GDPR Privacy by Design made simple

The incoming General Data Protection Regulation (GDPR) is causing a lot of upheaval across every industry that collects and uses the personal data of European Union citizens. The GDPR is a detailed and important directive in which its creators are attempting to make every detail explicit.

One explicit detail that will be the cause of nightmares among many is the “Privacy by Design” concept that features in articles 23 and 25 of the current GDPR draft. It means that whenever something new is created or developed that will have any relationship whatsoever with personal data, it must be created in such a way that data privacy is intrinsic to it – it can’t work without having data privacy among its core functions.

Or, put more simply:

Every new business process or service that uses personal data must protect that data, or take the protection of that data into consideration.

One example of this is data processing: where data controllers are processing data, the GDPR states they must only hold and process the personal customer data that’s absolutely necessary to complete the required task. When conducting data processing, therefore, there must be a way to use only the bare minimum and exclude or delete the rest of the data from that specific process.

Another detail relating to privacy by design is that data must only be held for as long as is required to fulfil the processes the customer has agreed to. Ensuring there is a way to do this, and that the data is then removed and rendered completely unavailable to anyone else unless it’s specifically requested, is something that all companies must do to be completely GDPR compliant.

Privacy by Design is a Fast-Growing Notion

In the world of technology in particular, privacy by design is a notion that’s fast becoming popular. Of course, the introduction of GDPR in 2018 has helped with that. But, as more of people’s everyday lives involve online use and data storage, many people have come to the realisation that privacy has to be a prioritised consideration and not just an afterthought.

And that’s what the GDPR ‘Privacy by Design’ rule has been designed to nurture – putting thoughts about data privacy upfront in the development of a process, service or business.

Under the current EU Data Protection Directive, there is no concept or mention at all of privacy by design. Instead, the obligation is imposed on the data controller to ensure the data is private and protected.

By creating a Privacy by Design clause, the GDPR removes the onus for data protection and privacy from data controllers and shares it among a broader network. From 2018, technical and organisational processes must be created in a way that keeps customer data privacy at the heart of how they are designed.

Not only will new firms and designs always have to show they have made data privacy a key consideration; existing firms must do likewise when it comes to any changes they make. That includes the way they:

  • Collect data.
  • Store data.
  • Use data.

Will Start-Ups Struggle the Most with Privacy by Design?

On the face of it, you’d have to think the answer to that question is yes. But, if you’re starting something completely fresh, in many ways it can be easier to heed new rules and directives. That’s because you can run tests and see what works, without the risk of being hit by a potentially limitless fine.

Sure, you might need to puzzle out a new way of doing something to satisfy the Privacy by Design rule. But, if you’re still in the early stages, you could come across a process or system that works well and can be used across the company, meaning you’re running a completely compliant business from day one.

Perhaps then, Privacy by Design is something that start-ups will be grateful for. After all, it’s easier to build a reputation for handling personal data in the right way when you can show your business concept had that detail as a key consideration right from the very start.

Adaptation of Existing Processes Can Be Difficult

As data protection has come under closer scrutiny – culminating in the need for the GDPR in the EU – it has become clear that much of the existing data management conducted by firms across all industries isn’t good enough.

Where firms have added on data protection technology, programs and processes, these often aren’t doing the job properly. Newer firms, still working out their business plan and systems, can avoid that by ensuring plenty of time and focus is given to data privacy.

Firms where much work is required to be fully GDPR compliant by May 2018 need to do the same: put enough time and consideration into incorporating the ‘privacy by design’ concept into every relevant aspect of their business.

Areas where all businesses must focus on privacy and data protection in the early stages and throughout, include:

  • Beginning/joining a data sharing partnership or network.
  • Creating any new IT system that will be used to collect, store or access personal data.
  • Considering using data for new purposes.
  • Developing policy strategies or new legislation that have any relation to data privacy.

So, where firms are adding on new services, rules, systems or processes, privacy by design must always be carefully considered.

Privacy by Default

Privacy by default is another new concept that will be part of the final GDPR when it comes into force. It works as part of the Privacy by Design rule and means the strictest privacy settings available must always be the default for new customers. That’s regardless of whether they’ve indicated this is what they want. If they haven’t voiced a preference or explicitly stated exactly what privacy settings they do want, then the highest privacy level you have available should always be the initial setting applied to their data.

Where it’s relevant, the user should be able to go into a system and change the privacy settings as they see fit. But, from the perspective of the business and data controller, when data is initially collected, stored and used, it must be done under the strictest security settings available.

This is, perhaps, one area that new companies and technology developments will struggle with the least, while existing systems and companies might struggle the most. But it’s another important aspect of the GDPR and must be considered and adhered to by all.

Data Privacy Won’t Ever Be Unimportant

With the implementation of the GDPR mere months away, there’s a lot of work ahead for many firms. However, it’s safe to say that data privacy won’t ever be considered unimportant or just another tick box again.

As such, you can implement your upgraded privacy and data protection processes, safe in the knowledge they will stand your business in good stead for the future, whatever it may bring.