Privacy by Design certification helps ensure acceptable privacy standards per the European Union’s (EU) General Data Protection Regulation (GDPR). Although certification is not explicitly a GDPR requirement, the concept of Privacy by Design (PbD) is. Certification is one of the few up-front, tangible ways to demonstrate that protecting data subjects’ personal information is an essential consideration factored throughout systems design, service delivery, and ongoing management. Despite the GDPR’s recent publication, designing IT systems around data privacy is neither new nor exclusive to the EU’s regulation.
Privacy by Design and the GDPR
The GDPR is all about data privacy and protection. Enacted in 2018 and applicable to organizations in the EU and those doing business with residents of the EU, it provides a set of standards that guide privacy best practices now and in the future. One of these standards, known as “Privacy by Design” (PbD), ensures that EU citizens’ personally identifiable information (PII) is a top priority for any organization that stores, processes, or transfers it.
PbD, as a concept, merely refers to the fundamental inclusion of cybersecurity and control measures to protect PII during systems design, development, and delivery. It’s a GDPR requirement stipulated in Article 25: Data protection by design and by default. Privacy by Design certification is achieved following a third-party assessment that verifies an organization’s systems are compliant with that aspect of GDPR.
To begin implementing PbD or pursue Privacy by Design certification, you’ll need familiarity with:
- Privacy by Design vs. Privacy by Default
- The principles of PbD
- Is Privacy by Design training and certification required?
- How to obtain Privacy by Design certification
Even if you’re not bound by the GDPR, you may be bound by similar regulations safeguarding PII (e.g., CCPA, VCDPA). Regardless, PbD is still the proper way to approach the adoption of PII safeguards.
Privacy by Design vs. Privacy by Default
The concept of Privacy by Design goes hand-in-hand with the idea of privacy by default. The GDPR requires both approaches, and each promotes privacy as a fundamental strategy and goal of your network. However, they achieve this in different ways:
- Privacy by Design – Guided by seven foundational principles, Privacy by Design promotes data privacy during every phase of organizational planning, development, and day-to-day delivery of systems and services.
- Privacy by Default – A closely related concept, Privacy by Default requires that all default system parameters and options are set for the maximum amount of user privacy. It also mandates that organizations only process data that is necessary for their specific, stated purpose.
An easy way to remember the relationship: Privacy by Default is the pragmatic realization of PbD.
The Foundational Principles of PbD
Originally established in the 1990s, the PbD concept revolves around a core of seven Foundational Principles. Although these were envisioned before the creation of the EU’s GDPR, they have since been adopted as part of the standard approach to data privacy.
The Foundational Principles of PbD are:
- Take a proactive or preventive approach
- Promote privacy as the default setting
- Embed privacy protections into the design phase
- Maintain full functionality
- Provide end-to-end security
- Maximize visibility and transparency
- Respect user privacy
1. Take a Proactive or Preventive Approach
Operationalizing Privacy by Design with a proactive or preventive approach is more efficient than reactive and remedial solutions. Analyzing and forecasting privacy risks puts you a step ahead of would-be identity thieves or potential mistakes, preventing security incidents before they happen.
2. Promote Privacy as the Default Setting
This principle corresponds directly to the concept of Privacy by Default. Providing the maximum amount of data protection helps keep hackers at bay while building trust with your users. Consider default configuration enforcement for functionalities like multifactor authentication or the automatic deletion of PII after a specified period.
3. Embed Privacy Protections into the Design Phase
From the outset, all systems design and service delivery must adopt PbD as a fundamental principle. If your organization incorporates PbD in this manner during strategic planning and design, you already have a roadmap to follow while developing the system (and delivering any services).
Essentially, to achieve PbD, your organization cannot treat PII privacy as an optional feature that your system, application, or service might deliver, or as an option users can choose to enable. PbD must be embedded into every aspect, and it begins during the initial design phase.
4. Maintain Full Functionality
Also known as positive-sum, not zero-sum, this principle eliminates security and privacy trade-offs in favor of a system that directly benefits everyone involved. This includes consumers, end-users, and IT staff alike. Instead of sacrificing user privacy for organizational security, or vice versa, this principle reinforces the idea that both are achievable.
5. Provide End-to-End Security
PbD doesn’t mean that privacy is exclusively factored into the initial design stages. From the very moment any PII is collected, it must be safeguarded and remain private (aside from legitimate and authorized personnel interactions) until it is properly and permanently disposed of.
End-to-end security should also extend to all management processes and configurations, maintaining PbD through all relevant lifecycles (e.g., a given system implementation).
6. Maximize Visibility and Transparency
Provide users and stakeholders with maximum visibility and transparency at every turn. For users, start by:
- Asking their consent to collect information
- Telling them exactly:
  - What kind of information will be collected
  - How it’ll be used
  - Why it’ll be stored
  - How long it’ll be stored for
- Informing them:
  - Where more information can be found
  - How to contact your organization’s dedicated representative regarding data protection
In the event of a data breach or other serious incident, notify your users as soon as possible. This transparency builds trust and shows your users that you respect their privacy.
For stakeholders, ensure that all design, development, delivery, and other policy and process documentation is readily available. Further, where possible, assure stakeholders that PbD is being adhered to (e.g., achieving PbD certification).
7. Respect User Privacy
Maintain focus on user privacy at all times, but do so in an accessible manner. The seventh principle relates to transparency in that your personnel should actively maintain a dedication to individuals’ data privacy. This extends to providing robust baseline security, informing users of how best to ensure their own privacy, and making it easy for them to do so.
In most cases, following the PbD Foundational Principles or achieving Privacy by Design certification will automatically meet your obligations for respecting user and data privacy.
Is PbD a Requirement?
The GDPR stipulates that the concepts of Privacy by Design and Privacy by Default are a requirement for all organizations subject to it. This generally includes organizations within the EU and any outside organization that stores, processes, or transfers data related to an EU citizen.
Privacy by Design certification, however, is not a legal requirement. Instead, it provides proof that an individual or organization understands and enforces PbD.
The distinction is analogous to a law requiring all drivers to know the rules of the road, with a (non-mandatory) license serving to prove a given driver’s understanding of them. Similarly, Privacy by Design training can be considered “driver’s education”: not mandatory, but extremely beneficial to understanding PbD and achieving certification.
Organizations that fall outside of the boundaries of the GDPR may not be required to follow PbD. However, the emergence of similar regulations—such as the California Consumer Privacy Act (CCPA) and the Virginia Consumer Data Privacy Act (VCDPA)—may necessitate your adherence. Much like the GDPR, these two regulations apply to all interactions regarding state citizens’ personal data regardless of your organization’s location.
Furthermore, these principles and methodologies are helpful when pursuing compliance with other standards, including HIPAA.
Obtaining Privacy by Design Certification
Per GDPR Articles 42 and 43, Privacy by Design certification serves as proof of compliance with the regulation and PbD’s seven Foundational Principles. Note that Articles 42 and 43 pertain to all GDPR-related certifications.
Article 42 outlines EU Member State and GDPR stakeholders’ responsibility to provide (voluntary) certifications that demonstrate compliance. However, organizations should note that the official language states certification doesn’t negate ongoing compliance responsibilities. Article 42 also stipulates that these certifications’ validity may not exceed three years (but may be renewed upon meeting the same criteria).
Article 43 provides accreditation guidance regarding the entities performing training and certification. If your organization chooses to pursue certification, first ensure that the partner you will be working with is an accredited entity. The training content and certification processes are decided by these individual entities.
Building Trust Through Data Privacy and Protection
GDPR compliance—and, by association, PbD—is required for all organizations that interact with EU citizens’ personal data. Privacy by Design certification is one of the best methods for readily demonstrating to users, partner organizations, and stakeholders that you adhere to the regulation and PbD principles.
To find out more about PbD, the GDPR, or how you can safeguard the data on your network, contact RSI Security today.