We’ve turned the calendar on a new year and the significance of data integrity, security, and privacy is only increasing. With the impending General Data Protection Regulation (GDPR) coming into effect on May 25, 2018, there are a number of approaches and strategies to consider. Today, we’ll be focussing on Privacy by Design and Privacy by Default. Neither of these concepts are new, however, both will become a new legal requirement under GDPR. Let’s take a closer look.
What is Privacy by Design?
“Privacy by Design states that any action a company undertakes that involves processing personal data must be done with data protection and privacy in mind at every step,” The Irish Computer Society (ICS) explains. “This includes internal projects, product development, software development, IT systems, and much more.”
Privacy by Design prioritizes privacy and data integrity in the initial design stages and throughout the development lifecycle of new products and services that involve processing personal data. Some of the benefits of a Privacy by Design approach include:
– It’s proactive, making it easier to address potential security flaws and privacy issues at the beginning of a project when everything is still in the elementary stages of development. With Privacy by Design, you have the luxury of recognizing and dealing with problems as soon as they emerge.
– Going back to address privacy issues after a product or project has already been implemented can have a negative impact on end users. With Privacy by Design, this is never an issue. The methods are already in place, which prevents unwanted pushback.
– Privacy by Design shows your organization, its partners, and most importantly, your customers, that you take data protection and security seriously.
While it may take more planning and energy upfront, Privacy by Design is a solid approach that offers a number of benefits for everyone involved.
What is Privacy by Default?
“Privacy by Default means that once a product or service has been released to the public, the strictest privacy settings should apply by default, without any manual input from the end user,” ICS explains.
Furthermore, Privacy by Default means any data or information provided by the user in order to enable a feature of the product or service should only be kept for the minimal amount of time needed to make the product or service function properly.
The major benefit of Privacy by Default is that it limits business-side risk and ensures savvy users are more comfortable using your products and services (knowing their confidential information will be protected and guarded against prying eyes).
Implementing Privacy by Design and Default
On May 25, 2018, the General Data Protection Regulation (GDPR) will go into effect. This means you have just a matter of months to get ready. If you’re unfamiliar with the basis of the GDPR, it’s essentially a binding set of laws designed to protect the privacy and personal information of citizens of the EU and other European Economic Area countries, It replaces the EU’s Data Protection Directive (DPD) and presents stricter regulations for businesses and organizations.
GDPR compliance applies to any organization that collects, stores, or processes data of EU residents – regardless of where that company is located. So, if you plan on doing business with EU consumers, the GDPR applies to you.
“One of the changes due to be implemented under the new General Data Protection Regulation (‘GDPR’) is the explicit recognition of the concepts of ‘Privacy by Design’ and ‘Privacy by Default’,” explains Sabba Mahmood of Fieldfisher. “Businesses will now find themselves subject to a specific obligation to consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing.”
As you think about implementing Privacy by Design and Privacy by Default into your products and services, here are some important things to consider:
1. What is Personal Data?
For starters, you need to understand what personal data is. According to European data protection law, personal data is any information about a living individual that could be used to identify the individual, either on its own or in conjunction with other information. This includes information like (but not limited to): name, address, email address, IP address, banking or other personal information, medical information, photographs, social networking posts, any data that can used to identify a person, etc.
2. Minimize the Amount of Collected Data
In the design stage, it will be important to carefully review all contracts and agreements with partners to ensure that any data being passed on is processed in strict accordance with Privacy by Design and GDPR standards.
Throughout the lifecycle of the product or service, going back to the basics means minimizing the amount of collected data and using pseudonymized personal data whenever possible.
3. Educate End Users
It’s not enough to implement Privacy by Design. In order to stay in line with GDPR guidelines, it’s important to continually educate your end users of data and privacy best practices.
Customers should be given clear privacy and data sharing notices that explain everything that your business is doing with personal information. They should also be periodically reminded to review and refresh privacy settings.
It’s also wise to regularly review user accounts and delete the data of old users who have closed/inactive accounts.
Secure Your Data With Virtru
At Virtru, we believe that privacy is a fundamental human right, and that businesses, governments, and other institutions have a responsibility to protect sensitive content. We understand the need for advanced security features in today’s hostile cyber landscape, which is why we’ve developed a suite of products and solutions to protect sensitive data, ensure compliance, and protect against dangerous threats.
If you’re interested in learning more about how Virtru can help your organization, let’s chat. Or get our Simple Guide to GDPR Data Protection Requirements to help you prepare you as you think through the implications of this fast-approaching regulation.