Following on from last month’s post about the impact of the forthcoming EU General Data Protection Regulation (GDPR) on software and website development, I would like to focus this post on the concepts of Privacy by Design and Privacy by Default.

The broader aim of the GDPR is to enhance and unify users’ rights with respect to privacy within the EU. Current data protection legislation varies between countries in Europe and is often outdated. This means that companies are able to pick and choose which privacy laws apply to their operations, and consumers do not know what they are consenting to when they hand over information, nor what their rights are.

The GDPR aims to strengthen and harmonise the rights of data subjects who are citizens of the EU, and places duties on data controllers and processors to adopt Privacy by Design principles when designing or redesigning processes and technologies. The most high-profile systems that businesses use to interact with customers are usually websites and customer portals, but the regulation also means that internal processes and systems that handle customers’ private information will need to be assessed for compliance.

Privacy by Design

Privacy by Design (PbD) is a new obligation in the management of privacy data (Personally Identifiable Information, or PII) that is being introduced with the GDPR. It is mandatory: Data Controllers must implement a PbD approach, and evidence that they have done so, in order to comply with the regulation.

The concept of Privacy by Design originated with the aim of protecting users’ privacy and giving them control over how their data is used.

Privacy by Design is an example of value sensitive design, whereby the values of data subject privacy are given primacy during the design stage.

Privacy is often treated as an optional extra or bolt-on at deployment time, but the GDPR will demand documentation and evidence from data controllers that these aspects were considered at product design time.

Building for privacy at design time captures potential problems early, and documenting this process provides evidence to auditors and can help to flag data governance issues.

The original principles of Privacy by Design originate with the Office of the Information Commissioner of Ontario (see a definition here) and comprise 7 foundational principles:

  1. Proactive not reactive; Preventative not remedial. Consider privacy early in the design stage.
  2. Privacy as the default setting. The PbD approach respects the data subject’s right as the owner of their information: systems should be designed to always ask permission, and data controllers should minimise collection to what is actually needed.
  3. Privacy embedded into design. Privacy should be embedded into all product features, and be fully tested with this in mind.
  4. Full functionality. Privacy engineering should not compromise product features. There is always a privacy aware alternative to whatever business functions are required. Products should be fully configured to work with privacy, not against privacy.
  5. End-to-end security. Privacy should be maintained throughout the full lifecycle of the data. This can be achieved by modelling the full lifecycle of data from collection, through usage to destruction or archiving.
  6. Visibility and transparency. Keep user trust high by explaining your privacy policy to customers in simple to understand language and foster a privacy responsible culture by having people in the organisation whose job it is to handle privacy issues.
  7. Respect for user privacy. Keep it user-centric by recognising that the customer is the owner of the data, that it must be kept securely and kept correct, and that it should only be used under the conditions to which the user has consented.

As part of a GDPR implementation the guidance notes provided by the UK Information Commissioner give some idea of what is expected from a compliance point of view, although implementation details will vary from business to business.

Data Controllers will need to consider data protection requirements when creating, updating or redesigning technologies, products or services or other data processing activity.

This means that data controllers will need to take account of the following at the design stages:

  1. Build the data subjects’ request rights under the GDPR into software. This will include the right to data portability and the right to be forgotten.
  2. Identification of any risks to the rights and freedoms of individuals. This would usually be done by undertaking a risk assessment exercise or (preferably) a Privacy Impact Assessment (PIA).
  3. Understanding the data flows of products and services and identifying potential privacy concerns when data crosses system boundaries (for example as it passes to other data processing functions).
  4. Developing new standard processes and templates for projects and systems to ensure compliance with GDPR.


Privacy by Default

Related to this, the concept of Privacy by Default takes a technological approach to ensuring that systems, applications and websites handle privacy data in a data-security-aware way.

These capabilities need to take account of the ‘state of the art’ with regards to technology choice and should include:

  1. Pseudonymisation or (deterministic / homomorphic) encryption of data by default. Ensuring that data encrypted by one app is secure from reads by other apps. Pseudonymisation in particular should be used where websites seek to carry customer marketing data across devices where persistent ID information is held.
  2. Asking users explicitly for consent that cookies can be set, and for which types of information may be stored in them. Currently, many websites display a simple ‘cookies are in use on this website’ message, but say nothing about what those cookies contain. The GDPR will demand more visibility from data controllers about the setting and content of cookies on users’ devices.
  3. Data stored about data subjects should be limited by need. As an example, location data should always be requested explicitly, and not requested at all if it is not needed to provide the service.
  4. Solutions should also be designed to fail securely, helping to ensure, for instance, that privacy data is not exposed in the event of a technology component failure.
  5. Technology solutions should also be designed to handle the cases where the user expressly forbids the collection of their data, so that data subjects control how much they choose to share with websites and applications continue to work when they decline.
  6. Unsubscribe notifications should be designed to be less opaque and more accessible, so that users are able to easily identify exactly which communications they are opted in to.
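As an added illustration of items 1, 3 and 5 above (example code, not from the original post), the snippet below derives a keyed pseudonym for a persistent customer ID and then hands each downstream purpose only the fields it needs, or nothing at all if the user has forbidden that purpose. The key, the field lists and the purposes are constructed assumptions for the example.

```python
"""Pseudonymisation plus data minimisation for per-purpose data hand-off.
Added example in the spirit of the Privacy by Default list; not the post's code."""
import hashlib
import hmac
from typing import Optional

# Constructed sample key. In production it lives in a secrets manager or HSM,
# separate from the pseudonymised data store, so the tokens cannot be reversed
# or linked by anyone who only has the data.
PSEUDONYM_KEY = b"constructed-example-key-do-not-reuse"

# Each purpose gets only the fields it genuinely needs (data limited by need).
# Assumed purposes and fields for the example.
PURPOSE_FIELDS = {
    "marketing": {"country", "product_interest"},
    "store_locator": {"country", "location"},
}


def pseudonym(user_id: str, purpose: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Deterministic keyed pseudonym (HMAC-SHA256 of purpose:user_id).

    Same user and purpose -> same token, so marketing can recognise a returning
    device across sessions; different purposes -> unlinkable tokens, so one
    downstream app cannot join its records against another's.
    """
    msg = f"{purpose}:{user_id}".encode()
    return hmac.new(key, msg, hashlib.sha256).hexdigest()


def minimise(record: dict, purpose: str, opted_out: set) -> Optional[dict]:
    """Return the record as it may be passed to `purpose`.

    The raw user_id is replaced by its purpose-specific pseudonym, only the
    fields that purpose needs are kept, and None is returned when the user
    has expressly forbidden this purpose (the caller must then collect nothing).
    """
    if purpose in opted_out:
        return None
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"unknown purpose: {purpose}")
    allowed = PURPOSE_FIELDS[purpose]
    out = {"pid": pseudonym(record["user_id"], purpose)}
    out.update({k: v for k, v in record.items() if k in allowed})
    return out
```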

The risk to privacy in the area of systems development is well known and documented, not only through the cases where privacy has been breached, but also through technical guidance provided by bodies such as OWASP.

Summary

The GDPR legislation aims to give data subjects more control over the information that is stored and shared about them. Although this is a complex piece of legislation, and some of the finer details around the implementation, evaluation and validation of PbD methods are still being finalised, the intention is that respecting the privacy of EU citizens through properly safeguarded data systems will engender and enable trust in digital interactive business.

Companies will need to address the requirements for compliance with the legislation by ensuring that they have followed the Privacy by Design and Privacy by Default guidelines.

The processes followed should be evidenced and documented by companies, and their websites should clearly state the actions that they are taking to protect the privacy of consumers.

Although there will be costs involved for companies, there will also be benefits.

These include increased visibility and transparency with customers, improved customer communications, data flow and process understanding, greater protection of customer personal details and opportunities for improved Public Relations.

One of the underlying aims of the GDPR is to create an online environment that builds digital trust in customer interactions, together with a recognition that it is no longer acceptable for organisations that collect and process data to avoid responsibility for failing to keep it secure; privacy governance becomes a whole-enterprise responsibility.