Privacy by design (PbD) is a preventative approach to data privacy protection developed by Dr. Ann Cavoukian in the 1990s. Its initial purpose was to develop a robust, scalable model for data privacy that would surpass “privacy enhancing technologies” (PETs) and then-weaker regulatory compliance requirements to guarantee full data privacy. To this day, companies’ privacy by design programs are informed by this revolutionary document.
Beginner’s Guide to Privacy By Design Principles
The formal Privacy by Design: The 7 Foundational Principles document was published in 2009 and subsequently updated in 2011. Privacy by design is not a framework per se, in that it does not prescribe specific controls companies need to install, nor specific metrics by which to gauge its designed privacy.
Privacy by Design prescribes a set of seven guiding principles:
- Proactivity not reactivity
- Privacy as a default
- Embed privacy in design
- Uncompromised functionality
- End-to-end lifecycle security
- Maximal transparency and visibility
- User-centered privacy design
After describing each, this article will explore some compliance considerations informed by the privacy by design principles and how to develop a comprehensive privacy by design policy.
PbD Principle #1: Design for Proactivity, Not Reactivity
Instead of designing measures to address privacy breaches as they occur, companies should try to prevent them from occurring in the first place. This requires robust risk monitoring and an integrated threat and vulnerability management program to identify and mitigate privacy risks before they materialize into attacks, leaks, or other breaches that compromise data privacy.
PbD Principle #2: Ensure Privacy is the Default Quality
Ideally, privacy should be the default setting that no staff member or client has to go out of their way to uphold. Rather, it should be exceedingly difficult to breach data privacy—whether accidentally or as an intentional attack attempt. Companies can design their system defaults to ensure minimal effort is required to uphold privacy.
PbD Principle #3: Embed Privacy into All System Design
Instead of “adding on” privacy measures as complements to existing systems, they should be integrated as constitutive elements of all parts of a company’s cybersecurity architecture. When companies fail to embed privacy into their design from the ground up, the visibility and control can be compromised. Privacy needs to be among the first and last design elements considered.
PbD Principle #4: Aim for Uncompromised Functionality
Privacy is a positive-sum goal, not a zero-sum goal. Companies should avoid any designs that trade privacy for other functionalities or qualities, such as transparency or integrity. There should be no compromises made with respect to privacy, whether privileging it or sacrificing it. If a compromise or gap is identified, a dedicated patch management program can identify and eliminate gaps with immediate patches.
PbD Principle #5: Establish End-to-end Lifecycle Security
Companies should ensure privacy over the entire lifecycle of each individual piece of data, up to and including its safe termination. To ensure safe disposal, all personal or personally identifiable information (PII) must be removed from data. A dedicated PII scanner can help execute regular scans of all data within a company’s system to identify and track PII across all files’ lifecycles.
PbD Principle #6: Maximize Transparency and Visibility
All stakeholders should be assured that systems and technologies used to manage their data are private, with visibility over all transactions and processes enacted upon data that belongs to them or pertains to them. Companies should facilitate access to metadata about clients’ data through user-friendly platforms, and any requests for information must be answered promptly.
PbD Principle #7: Prioritize Respect for Users’ Privacy
Privacy by design should center around the users to whom data belongs; both their rights and their best interests should be respected above all else. Data subjects’ interests should come before those of the company itself, unless protecting data privacy for a small subset of files could potentially harm the privacy or security of many other clients’ data. In short, companies should always seek to minimize overall harm.
Privacy By Design and Compliance
While privacy by design is not a framework nor regulatory document itself, it has come to shape many other regulations. One of the most widely applicable for companies in the US is the California Consumer Privacy Act (CCPA). First established in 2018, the CCPA is designed to guarantee California residents certain essential rights with respect to their data. These include:
- The right to know about all personal and personally identifiable information any business is collecting from or about them, and all ways in which that data is being used or shared.
- The right to delete personal information collected from or about them, with exceptions.
- The right to opt-out of sale or other use of their personal or personally identifiable data.
- The right to exercise CCPA rights without discrimination or retaliation from businesses.
These rights must be upheld by most entities that do business in California and collect or process Californians’ personal data. In particular, if your business earns a gross annual revenue of $25 million, processes data pertaining to 50 thousand households, or earns more than half of your annual revenue through the sale of consumers’ personal data, you must be CCPA compliant.
Note: CCPA presently does not require specific privacy controls, such as the implementation of a privacy by design framework. The California Privacy Rights Act of 2020 (CPRA) may augment CCPA protections in the future, establishing more explicit data privacy rules and regulations.
Privacy By Design and EU GDPR Regulations
One set of regulations in which data privacy requirements are explicitly established is the European Union (EU) General Data Protection Regulation (GDPR). The EU GDPR applies to most companies that collect, store, or process data of or pertaining to EU citizens, regardless of where a company is located or does business. The CCPA is largely modeled off of the GDPR.
One function of the GDPR is establishing rights data subjects can reasonably expect, such as:
- Data controllers must facilitate transparency and accessible modalities, per Article 12.
- Data subjects have the right to access their data and metadata about it, per Article 15.
- Data subjects have the “right to be forgotten” and can erase their data, per Article 17.
- Data controllers must honor subjects’ objections and cease processing, per Article 21.
Another function is establishing when sensitive data can be processed, per GDPR Article 6:
- Data may be processed if the data subject provides full consent to the data controller.
- Data may be processed to satisfy pre-existing contractual obligations between parties.
- Data may be processed to satisfy or comply with legal obligations on the data controller.
- Data may be processed to serve vital interests of the data subject or a representative.
- Data may be processed to serve the public interest or that of an official state authority.
- Data may be processed to serve the best interests of the data controller or a third party, unless these conflict with interests of a data subject—the latter must always take priority.
Finally, the GDPR establishes strict protocols for data oversight and staffing responsibilities.
Installing an EU GDPR Data Protection Officer (DPO)
Companies that process large quantities of data, especially large quantities of personal data pertinent to EU citizens, may need to install a Data Protection Officer (DPO) per the GDPR Article 37. In particular, this rule applies to companies in which data is processed by a public authority, the data controller or processor requires data monitoring for large-scale datasets, or significant amounts of data being processed are protected under GDPR Article 9 or Article 10.
The DPO can be an internal resource specifically designated to this role, or it can be outsourced to an external managed security services provider (MSSP). RSI Security offers dedicated DPO services, both individually and as part of our broader EU GDPR compliance services. We help companies implement all GDPR data privacy safeguards. A DPO can also ensure compliance with current and future CCPA requirements, along with all other legal or business requirements.
Implement a Robust Privacy By Design Program
The seven privacy by design principles are useful for all companies, whether or not CCPA or GDPR compliance apply. Most companies in the healthcare sector have to follow the HIPAA Privacy Rule, for example, and any company that processes credit card payments needs to ensure privacy for cardholder data, per PCI-DSS. Implementing a privacy by design program is one efficient way to meet or surpass all these requirements. To get started with PbD, contact us today!