We’ve turned the calendar on a new year and the significance of data integrity, security, and privacy is only increasing. With the impending General Data Protection Regulation (GDPR) coming into effect on May 25, 2018, there are a number of approaches and strategies to consider. Today, we’ll be focussing on Privacy by Design and Privacy by Default. Neither of these concepts are new, however, both will become a new legal requirement under GDPR. Let’s take a closer look.
“Privacy by Design states that any action a company undertakes that involves processing personal data must be done with data protection and privacy in mind at every step,” The Irish Computer Society (ICS) explains. “This includes internal projects, product development, software development, IT systems, and much more.”
Privacy by Design prioritizes privacy and data integrity in the initial design stages and throughout the development lifecycle of new products and services that involve processing personal data. Some of the benefits of a Privacy by Design approach include:
While it may take more planning and energy upfront, Privacy by Design is a solid approach that offers a number of benefits for everyone involved.
“Privacy by Default means that once a product or service has been released to the public, the strictest privacy settings should apply by default, without any manual input from the end user,” ICS explains.
Furthermore, Privacy by Default means any data or information provided by the user in order to enable a feature of the product or service should only be kept for the minimal amount of time needed to make the product or service function properly.
The major benefit of Privacy by Default is that it limits business-side risk and ensures savvy users are more comfortable using your products and services (knowing their confidential information will be protected and guarded against prying eyes).
On May 25, 2018, the General Data Protection Regulation (GDPR) will go into effect. This means you have just a matter of months to get ready. If you’re unfamiliar with the basis of the GDPR, it’s essentially a binding set of laws designed to protect the privacy and personal information of citizens of the EU and other European Economic Area countries, It replaces the EU’s Data Protection Directive (DPD) and presents stricter regulations for businesses and organizations.
GDPR compliance applies to any organization that collects, stores, or processes data of EU residents – regardless of where that company is located. So, if you plan on doing business with EU consumers, the GDPR applies to you.
“One of the changes due to be implemented under the new General Data Protection Regulation (‘GDPR’) is the explicit recognition of the concepts of ‘Privacy by Design’ and ‘Privacy by Default’,” explains Sabba Mahmood of Fieldfisher. “Businesses will now find themselves subject to a specific obligation to consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing.”
As you think about implementing Privacy by Design and Privacy by Default into your products and services, here are some important things to consider:
For starters, you need to understand what personal data is. According to European data protection law, personal data is any information about a living individual that could be used to identify the individual, either on its own or in conjunction with other information. This includes information like (but not limited to): name, address, email address, IP address, banking or other personal information, medical information, photographs, social networking posts, any data that can used to identify a person, etc.
In the design stage, it will be important to carefully review all contracts and agreements with partners to ensure that any data being passed on is processed in strict accordance with Privacy by Design and GDPR standards.
Throughout the lifecycle of the product or service, going back to the basics means minimizing the amount of collected data and using pseudonymized personal data whenever possible.
It’s not enough to implement Privacy by Design. In order to stay in line with GDPR guidelines, it’s important to continually educate your end users of data and privacy best practices.
Customers should be given clear privacy and data sharing notices that explain everything that your business is doing with personal information. They should also be periodically reminded to review and refresh privacy settings.
It’s also wise to regularly review user accounts and delete the data of old users who have closed/inactive accounts.
At Virtru, we believe that privacy is a fundamental human right, and that businesses, governments, and other institutions have a responsibility to protect sensitive content. We understand the need for advanced security features in today’s hostile cyber landscape, which is why we’ve developed a suite of products and solutions to protect sensitive data, ensure compliance, and protect against dangerous threats.
If you’re interested in learning more about how Virtru can help your organization, let’s chat.