” over curing them.
Five years after E. Snowden’s disclosures about the NSA’s wiretapping, companies are more than willing to embrace this concept to regain customer trust. But is the concept of “Privacy by Design” as clear as it seems?
“Privacy by Design”, 7 principles
The “Privacy by Design” framework is introduced in article 25 of GDPR: companies should design every project so as to ensure the privacy of personal data. If a project is designed with privacy built in, the risk (of a data breach) attached to any personal data becomes very low. To grasp its full scope, the concept relies on 7 principles:
Proactive, not Reactive; Preventative, not Remedial
By anticipating, companies should be able to ensure the highest level of privacy for every action that collects, processes or destroys personal data; in doing so they also ensure a high level of security.
Privacy as the Default
Individuals are protected automatically: they do not have to ask for, or take, any action to ensure that they and their personal data are private and protected.
Privacy Embedded into Design
A product should be designed to respect the privacy of the personal data it will process. Ways of ensuring that privacy are fully integrated from the start of the creation process for a new project, product or service.
Full Functionality — Positive-Sum, not Zero-Sum
The goal is a balanced relationship in which both users and companies benefit (a win-win model). Such a situation can be created with a high level of privacy and security, where no party suffers any loss.
End-to-End Security — Lifecycle Protection
Personal data should be strongly protected throughout its entire life cycle: every action that collects, processes or even destroys the data should ensure the highest level of security for individuals.
Visibility and Transparency
A user should be able to verify their data and how it is stored, processed and secured. This strengthens trust between the user and the company.
Respect for User Privacy
In a user-centric approach, a company’s first concern should be to protect users’ personal data as much as possible.
All these principles apply to companies according to their purposes for processing personal data.
GDPR briefly presents some measures that can help businesses implement the “Privacy by Design” concept. Here are some examples:
- Data Minimization (article 5): collect only the data that is needed
- Pseudonymisation (article 25): replace the identifying fields of the personal data collected so that a user cannot be identified by an external individual
- GDPR also sets specific retention periods for personal data, depending on its type
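The two technical measures in the list above, data minimisation and pseudonymisation, are concrete enough to show in code. The following script is an added example and is not taken from the article or from any of the organisations it mentions. It assumes a fictional analytics purpose ("total spend per city") for which only two fields are needed, and it pseudonymises the direct identifier (the e-mail address) with a keyed HMAC rather than a plain hash, so that the pseudonym can neither be reversed nor recomputed without the key. The key and the re-identification table are meant to be held separately from the dataset, which is what GDPR's definition of pseudonymisation (article 4(5)) requires. All records are constructed sample data.

```python
import hashlib
import hmac
import secrets

# Constructed sample data: fictional customers, not real people.
RAW_RECORDS = [
    {"name": "Alice Martin", "email": "alice@example.org",
     "birth_date": "1985-03-12", "city": "Lyon", "purchase_total": 120.50},
    {"name": "Bob Durand", "email": "bob@example.org",
     "birth_date": "1990-07-01", "city": "Paris", "purchase_total": 35.00},
    {"name": "Alice Martin", "email": "alice@example.org",
     "birth_date": "1985-03-12", "city": "Lyon", "purchase_total": 80.25},
]

# Data minimisation: the (hypothetical) analytics purpose only needs spend per city,
# so name, birth date and e-mail never reach the analytics dataset.
ANALYTICS_FIELDS = ("city", "purchase_total")
DIRECT_IDENTIFIER = "email"


def minimise(record, keep_fields=ANALYTICS_FIELDS):
    """Keep only the fields needed for the stated processing purpose."""
    return {field: record[field] for field in keep_fields if field in record}


def pseudonym(identifier, key):
    """Keyed pseudonym: HMAC-SHA256 over the normalised identifier, truncated to 16 hex chars.

    The same identifier always maps to the same pseudonym under one key (so records of
    one person can still be aggregated), while a different key yields unrelated
    pseudonyms (so two departments cannot link their datasets without sharing keys).
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise_dataset(records, key, keep_fields=ANALYTICS_FIELDS,
                         id_field=DIRECT_IDENTIFIER):
    """Return (pseudonymised rows, re-identification table).

    The rows carry a 'subject_id' pseudonym plus the minimised fields only.
    The table maps pseudonym -> original identifier; it must be stored separately
    from the rows, under the control of the key custodian (e.g. the DPO's team).
    """
    rows = []
    lookup = {}
    for record in records:
        subject_id = pseudonym(record[id_field], key)
        lookup[subject_id] = record[id_field]
        row = {"subject_id": subject_id}
        row.update(minimise(record, keep_fields))
        rows.append(row)
    return rows, lookup


def spend_by_city(rows):
    """The analytics question, answered on pseudonymised, minimised data only."""
    totals = {}
    for row in rows:
        totals[row["city"]] = totals.get(row["city"], 0.0) + row["purchase_total"]
    return totals


if __name__ == "__main__":
    # In production the key comes from a key store held apart from the data.
    key = secrets.token_bytes(32)
    rows, lookup = pseudonymise_dataset(RAW_RECORDS, key)
    for row in rows:
        print(row)
    print(spend_by_city(rows))
    # Only whoever holds the lookup table (and key) can re-identify a subject:
    print(lookup[rows[0]["subject_id"]])
```

Two design points matter for a defender reviewing such a pipeline: a plain SHA-256 of an e-mail address is not a pseudonym, because anyone with a list of candidate addresses can recompute it, whereas the HMAC key is the "additional information" that must be kept separately; and minimisation is decided per purpose, so `ANALYTICS_FIELDS` would differ for, say, a fraud-detection use, and each purpose should get its own key so the resulting datasets cannot be joined by accident.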
A floating implementation
Nevertheless, the instructions presented in GDPR are not sufficiently detailed to be applied directly. Even if companies apply these measures, that alone is not enough for a project to be considered compliant.
The concept of privacy by design is not a checklist that can be ticked off quickly and easily; there is no handbook or detailed process to follow.
For R. Jason Cronk, author of “Strategic Privacy by Design” and privacy and trust consultant, there is an explanation behind this vagueness: “Unfortunately, part of the strength of her 7 Foundational Principles of Privacy by Design are also their weakness. She (editor’s note: Ann Cavoukian) purposefully made them robust and flexible to allow organizations to find their own methods to achieve them. However, privacy by design has remained frustratingly vague – its flexibility might be a virtue in some respects, but it is a curse in other respects.”
A case-by-case application
Privacy by design is a concept that must be applied case by case. Organisations should study and apply the measures needed to comply, according to their use of personal data. In this case-by-case application, companies can sometimes feel “overwhelmed” and willing to turn to a qualified third party if they have the financial means; otherwise they can rely on their own research or on associations (e.g. the AFCDP in France) where they can share experience and practices with other companies. In France, the CNIL provides a guide for SMEs to lead them towards GDPR compliance.
The concept therefore remains vague and difficult for companies to apply. But those that have the opportunity to work with a qualified third party, or already have the structure to apply it properly, hold an undeniable advantage.
The DPO, the weakest link?
The challenge is also human. Applying this concept during the creation of a project that will process personal data requires an organisational effort at every level. “Privacy by design” should be the first thought, not an afterthought, for every service involved, at its own level, so that Data Protection Officers or relays are designated in key services, with the role of verifying and advising the company on how to collect, process and store personal data in compliance with GDPR. Being GDPR-compliant is an ongoing process throughout a project’s life cycle, and the DPO follows the evolution of both the project and the legislation. The designated DPOs must, above all, be motivated: they oversee the application of GDPR in their service’s activity and in its relays.
If one of the DPOs or relays does not feel sufficiently concerned with applying it, the privacy-by-design creation process is weakened. When a relay does not apply it properly at their level, there is a real risk that some data is not processed in accordance with GDPR.
One of the DPO’s main tasks is to advise the company. To do so well, the DPO should develop and “grow” a legal culture around the regulations in force; a DPO should be curious about and interested in the subject. If the DPO does not take these responsibilities seriously enough, the company will suffer from the resulting lack of knowledge.
Implementation and awareness are keys
“Privacy by Design” may be easy to understand, but companies that try to apply it may feel as though they are walking on eggshells. Because it is still at an experimental stage, it remains hard to know where to begin; over time, best practices will emerge from this experience and lead to a simpler implementation.
Raising awareness is also necessary and essential for proper application. Malakoff Médéric’s DPO, Johanna Carvais-Palut, explains that in her company DPOs receive training from the CNIL and a monthly newsletter on legal developments, and take part in monthly meetings.
Today, “Privacy by Design” is essential to ensure the privacy of every individual, but it is up to companies to make it happen, with the resources they gather.
- Interview with Ann Cavoukian – Onalytica – March 2, 2018
- Strategic Privacy by Design: An Interview with Jason Cronk – TeachPrivacy – August 16, 2018 https://teachprivacy.com/strategic-privacy-by-design/
- Mode d’emploi du privacy by design pour le RGPD – fr – September 06, 2018 (in French)
- Articles 5 and 25 GDPR – Intersoft Consulting