Netwrix Enterprise Auditor (formerly StealthAUDIT) 11.6 has been released LEARN MORE

What is Privacy by Design?

Blog >What is Privacy by Design?
| Farrah Gamboa | | Leave a Comment

In this era of big data, it is in an organization’s best interest to seek to safeguard their critical data assets, especially sensitive data, to the best of their ability. However, data breaches continue to occur, and according to certain studies, are happening every minute. And now with more consumer data being collected than ever, these breaches pose a real problem not only to an organization’s operations but to their credibility. But imagine if data security, and possibly more importantly data privacy, were not simply an afterthought, and were considered in every aspect of every operation. Could these breaches have been prevented? 

Privacy by Design (PbD) is a methodology that dates back to the 1990s but has become a more prevalent topic as it pertains to recent data privacy regulations such as the EU General Data Protection Regulation (GDPR).  In principle, it aims to push organizations to be proactive in their decisions and make privacy a priority, which is inarguably integral in the ever-evolving data privacy regulatory climate. Let’s take a deeper dive into what Privacy by Design is and it’s 7 foundational principles. 

What is Privacy by Design

Privacy by design is the practice of building privacy into the earliest stages of the design process of any new technology, system, or business process, with the goal of establishing the strongest protection of privacy. The mastermind of this concept is Ann Cavoukian, the former Canadian Information and Privacy Commissioner who was responsible for carving out many of the foundational principles on which this practice is based on. 

Organizations have everything to gain from ensuring privacy and security from the onset of any data collection exercise to the completion, whether that be because they are able to maintain compliance, avoid litigation, or gain the confidence of their customers. The PbD methodology helps to ensure that privacy is embedded into every facet of an organization’s data collection and processing activities by providing a set of principles to adhere to.

The 7 Foundational Principles

Proactive not Reactive

This principle can probably be considered the foundation of the PbD framework aiming to drive privacy considerations at the onset of a project versus after a data breach or incident. This goes beyond considering privacy on a project by project basis but instead seeks to engrain privacy into the culture of an organization.

Privacy as the default setting

This principle is straightforward, but possibly the most difficult to implement. Ultimately, any system or business process should be designed to protect an individual’s data by default, without requiring any action to be taken on behalf of the individual. This requires organizations to take measures such as minimizing the collection of PII (personally identifiable information), having a clear purpose for collecting the data that is being collected, and providing opt-in capabilities for data subjects. If for any reason the need for personal information is not clear, the default setting should be the most “privacy-protective”

Embed privacy into design

Privacy measures should not be looked at as an “add-on” to a business process or IT system, but instead should be embedded into the design as an essential component of the functionality being delivered. Organizations should adopt a systematic approach to embedding privacy into the design by leveraging accepted frameworks and standards and proactively carrying out privacy impact and risk assessments in order to minimize any impact or risk to privacy.

Retain full functionality – Positive-Sum not Zero-Sum

This principle can be summarized by leading with a “win-win” approach, avoiding making unnecessary trade-offs to meet objectives. When embedding privacy into each step of any project or initiative, it should be done in such a way that functionality is not impaired and all requirements are met, leading to beneficial outcomes for all parties.

End-to-end security

The goal of PbD is to ensure a “cradle to grave” approach, to have secure lifecycle management of information from end to end. What this ultimately means is that privacy should be protected through its entire lifecycle, with no gaps in protection or accountability. This is where you see data security and data privacy converge – without strong security, you cannot truly have data privacy.

Maintain visibility and transparency

This principle helps to clarify that privacy is not just there for privacy’s sake, and is there to build consumer trust by deploying open and honest communications. Visibility and transparency are integral to establishing accountability and trust for both users and providers.

Respect user privacy

Above all else, the interests of the data subjects should be upheld to the utmost degree, and the individuals themselves should have the power to determine how their data is being used. Organizations should leverage strong privacy defaults while also providing data subjects the ability to grant or revoke consent, empowering them to play an active role in the management of their data. 

Privacy by Design in Practice

How an organization goes about implementing the Privacy by Design methodology will ultimately rely on the unique objectives of the organization, specifically as it pertains to the collection and processing of personal data. The key to success is taking an organizational approach in developing a set of practical and actionable guidelines that take into consideration the types of processing activities and the risks that have been identified through performed risk assessments. Privacy should be considered at every stage of the development lifecycle. This includes the following phases and key measures

  • During the initial design stage – Conduct regular risk assessments to assess risks related to the processing of personal data in order to address these risks at the onset
  • Throughout the development lifecycle – Ensure that only the necessary amount of personal data is being collected and that this is being done in a secure fashion, while also enabling the regular cleanup of this data where possible
  • During user engagement – Provide adequate notification and granular opt-in capabilities for end-users
  • After user engagement has ended/End of Life – The appropriate procedures should be established to remove personal data once it’s no longer required or based on user request.

Learn about how Stealthbits can help to maintain data privacy through data security.

Featured Asset

Leave a Reply

Your email address will not be published. Required fields are marked *




© 2022 Stealthbits Technologies, Inc.

Start a Free Stealthbits Trial!

No risk. No obligation.