Personal data are processed in most current software solutions, which in a growing number of situations makes those solutions subject to the EU General Data Protection Regulation (GDPR). In corporate practice, however, the concept of privacy by design is often undermined by the absence of adequate data security measures. While privacy by design requires additional steps in the software design and development phases, these steps result in improved data protection and better GDPR compliance, both in the solutions themselves and in the way they are used.
What Privacy by Design Means
Privacy by design (PbD) is a concept enshrined in the EU General Data Protection Regulation (GDPR), which requires data privacy to be considered and implemented already in the technical design phase of products and services. According to Art. 25, para. 1, GDPR, the controller must implement suitable technical and organisational measures (TOM) both at the time the means of processing are determined, i.e. when a software project is planned and resourced, and during the processing itself. The law does not specify the exact design of these measures but gives pseudonymisation as an example. Encryption and anonymisation of the personal data are suitable measures as well, provided that a satisfactory level of anonymisation, pseudonymisation or encryption is actually achieved: a weakly keyed pseudonym or an unkeyed hash of an e-mail address can be reversed and does not meet the standard. Furthermore, companies can consider user authentication, the technical implementation of the right to object, and standards such as those of the International Organization for Standardization (ISO), whose norms are adopted by more than 160 national standards bodies world-wide. In general, the measures must be appropriate with regard to “the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing” (Art. 25, para. 1, GDPR). This wording implies that several measures in combination may be needed to comply with the Regulation and to guarantee sufficient privacy and security. Privacy by default, by contrast, is the obligation to ship default settings under which only the personal data necessary for each specific purpose are processed, in order to protect uninformed or inexperienced users (see Art. 25, para. 2, GDPR).
How Privacy by Design Must be Implemented
On 20 October 2020 the European Data Protection Board (EDPB) adopted guidelines that provide guidance on the obligation of data protection by design and by default.
The following constitutes a summary of the non-exhaustive list of key implementation principles to achieve data protection by design and by default:
Transparency about how the personal data is collected, used, and shared has to be demonstrated clearly and openly to the data subject. Elements for this principle may include adjusting language and semantics, relevance and context as well as accessibility and multi-channel information.
Lawfulness requires that there be a valid legal basis for the processing of personal data. The controller must make sure that the whole process complies with the legal rules for personal data processing. Fundamental elements include a specified purpose, necessity and consent. This requires training for the software engineers on the legal intricacies, or solid external professional support.
The principle of fairness is deemed overarching, requiring that personal data not be processed in a way that is “unjustifiably detrimental, unlawfully discriminatory, unexpected or misleading” vis-à-vis the data subject. Here, key elements include non-discrimination, non-exploitation, consumer choice and fair algorithms.
Because the purpose of the processing must be specifically determined (purpose limitation), the software design needs to be shaped by what is necessary to achieve this purpose – not more. For any purpose that was not explicitly specified, the compatibility with the original purpose needs to be assessed. Important aspects in the design are the predetermination of the purpose before the project start, specificity, technical limitations of re-use as well as regular reviews.
Data minimisation means that only personal data that is necessary for the purpose may be collected and processed. The designers constantly need to assess whether the data is needed, whether it can be deleted or anonymised, or whether the processing of personal data is required at all. The point in time at which identification is actually needed should be determined, and the data flow should be designed so that no copies are made beyond those the processing requires. Primary elements here include access limitation, necessity, anonymisation and deletion as well as state-of-the-art technologies.
Accuracy requires that inaccurate data be erased or rectified without delay. Therefore, data sources must be reliable, the data must be kept up to date, and the data design should mitigate the effect of accumulated errors. It can be helpful to measure accuracy and to verify the data with the data subjects themselves. Key elements include measurable accuracy, erasure or rectification, continued accuracy and data design.
The data may only be stored as long as it is needed to fulfil the purpose of the processing (storage limitation). Thus, the controller must be aware of all personal data that is being processed and the reasons for such processing. Clear deletion processes, predefined storage criteria and automation are the first steps to ensure this limitation. Fundamental elements include deletion and anonymisation and the effectiveness thereof, automation of deletion, the implementation of retention policies and the data flow.
Data security must be guaranteed through integrity and confidentiality. This reduces the likelihood of data breaches and allows the processing tasks to be executed properly. Key elements pertaining to this principle include information security management systems (ISMSs), risk analysis, access control management and security by design.
The controller is obliged to demonstrate accountability by showing compliance with each of the above principles. In practice, this means that the controller may have to show the impact of data protection measures on the rights of data subjects and to what extent such measures are appropriate and effective. This principle requires the controller to know and duly apply the data protection measures and processes the GDPR calls for.
While the above principles are neither exhaustive nor binding, they are of great value for digital designers and developers to duly uphold privacy by design as prescribed and regulated in the GDPR.
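Several of the principles above (pseudonymisation as the example measure named in Art. 25, data minimisation, and storage limitation with automated deletion) translate directly into code. The following is an added example written for this article; it is not code from the EDPB guidelines or from any product, and the purpose ("regional sales analytics"), the field names and the 90-day retention period are assumptions chosen for illustration. It shows a keyed pseudonym (HMAC-SHA256, so that the token cannot be reversed without the separately held key), an intake step that keeps only the fields the purpose needs, and a retention-driven purge that needs no manual review.

```python
import hashlib
import hmac
import secrets
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Constructed example key. Under Art. 4(5) GDPR this key is the "additional
# information" that allows re-identification; keep it in a KMS/HSM with its own
# access control, never in the same store as the pseudonymised data.
PSEUDONYMISATION_KEY = secrets.token_bytes(32)

# Assumed purpose: regional sales analytics. Only these fields are necessary for it.
ALLOWED_FIELDS = {"order_id", "postcode", "order_total"}


def pseudonymise(identifier: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Keyed one-way pseudonym (HMAC-SHA256).

    Same identifier + same key -> same token, so records about one person can
    still be joined for analytics. Without the key the token cannot be brute-forced
    back to an e-mail address, which an unkeyed hash of a small-domain value could be.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def minimise(raw: dict, key: bytes = PSEUDONYMISATION_KEY) -> dict:
    """Data minimisation: drop every field not needed for the purpose and replace
    the direct identifier with a pseudonym before the record leaves intake."""
    record = {k: v for k, v in raw.items() if k in ALLOWED_FIELDS}
    record["customer_ref"] = pseudonymise(raw["email"], key)
    return record


@dataclass
class Record:
    data: dict
    created: datetime
    retention: timedelta

    def expired(self, now: datetime) -> bool:
        return now >= self.created + self.retention


class AnalyticsStore:
    """Storage limitation: every record carries its retention period, and a
    scheduled purge() deletes what has expired without human intervention."""

    def __init__(self, key: bytes = PSEUDONYMISATION_KEY,
                 retention: timedelta = timedelta(days=90)):  # assumed retention policy
        self.key = key
        self.retention = retention
        self.records: list[Record] = []

    def ingest(self, raw: dict, now: datetime) -> dict:
        rec = Record(minimise(raw, self.key), now, self.retention)
        self.records.append(rec)
        return rec.data

    def purge(self, now: datetime) -> int:
        """Delete expired records; returns how many were removed (for the audit log)."""
        before = len(self.records)
        self.records = [r for r in self.records if not r.expired(now)]
        return before - len(self.records)


if __name__ == "__main__":
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = AnalyticsStore()
    # Constructed sample input: name and e-mail are collected at checkout but
    # are not needed for the analytics purpose, so they never reach the store.
    store.ingest({"email": "Alice@Example.com", "name": "Alice", "order_id": 1,
                  "postcode": "10115", "order_total": 42.0}, t0)
    store.ingest({"email": "bob@example.com", "name": "Bob", "order_id": 2,
                  "postcode": "80331", "order_total": 9.5}, t0 + timedelta(days=30))
    print(store.records[0].data)
    print("purged:", store.purge(t0 + timedelta(days=100)))
```

Two design points are worth noting. First, deleting the HMAC key turns the pseudonyms into data that can no longer be linked back to a person, which is one way to implement "anonymisation on expiry" for datasets that must be kept longer than the identifiers. Second, the purge returns a count rather than silently deleting, so the run can be logged as evidence for the accountability principle.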
What We Think About Privacy by Design
As illustrated above, it is not enough to talk about data security once a software solution has been built. It is far more effective to build in the GDPR requirements from the outset for all software (and other digital) solutions that are expected to process the personal data of EU residents. PbD can no longer be seen as a stumbling block for the commercial collection and analysis of personal data. Besides the legal obligation for controllers established in the European Economic Area (the EU member states plus Iceland, Liechtenstein and Norway), and for controllers elsewhere that offer goods or services to, or monitor the behaviour of, data subjects in the EU (Art. 3, para. 2, GDPR), we wish to outline three other good reasons for implementing PbD:
1) PbD strengthens your company’s corporate digital responsibility, thus increasing company value. Consciously implementing comprehensive data protection measures may give rise to a competitive advantage: it will increase stakeholder trust and is an indicator for responsible business behaviour for investors as well as potential partners.
2) It is far more complicated and expensive to retrofit data protection measures after a software product has been completed and launched. Too often we observe the struggles of tech companies forced to redesign their software solutions to become GDPR compliant. This can cause serious process disruption as well as substantial personnel costs for re-development and re-organisation.
3) Lastly, let us not forget the substantial fines and reputational damage that PbD protects companies from. Fines can be imposed on any transgressor irrespective of industry, country, company size or GDPR maturity level, and under Art. 83 GDPR they reach up to EUR 20 million or 4% of total worldwide annual turnover, whichever is higher. Suitable privacy designs allow companies to act with legal certainty as well as economic security.
Businesses with digital business models can no longer afford to turn a blind eye to data protection and information security regulations, guidelines and standards. Get professional help and increase the chances of enduring success for your next digital design and development projects.