The GDPR requires organisations to implement appropriate technical and organisational measures to implement data protection principles and safeguard individual rights. While data protection by design and by default (or ‘privacy by design’) is not a new concept, the GDPR makes it a legal requirement, and thus practical guidance is needed for implementation.
This article will discuss these concepts and requirements in the context of recent guidance published by the European Data Protection Supervisor (EDPS) and the UK Information Commissioner’s Office (ICO), as well as other frameworks that can be leveraged to put policy into practice.
Intro to Privacy by Design
Privacy by Design is a framework encouraging the proactive embedding of privacy into the design specifications of information technologies, network infrastructure and business practices, thereby achieving the strongest privacy protections possible. The term “privacy by design” was originally coined by Dr. Ann Cavoukian while she was the Information and Privacy Commissioner of Ontario, Canada. Dr. Cavoukian broke PbD down into “7 foundational principles.”
“Privacy as the Default Setting” is the second principle on Dr. Cavoukian’s list:
Build in the maximum degree of privacy into the default settings for any system or business practice. Doing so will keep a user’s privacy intact, even if they choose to do nothing.
In other words, the individual should not bear the burden of data protection when using a service or product, but rather, should enjoy “automatic” protection of their data and privacy rights as the default without having to take additional steps of their own, thereby lifting the burden off of the individual.
EDPS Preliminary Opinion on Privacy by Design
In May 2018, the EDPS issued a Preliminary Opinion on Privacy by Design in which they distinguish between “the general principle of ‘Privacy by Design’ which encompasses an ethical dimension consistent with the principles and values of the EU Charter of Fundamental Rights, and the specific legal obligations provided by Article 25 of the GDPR.” In the Opinion, the EDPS also “provides examples of methodologies to identify privacy and data protection requirements and integrate them into privacy engineering processes with a view to implementing appropriate technical and organisational safeguards” as well as “standardization efforts to integrate privacy requirements in system design and the state of the art of privacy enhancing technologies.”
According to the EDPS, the term “privacy by design” means “the broad concept of technological measures for ensuring privacy as it has developed in an international debate over the last few decades,” while the term “data protection by design and by default” refers to “the specific legal obligations established by Article 25 of the GDPR.” The EDPS goes on to clarify that while the measures implemented to address Article 25 “will also contribute to achieving the more general objective of ‘privacy by design’ . . . a wider spectrum of approaches may be taken into account for the objective of ‘privacy by design’ which includes a visionary and ethical dimension, consistent with the principles and values enshrined in the EU Charter of Fundamental Rights of the EU.” In this way, the EDPS interprets PbD as being the more high-level, over-arching and aspirational concept (i.e., “the principles and values”) and Article 25 being a more focused application or implementation of that broad concept—it might be analogous to the relationship between a high-level policy and a low-level procedure.
The EDPS also explained their role in privacy by design, stating for example that they will:
- continue to promote privacy by design, where appropriate in cooperation with other data protection authorities in the EDPB;
- support coordinated and effective enforcement of Article 25 of the GDPR and related provisions;
- provide guidance to controllers on the appropriate implementation of the principle laid down in the legal base; and
- together with the DPAs of Austria, Ireland and Schleswig-Holstein, launch a competition for a privacy friendly app in the mobile health domain.
The Opinion also mentions the EDPS’s cooperation in the International Working Group on Data Protection and Telecommunications (IWGDPT, “Berlin Group”), a group of national data protection authorities from around the world, as well as representatives from the private and NGO sectors. The Opinion also includes an analysis of “the international dimension of privacy by design,” pointing to adoption of the concept in Canada, Australia, Israel, the U.S., and of course, the EU.
With regard to the U.S., the Opinion references a 2012 report by the U.S. Federal Trade Commission (FTC) which proposed privacy by design as one of three main concepts, as well as a statement by FTC Commissioner Edith Ramirez that echoed Dr. Cavoukian’s principle of “privacy as the default setting”:
[Privacy] must be something that an engineer or website developer instinctively thinks about when writing code or developing a new product. Respecting privacy must be considered integral to the innovation process. . . . privacy by design helps lift the burden of privacy protection off the shoulders of consumers.
Along those lines, the EDPS notes that “the FTC definition of privacy by design can be seen as quite similar (methodologically and even substantially to a large extent) to what is in the EU law in all its dimensions . . . and is clearly formulated with a view to the practical implementation of the principle.”
But the FTC is not alone in the U.S. The EDPS also makes note of the National Institute of Standards and Technology (NIST), an agency of the U.S. Department of Commerce, which recently issued an internal report on Privacy Engineering and Risk Management in Federal Systems that includes a privacy risk model and a methodology to implement privacy requirements when engineering systems processing personal data.
In terms of guidance on implementation of privacy by design, the EDPS outlines the following three steps:
- Define a methodology to integrate privacy and data protection requirements as part of projects aiming at developing and operating a process, procedure or system processing personal data;
- Identify and implement adequate technical and organisational measures to be integrated in those processes, procedures and systems to protect individuals and their data. Technological innovation can be a tool to support those measures; and
- Integrate the support for privacy in the management and governance framework of the organisation, by identifying tasks and defining and allocating resources and responsibilities.
The Opinion also references a plethora of guidance documents for implementing privacy by design. We highly encourage you to take a look at the opinion and its lengthy bibliography.
UK ICO Guidance on Data Protection by Design and Default
The UK ICO has also published guidance, and like the EDPS, acknowledges that the concept of ‘privacy by design’ is “not new” and has “always been part of data protection law.” However, they note that the key change is that it now becomes a legal requirement under the GDPR. Like the EDPS opinion, the guidance also credits Dr. Cavoukian with developing the concept of privacy by design while acknowledging that “privacy by design is not necessarily equivalent to data protection by design.”
The guidance includes a helpful checklist of items to consider when assessing compliance with Article 25, including:
- whether risks and privacy-invasive events are anticipated before they occur;
- whether personal data is automatically protected in any IT system, service, product, and/or business practice, so that individuals do not have to take any specific action to protect their privacy (again, a common theme that we have discussed throughout this article);
- whether strong privacy defaults, and user-friendly options and controls are offered; and
- whether privacy-enhancing technologies (PETs) are used.
In terms of implementation, the ICO calls out data protection impact assessments (DPIAs) as being “an integral part of data protection by design and by default” and notably calls out senior management, software engineers, system architects and application developers as being the parties primarily responsible for complying with data protection by design and by default. For example, senior management is responsible for “developing a culture of ‘privacy awareness’ and ensuring you develop policies and procedures with data protection in mind”; while software engineers, system architects and application developers “should take account of data protection requirements and assist you in complying with your obligations.”
However, the guidance also points out that Article 25 “doesn’t apply only if you are the type of organisation that has your own software developers and systems architects.” In other words, you also need to “ensure that you embed data protection by design in all your internal processes and procedures”—it is not necessarily a tech-focused requirement.
There are a variety of tools available today that are designed to assist with putting privacy by design into practice. OneTrust, for example, has a number of tools specific for privacy program management as well as marketing and web compliance. Using tools like OneTrust can help to streamline workflows, enable greater collaboration between the privacy office and business teams, and operationalize Privacy by Design.
In addition, Article 25(3) of the GDPR states that an “approved certification mechanism . . . may be used as an element to demonstrate compliance with the requirements” for data protection by design and default. According to the UK ICO, this means that once an approved certification mechanism is available, it can be used as a tool to “assist you in showing how you are complying with, and implementing, data protection by design and by default.”
At this time, these “approved certification mechanisms” do not exist. However, other certification frameworks are available that could be used in an effort to demonstrate how privacy by design has been implemented in your organization. For example, a Privacy by Design Certification is being offered by the Privacy by Design Centre for Excellence at Ryerson University.
Developed to advance the operationalization of Privacy by Design, this certification is an important step for companies and organizations who are working to embed Privacy by Design into their everyday processes.
Successful completion of the certification allows an organization to display a “Certification Shield” that can be used to help “demonstrate to consumers that they have withstood the scrutiny of a rigorous third party assessment, assuring the public that their product or service reflects the viewpoint of today’s privacy conscious consumer.”
The basis for the certification is the 7 Foundational Principles of Privacy by Design created by Dr. Ann Cavoukian. The process of obtaining the certification begins with submitting an application, followed by an assessment conducted by a third party scrutinizing your organization’s products, services and/or offerings being certified, including interviews and an examination of operational processes. A report is then issued based on an “assessment methodology and scorecard technique developed exclusively” for the certification. As of today, eight certifications have been awarded.
The GDPR requires organizations to put in place appropriate technical and organizational measures to implement the principles of the GDPR and to safeguard individual rights. This means that these organizations need to “bake” privacy and data protection into their processing activities, products and services, and business practices, from the design phase and throughout the entire lifecycle. While this is not a new concept, privacy by design is more important now than ever, as it has become a legal requirement and a growing business requirement for success in the 21st century.