Privacy by design and by default

Did you already encounter the two most popular buzzwords surrounding the GDPR? Privacy by design and privacy by default have been in circulation for quite a few years among privacy specialists, but with the GDPR now a common topic of conversation, their audience has grown considerably.

What do these concepts mean and how can you deal with them in practice? This article gets you prepared for the discussion in your organisation.

Privacy by design

Meet privacy by design, the holy grail of data protection. In brief, it means that, while preparing new products or services, you take the protection of privacy as one of the requirements in the design stage. Starting with an example from the real, physical world: if you design an office, current interior design dictates large open spaces and maximum transparency.

However, from a privacy by design perspective, you would probably have to prevent people from being able to watch one another’s screens, overhear conversations or have access to paperwork, by introducing privacy screens and lockers. Or, taking this even more fundamentally, introducing a personal room for each employee.

Digital privacy

This translates into the digital world as well. The questions you would have to ask before designing a software system and related working procedures are: can you do the job with less or no personal data (data minimisation)? Could you employ technologies that enhance the users’ privacy protection (so-called privacy-enhancing technologies or PETs)?

The answer should be affirmative in both cases. The usual response to designing something new is to collect as many personal data as possible. Obviously, you might need them for a future objective, but that is not sufficient reason. What is more, you are not permitted to do that under the GDPR, because the processing (including the data to be processed) needs to be in proportion with the purpose of the envisaged processing.

Take, for instance, the case of a public transport chip card. It is tempting to collect as many data as possible to learn about individual travel behaviour, such as storing dates and times of usage, and location information. However, data minimisation requires storing the minimum necessary for the purpose, which may be only distance travelled.

Technology and GDPR compliance

Privacy-enhancing technologies might, in this case, include storage of the information on the card only, not in a centralised database. Maybe it lets me download the card data to my own computer in order to see and save my own travel records. PETs might also include the use of encryption to prevent data access for unauthorised people in case of card loss.

Privacy by default

Then there is the criterion of privacy by default. In the above example of a public transport chip card, it means that where there is a choice, the more privacy-protective option should be the default. So when the chip card allows me to make an account to gain insight into my own travel behaviour, that insight should be the most restricted by default.

If, for example, I want to be able to keep my (centralised) travel records for the full duration during which I have to maintain proof for tax deduction, it needs to be optional. The default option should be for a very restricted retention term that would not allow anyone to investigate my travel habits after that time has passed.
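The chip card example above combines two design choices: data minimisation (store only what the purpose needs) and privacy by default (the restrictive option unless the traveller opts in). The following Python sketch is an added illustration of how those choices look when written into a system's settings; it is not code from the article or from any real transport operator. The settings class, the 30-day default retention, the month-level coarsening of the travel date and the opt-in flag are all assumptions chosen for the example.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta


@dataclass(frozen=True)
class PrivacySettings:
    """Settings whose defaults are the privacy-protective choice.

    Both defaults are constructed assumptions for this example, not values
    taken from the GDPR or from the article.
    """
    keep_detailed_records: bool = False  # opt-in only: store origin, destination and time
    retention_days: int = 30             # short default retention for any central copy


@dataclass
class TravelRecordStore:
    """Hypothetical central store for travel records of a public transport chip card."""
    settings: PrivacySettings = field(default_factory=PrivacySettings)
    records: list = field(default_factory=list)

    def record_trip(self, card_id, origin, destination, distance_km, when):
        # Data minimisation: with the default settings only the distance is kept,
        # because that is all a distance-based fare needs. The travel date is
        # coarsened to the billing month so that retention can still be enforced
        # without revealing on which day the trip took place.
        entry = {
            "card_id": card_id,
            "distance_km": distance_km,
            "period": when.replace(day=1, hour=0, minute=0, second=0, microsecond=0),
        }
        if self.settings.keep_detailed_records:
            # The traveller explicitly opted in (e.g. to keep proof for a tax deduction).
            entry.update({"origin": origin, "destination": destination, "when": when})
        self.records.append(entry)
        return entry

    def purge_expired(self, now):
        """Delete every record whose billing period is older than the retention term.

        Returns the number of records removed.
        """
        cutoff = now - timedelta(days=self.settings.retention_days)
        before = len(self.records)
        self.records = [r for r in self.records if r["period"] >= cutoff]
        return before - len(self.records)


if __name__ == "__main__":
    # Constructed sample trip, used with the default (restrictive) settings.
    default_store = TravelRecordStore()
    default_store.record_trip("card-0001", "Station A", "Station B", 12.5,
                              datetime(2024, 3, 15, 8, 30))
    print(default_store.records[0])          # no origin, destination or exact time
    print(default_store.purge_expired(datetime(2024, 5, 1)))  # 1: purged after 30 days

    # The same trip after an explicit opt-in with a longer retention term.
    opted_in = TravelRecordStore(PrivacySettings(keep_detailed_records=True,
                                                 retention_days=365))
    opted_in.record_trip("card-0001", "Station A", "Station B", 12.5,
                         datetime(2024, 3, 15, 8, 30))
    print(opted_in.records[0])               # full record, kept by choice of the traveller
```

The point of the design is that the restrictive behaviour needs no action from the traveller: a store created without arguments minimises and purges, and the detailed, longer-lived record exists only because a settings object was constructed with the opt-in flag.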

More than a method, privacy by design and privacy by default are a mindset; a way of looking at things differently in order to identify all the unnecessary data collection and processing that is taking place in everyday life; a way of not luring people into choices they might not want to make if they could envisage the potential consequences.

Having said that, you might imagine that commercial or practical considerations often lead to different implementation choices than you might make on the basis of the two criteria mentioned. It is important to realise that privacy protection is also a matter of weighing interests. If you keep the purposes and means of your processing activities in reasonable proportion, you will still be able to prove your compliance with the GDPR in this respect.

PrivacyPerfect is a provider of a privacy governance and data mapping tool, with thorough knowledge of European and national privacy legislation.