Privacy by design and by default means that data protection is taken into account from the design stage throughout the lifecycle of data processing. But what does it actually mean and how can the concept be built into operational processes?
What does it mean?
Privacy by design is about implementing the data protection principles into all doings involving personal data. If an organization takes the data protection principles into account across new and existing processes, products and systems that involve processing of personal data, it is unlikely that things could go wrong. This is the foundation for building privacy-friendly practices and solutions.
Here is a reminder of the six data protection principles:
The first step is to ensure that the purposes for processing are lawful and that persons can expect it by providing them with transparent information, for example by privacy notices upon collection of personal data. This is the principle of lawfulness, fairness, and transparency.
Upon design phase, it should be ensured that personal data can only be processed for the purpose it was collected for and which the person knows about. This is the principle of purpose specification.
In addition to the clearly defined purpose, it is also important to ensure that only necessary data will be collected. This is the principle of data minimization.
When personal data is being processed, it needs to be kept accurate and up to date. This is the principle of accuracy.
When planning new data processing, it needs to have a defined retention period to ensure that personal data is only kept as long as required. This is the principle of storage limitation.
At all phases, personal data needs to be protected and security controls implemented accordingly. This is the principle of confidentiality and security.
It may be helpful to understand that the data protection law does not often provide direct answers whether something is legal or not – the starting point is to balance the processing against the data protection principles, which can cause a headache if there aren’t clearly defined privacy by design approaches built into the operational processes.
How to ensure that the data protection principles are considered at a right time?
In order to ensure that privacy by design is built into operational processes, it is important to understand that it requires cooperation between different organizational functions and specialists, alongside top-level commitment. Privacy by design is not a one-off exercise but the principles need to be implemented throughout the lifecycle of personal data, which ultimately requires privacy thinking in different stages of new solutions, from planning to actual execution.
The processes and awareness around data protection principles need to be built into all of the following phases:
In the planning phase, it is important that the project owners make sure that data protection is considered when starting to plan new activities that involve personal data, as well as involve other stakeholders, such as privacy professionals, technical and legal support, as required. This also involves identifying potential data protection risks and mitigations with the planned activity and having an effective risk management process to support the decision-making.
In the design phase, the data protection principles need to be built into the actual development of the solution, to ensure that the end-product is privacy-friendly and meets the requirements that have been identified.
If there are procurement needs, it is essential that data protection requirements are defined for vendors, including processes to ensure that they are also upheld during the contract period.
If updates or changes are needed, it is important that the privacy requirements go hand-in-hand with the product or service developments.
Throughout the lifecycle, the decisions concerning data protection need to be documented to evidence accountability. This means that the way in which the data protection principles are actually built into the processes and products are recorded.
Especially, when it comes to technological developments, there is a clear role for data protection and importance in principle-based thinking. Most new and fast-evolving technologies are utilizing personal data more than ever before. Building privacy-friendly products and services from the beginning is the responsible, and often more cost-effective, way to do things, but also an ethical commitment towards customers.
To effectively embed the data protection principles into practice, it requires an understanding of the importance of privacy across all levels of the organization, clear definitions of the roles and responsibilities when it comes to making data protection related decision-making, and training and awareness of what is expected of each step of the process. Therefore, now is the time to ensure that the organization has a privacy-friendly culture built into practice.
How can we help?
Our legal and technical privacy experts help clients to achieve data protection compliance and to make informed decisions when it comes to privacy and protection of personal data. The team is backed up by a multi-skilled team of cybersecurity and technology specialists.
Our privacy consultants provide tailored services to achieve compliance, for example, by providing an overview of privacy implementation and recommended actions to achieve compliance to more targeted assignments, such as assessing data protection risks in processing activities or information systems, and advising with privacy-related policies, agreements, and governance. Our privacy specialists can also help you to run your privacy program development and privacy management capabilities as continuous support services.
If you'd like to know more about our privacy support services, you can find information on the Compliance and Certification page. You can reach Merikukka and Nixu's other privacy experts by email through nixu.sales [at] nixu.com or through the contact form at the top of this blog post.