Introduction

The concept of data privacy has been in papers way before the coming of the digital era, and so does the concept of Privacy by Design, which was introduced in the 90s by Ann Cavoukian, former Information and Privacy Commissioner for the Province of Ontario.

Privacy by Design (“PbD”) defines the nature of Privacy and how we must approach it. It means that at the beginning of an organization or a project’s existence, privacy must first be implanted, enabled and implemented into its very own foundation. Rather, than just looking at it from a compliance point of view and merely as a remedy against breaches and risks. Moreover, it should be adopted as a culture, and not as an add-on to your shopping cart list.

Let’s dive into how to implement PbD within an organization with its Seven foundational principles-

1. Privacy measures should be “Proactive not Reactive”; “Preventive not Remedial”

Taking this viewpoint, it can make your team’s life easy and save your organization from huge penalties, here’s why- This principle discusses the very nature of privacy, and how it benefits and add value to an organization when it is proactively utilised. The reasoning behind the implementation of privacy should be to detect and minimize/eliminate potential threats, not wait for the potential threats to cause harm first, and then implement security measures. That’s not how privacy should work. An example of this could be- Conducting a Data Protection Impact Assessment before processing or Transfer Impact Assessment before cross-border transfers.

• You must enable “Privacy as the Default setting”

This simply means that privacy must be implemented into the systems and processes as a default setting and by putting privacy at the forefront. Although, this looks the toughest to crack, however, it only minimizes the potential cyber risks. By enabling privacy as a default setting, your organization aims to achieve this by limiting the collection of data, not retaining the data after its purpose and ensuring that no users are required to act separately to protect their personal data. For example- having the personalised ads or precise location option turned off as a default setting.

• “Privacy embedded into Design”

Privacy must be implemented into the skin of the products/services that you offer from its initial stage. It should be treated as an integral part of your business practice. Lastly, it shouldn’t be considered an add-on or a strategy taken as countering measures against risks. In simple terms, this principle states that an organization must thrive to provide privacy at all stages while offering the users with its products/services. For example, ensuring an end-to-end encrypted platform, giving users the choice of receiving targeted ads, etc.

• Full Functionality – Positive-sum, Not Zero-sum

The fourth principle simply states that privacy by design is an approach which seeks to accommodate all legitimate interests, dismissing unnecessary trade-offs, and avoids all such false dichotomies such as privacy v security, etc, ensuring that by implementing privacy by design an organization could achieve a win-win scenario. For example, if an organization limits and minimizes data collection and data sharing, and destroys it according to its retention policy. This can ensure fewer security flaws, and enable users’ privacy to be at the forefront, without making any unnecessary trade-offs.

• End-to-End Security – Full Lifecycle Protection

This principle simply states that data privacy & protection goes hand in hand, and shall be delivered during the entire lifecycle of the data. An organization must ensure all reasonable security measures are taken that are industry-recognized right from data collection to deletion. For example- During a cross-border transfer of personal data, an organization must conduct a transfer impact assessment in order to assess and analyse the potential risks, and only then move ahead with such transfers.

• Visibility and Transparency – Keep It Open

This principle lays out that the privacy of the users means complete visibility and transparency of their data. To ensure this every organization must thrive to have easy-to-ready privacy and cookie policies. This could help users to understand exactly what happens with their data. Always remember, privacy is a trust-building initiative and has a direct impact on every organization.

• Respect for User Privacy – Keep It User-centric

And, lastly, privacy only comes by putting consumers/users at the top. Organizations must keep in mind that at last they are processing their users’ data, and must ensure to keep it consumer-centric by granting them control and visibility over their data. Data privacy should come in line with respecting the users’ experience throughout. For example- a user must have the right to seek correction & erasure of his/her data from any platform.