Privacy by Design: Risk management & personal data

Privacy by Design aims to ensure proper processing of personal data and data security. We'll go through the basics of PbD here.

09-05-2023 - 7 minute read. Posted in: gdpr.

When it comes to GDPR, there are many things that you as a company and employee need to consider. This applies, among other things, to Privacy by Design (PbD). PbD was originally developed by Canadian Ann Cavoukian, who worked with information security. PbD refers to Article 25 of the GDPR rules, where the concept is included. Cavoukian divides PbD into 7 pillars or principles to make them more tangible.

Privacy by Design is essentially data protection by design, which includes work processes, IT systems and the physical infrastructure that provides the framework for information security - and the processing of personal data.

PbD focuses on risk management and how to best protect personal data throughout its processing and handling, from the moment the personal data is collected until it is deleted from the systems. This applies to data in hardware and software as well as to handling processes and services.

First pillar: The proactive way

As we know from cybersecurity, the proactive approach to combating personal data mismanagement is the most effective and profitable approach. In other words, you need to be there before a risk emerges.

That's why the first pillar of PbD is about being ahead of the curve. This applies to everything between processes, procedures, processing and infrastructures in the company. Personal data security must be ensured in the best possible way, and this is done by being proactive and prepared for risks.

To put this into practice, you can:

  • Provide clear and unambiguous guidelines showing that management strives to promote the proactive approach to personal data protection - this means improving processing.
  • Make it a matter of course to improve the approach so that it becomes proactive rather than reactive.
  • Make responsibilities in the processing of personal data clearer - so that employees are aware of how personal data has been processed and needs to be processed.

Second pillar: Default setting

The second pillar is that data protection should be a standard process and incorporated into your systems. Therefore, it must be part of your PbD.

When data protection must be part of your processes, it also means that it must be a default in your systems - a standard that should not be relaxed. In other words, if it is not already the default, your data protection must be top-notch. This is because you are processing personal data that is invaluable to your customers as well as to your business.

If you look at it in functional terms, you have to:

  • Limit and simplify the criteria for data collection.
  • Only use the personal data for the specific purpose - and not for purposes other than those for which it was initially collected.
  • Remember that only relevant caseworkers should have access to the personal data - remember what is "need to know" and what is "nice to know".
  • Keep the retention period in mind when dealing with personal data. It is a violation of the GDPR to hold personal data longer than necessary.

Third pillar: Part of the design

When dealing with personal data, remember privacy and confidentiality principles. This must be integrated into the design of processes and procedures, as it is one of the most important things to remember as a business. Not only does it hurt your business to mishandle personal data and privacy, it also greatly affects the customers whose data you process.

Businesses can make privacy by design mandatory so that privacy by design is not just an add-on to their procedures - it should be second nature. In addition, ensure that risk assessments are carried out to review IT systems and data storage. Finally, consider documenting the decisions made and referring to the PbD so that there is no confusion or conflict.

Fourth pillar: Functioning to the limit

In an organization, you need to ensure that PbD includes a safe user experience. It is important to remember that you should not replace other important functions with personal data security.

This way, you can ensure that employees in your organization have the full functionality of systems and Privacy by Design. When they can use all the features, you can also have the best experience of processing personal data.

So, when you are dealing with personal data, you must remember that the different interests in personal data security can be present at the same time in the same system. You can easily be interested in processing personal data correctly and properly, while at the same time focusing on the essential business needs.

Fifth pillar: We are there every step of the way

When processing data, data protection must be integrated throughout the entire processing time. In other words, it is from the first glance at personal data that data protection comes into effect. In continuation of this, you must also maintain a high level of attention to the correct processing of personal data until you delete the data when it is finished processing.

One element you can implement in personal data security is encryption and anonymization of data. This naturally limits who can read and understand the data. In other words, you keep unauthorized persons away.

In addition, you must also have a secure and thorough deletion of the personal data as soon as you have finished processing it. If it is not deleted correctly, you risk storing the personal data incorrectly - and this results in a GDPR fine.

Sixth pillar: Transparency

An important element of correct processing of personal data is to have transparent and visible processing. This is of concern to external parties, as it ensures that you as a company are actually processing the data properly.

In addition, it supports the credibility of your company, as it becomes clear that you know what you are doing and have your procedures and processes under control.

For example, you can create privacy policies to clarify how personal data is processed and remains confidential. This can be used when collecting consent. In addition, clear and accessible communication forms are a good idea so that customers can get in touch with you when they need to.

Seventh pillar: Putting the customer at the center

Last but not least, always keep the customer and the user at the center of your data processing. You need to ensure a good experience for the user, to ensure good data protection in general. Some examples of putting the user at the center are:

  • Integrate Privacy by Design into your systems. This protects the customer and the personal data linked to them.
  • Have clear communication between you and the customer: if there is a change in privacy settings, the customer must be informed. Furthermore, they should be informed of the consequences for their privacy if changes are made to system settings.
  • Consent is important, so the customer should be able to see everything they agree to.
  • Privacy policies should always be accessible where processing is involved. Customers should be able to see how you process personal data.

The purpose of PbD is to ensure the implementation of data protection and information security in companies - this should be from the moment the personal data is collected. This ensures that the processing of personal data does not become an insignificant process in a company, but that it is handled and processed with the security it requires.

Author Caroline Preisler

Caroline is a copywriter here at Moxso beside her education. She is doing her Master's in English and specializes in translation and the psychology of language. Both fields deal with communication between people and how to create a common understanding - these elements are incorporated into the copywriting work she does here at Moxso.
