General Data Protection Regulation - "Privacy by Design"


One of the core changes that the GDPR will introduce next year is the concept of ‘privacy by design’, which wasn’t touched upon in the previous Data Protection Act. Implementing privacy by design isn’t a requirement of the act – it’s more of a recommendation. This doesn’t mean you should ignore it, as it should make complying with your obligations easier and help you build a more secure and sustainable business in the long run.

The wording of the GDPR is ambiguous; however, the Information Commissioner's Office (ICO) has put forward a much clearer description of privacy by design, which is “an approach to projects that promotes privacy and data protection compliance from the start.”

Privacy by design would be very relevant if you were installing a new IT system or implementing a data sharing initiative, and for a start-up it would form an integral part of building your business from the ground up. The benefits of taking this approach are numerous: it helps you to comply with the GDPR, enables you to identify potential privacy issues earlier and address them in a simpler and less costly way, and also encourages innovation and protects your business reputation.

To understand this in more detail, seven ‘foundational principles’ of privacy by design have been established by The Information & Privacy Commissioner of Ontario (IPC), which are designed to help businesses introduce the approach. They are:

1) Proactive not reactive – preventative not remedial: You should aim as much as possible to anticipate and prevent data privacy risks before they happen. You shouldn’t wait for risks to materialise or take action after privacy infringements have occurred.

2) Privacy as the default setting: Customer information should be automatically protected by IT systems and processes. If an individual does nothing, their data should be protected. This is in keeping with the GDPR’s ‘opt in vs opt out’ stipulation.

3) Embed privacy into design: This is the point about privacy being integrated into technology and systems from the beginning, not bolted on afterwards.

4) Retain full functionality: Privacy by design aims to avoid unnecessary trade-offs, whereby functionality or security suffers as a result of privacy – or vice versa. Your product or service should work just as well with privacy incorporated.

5) Ensure end-to-end security: This refers to the need for privacy to extend throughout the lifecycle of the data involved. It should be obtained, retained and destroyed with privacy concerns in mind.

6) Maintain visibility and transparency – keep it open: Processes and operations should be visible and transparent to users and providers, giving reassurance that data is being treated in compliance with regulations and best practice.

7) Respect user privacy – keep it user-centric: Under privacy by design, systems and processes should always be designed in the interests of the user, with privacy defaults, appropriate notice and user-friendly options.

Privacy by design requires a shift in mindset and approach, one that puts privacy front and centre in how organisations operate. It might not come easily to begin with, but with the data mountain continuing to grow and organisations facing increasing penalties and reputational damage for shirking their responsibilities, the future of your business could depend upon it.