By the end of 2023, privacy laws will protect the personal information of 75 percent of the world's population, and with the rise of cybercrime across the globe, data protection is top of mind for organizations that handle consumer data. When it comes to protecting data proactively, privacy by design (PbD) is an important tool to leverage. The concept was coined in 1995 by Ann Cavoukian and formalized in a joint report by the Information and Privacy Commissioner of Ontario (Canada), the Dutch Data Protection Authority, and the Netherlands Organisation for Applied Scientific Research. Privacy by design (or data protection by design) means that an organization builds data privacy features and privacy-enhancing technologies into the applications, services, and products it develops, designs, selects, and uses whenever those systems process personal data, rather than relying on policy or after-the-fact controls alone.
One reason organizations should adopt PbD is that several jurisdictions are making it law. The best-known example is Article 25 of the EU's General Data Protection Regulation (GDPR), carried over into the UK GDPR, which requires "data protection by design and by default." Supervisory authorities under the GDPR can impose fines of up to EUR 20 million or 4% of worldwide annual turnover for the preceding financial year, whichever is greater. In the third quarter of 2021 alone, GDPR fines reached almost EUR 1 billion, roughly 20 times the combined total for the first half of 2021.
In the U.S., privacy by design is named as a recommended practice in the Federal Trade Commission's (FTC) 2012 report, Protecting Consumer Privacy in an Era of Rapid Change. The FTC has also fined organizations for violating consumers' privacy: in 2020 it issued over USD 20 billion in fines.
Incorporating PbD has benefits beyond complying with the letter of the law. Because it is a set of best practices developed over time by experts, it helps an organization build consistently stronger and more trustworthy products. Following the seven principles of privacy by design, laid out below, makes it easier for a company to identify data protection issues early, when they are cheapest to fix. It also reduces the cost and impact of a data breach: safeguards such as data minimization mean that less personal data is collected and retained in the first place, so there is less to expose when something goes wrong.
As mentioned above, privacy by design means building data privacy into the design, selection, operation, and use of applications, services, and products. To do this successfully, there are seven principles of privacy by design to follow:
- Proactive not reactive; preventive not remedial: anticipate and prevent privacy-invasive events before they happen rather than remedying them afterwards.
- Privacy as the default setting: personal data is protected automatically; no action is required from the individual to protect their privacy.
- Privacy embedded into design: privacy is a core component of the system's architecture, not an add-on bolted on after the fact.
- Full functionality – positive-sum, not zero-sum: a "win-win" approach that rejects false trade-offs; it is possible to have both privacy and security, and both privacy and full functionality.
- End-to-end security – full lifecycle protection: strong security measures are essential to privacy and must cover personal data from the moment it is collected to the moment it is securely destroyed.
- Visibility and transparency – keep it open: commitments and practices are spelled out for all stakeholders and can be independently verified.
- Respect for user privacy – keep it user-centric: the privacy interests of the individual come first, with strong privacy defaults, appropriate notice, and empowering, user-friendly options.
By following these seven principles, organizations not only align with current privacy laws and regulations but may also get ahead of emerging ones, such as laws that penalize deceptive design choices like dark patterns. With the rise in data privacy laws and cybercrime around the world, organizations can use privacy by design to protect their customers' personal data proactively. Implementing privacy by design can be a heavy lift at first, but its return on investment can mean avoiding regulatory fines, ransom payments, and legal fees in the event of a data breach.
In a prior article, we wrote about how implementing a privacy impact assessment process is a good initial step when promoting privacy by design.
© Copyright 2022. The views expressed herein are those of the author(s) and not necessarily the views of Ankura Consulting Group, LLC., its management, its subsidiaries, its affiliates, or its other professionals. Ankura is not a law firm and cannot provide legal advice.