A guide to GDPR privacy by design requirements

The General Data Protection Regulation (GDPR) is one of the most strict and heavily enforced privacy laws in the world, with the goal of protecting the Personally Identifiable Information (PII) of residents of the European Union. The law achieves this goal by requiring certain websites that GDPR applies to have a Privacy Policy, providing privacy rights to consumers, and by imposing restrictions on the collection, use, and disclosure of PII. One specific requirement of this law is GDPR privacy by design, which requires the integration of privacy into the development and creation of new devices, systems, and operations. In this article, we will break down the GDPR privacy by design requirement and discuss the following:

• What is privacy by design and its requirements;
• Requirements for developers of technology;
• The seven foundational principles of privacy by design; and
• Steps to implementing privacy by design.

Table of Contents

What is GDPR privacy by design?

The term “privacy by design” was originally coined by Ann Cavoukian, the former Information and Privacy Commissioner of Ontario, Canada, and the term signifies that it is important to consider privacy requirements from the design phase and embed those requirements throughout the entire data lifecycle. Privacy requirements should be embedded into the design and architecture of IT systems and business practices so that PII is always protected. A key element of this concept is that an individual should not have to do anything to protect their privacy as it is built into the system by default.

This concept interacts with GDPR in Article 25 – data protection by design and default. While Article 25 requires data controllers to implement appropriate technical and organizational measures that are designed to implement data protection principles, it is clear that following the requirements of privacy by design will aid you in complying with Article 25. In fact, the Resolution on Privacy by Design states that this principle is an essential component of fundamental privacy protection. Under GDPR, you must implement appropriate technical and organizational measures to ensure that your processing meets GDPR standards. The following factors need to be taken into account when determining whether the measures are appropriate:

• The state of the art;
• The cost of implementation;
• The nature, scope, context, and purposes of the processing; and
• The risks of varying likelihood and severity for the rights and freedoms of natural persons.

Requirements of developers of technology

While GDPR itself only mentions data controllers, that does not mean that website, application, or other technology developers are off the hook when it comes to GDPR privacy by design. Recital 78 provides the requirements for developers by stating “when developing, designing, selecting and using applications, services and products that are based on the processing of PII, developers should be encouraged to take into account the right to data protection when developing and designing such products, services and applications.” Under the GDPR privacy by design requirement, developers need to ensure that their clients are able to fulfill their data protection requirements.

Seven principles of privacy by design

The concept of GDPR privacy by design is characterized by seven foundational principles, which provide additional information on how this concept is implemented into practice. These principles are as follows:

1. Proactive, not reactive. Preventative, not remedial. You must anticipate and prevent privacy incidents before they happen;
2. Privacy as the default setting. If an individual does not take any action, their privacy must still be preserved by default;
3. Privacy embedded by design. Privacy features should not be an add-on; privacy must be an essential component of the core functionality being delivered;
4. Full functionality – positive-sum, not zero-sum. Privacy should not be a trade-off and it is possible to have both privacy and security;
5. End-to-end security – full lifecycle protection. Privacy by design extends security throughout the entire lifecycle of the PII, ensuring that strong security measures as implemented from start to finish;
6. Visibility and transparency. All of the component parts of a business practice or technology must remain visible and transparent to users and providers; and
7. Respect for user privacy – keep it user-centric. You should respect users by offering them measures such as strong privacy defaults, appropriate notice (aka Privacy Policy), and empowering user-friendly privacy options.

Steps to implementing GDPR privacy by design

By now, you can hopefully see why implementing privacy by design is an integral part of GDPR compliance. If you are wondering what steps you should take to implement this concept into your work and organization, consider the following guidelines from the European Data Protection Supervisor:

• Define a methodology to integrate privacy and data protection requirements as part of projects that concern the processing of PII;
• Identify and implement adequate technical and organizational measures to protect PII; and
• Integrate the support of privacy in the management and governance framework of your organization, by identifying tasks and defining and allocating resources and responsibilities.

GDPR privacy by design is a goal that you should strive for throughout your projects, systems, infrastructure, and organization. Use Termageddon’s Privacy Policy generator to help create your GDPR ready Privacy Policy that adequately discloses your PII collection, use, and disclosure practices to users.