After the GDPR became enforceable, organisations had to choose how to comply with the EU privacy regulation: through privacy by design or privacy by default. For some organisations, one or both of these concepts were new, but they are now legal obligations for all those handling personal data. The GDPR emphasises that privacy by design requires organisations to consider privacy compliance upfront, in the initial design process, in everything the organisation does with regard to its handling of personal data. Meanwhile, privacy by default means that organisations should only gather personal data that is required. But which one of these methods fits your organisation best, and how can you make sure you benefit from compliance?
Data controllers in all sectors that manage personal data are required to implement adequate technical and organisational safeguards to protect personal data against what could be deemed unlawful processing. With this responsibility, it’s important that data controllers bring privacy-focused considerations into every processing activity they are considering, even before carrying it out. By embedding a privacy-centric thought process, the chances of potentially harmful personal data processing can be further reduced. But before we look into what this thought process can look like, we first look at what the GDPR says about the two factors and how they can be distinguished.
Privacy by design according to the GDPR
Privacy by design is a data privacy and data protection centric approach that organisations should take at the initial or design stages of their methods. This means that data privacy and data security are embedded throughout the lifecycle of an organisation’s processing activities, products, services, offers, and applications. Some examples of where your organisation might consider going with privacy by design:
• Your organisation is developing a new IT system that handles personal customer data on a large scale
• Your organisation is updating its policies or business strategies
• Your organisation has decided to use personal data for new purposes that have not yet been carried out by the organisation
• Your organisation is introducing new data sharing initiatives
If your organisation decides to embed privacy by design, a privacy strategy will be very helpful in identifying and determining possible risks, and will provide insight into business decisions. Assessing cases like the examples above upfront could help data controllers not only to understand what steps and mitigating measures are necessary, but also to provide guidance and precedents for future projects. While privacy by design emphasises the importance of considering data privacy in the initial stages of design, privacy by default lays out further practical approaches to doing so.
Privacy by default according to the GDPR
Privacy by default means, among other things, that a system, process, or service includes methods for data subjects to choose just how much personal data they are willing to share. It also means that the default setting of a process should be the choice that is most “data privacy friendly”. This connects with the GDPR’s fundamental values of purpose limitation and data minimisation. In these cases organisations should collect and process only the most necessary personal data, for a specific purpose. The purpose should always be clearly stated when an organisation requires individuals to provide their personal data, explaining, in an easy-to-understand manner, why and how personal data will be used and processed. Some examples of where your organisation might consider going with privacy by default:
• Your organisation wants to ensure that the default preference choice of a certain service is one that does not require further personal data
• Your organisation is adopting measures that make sure no additional data is used, unless the data subject agrees to it
• Your organisation wants to make sure it provides data subjects the ability to exercise their rights and that a data subject’s personal data is not made publicly accessible (unless they have given consent)
To understand what the two factors are and how they can be differentiated, Article 25 GDPR provides further detail on both.
What can be seen is that privacy by design and privacy by default go hand in hand in ensuring that data subjects have more control over their personal data - the key objective of the GDPR. Ultimately, both privacy by default and privacy by design urge organisations to offer further transparency to their data subjects in regard to their handling of personal information.
Critically considering data privacy and security in advance offers data controllers increasing efficiency in their work. Identifying what data in particular is needed, knowing how that data could be obtained fairly, determining just how long the personal data should be stored, and even finding out what data security initiatives should be taken could further reduce the chances of finding problems in the future. Making changes at a later stage (after the implementation and the gathering of personal data) may be technologically difficult, time consuming, or even costly.
Besides complying with the regulation, compliant organisations will be able to enjoy many other benefits from a data privacy centric culture as well.
Further benefits of compliance through privacy by design or privacy by default
As transparency and GDPR compliance continue to be a key selling point for organisations, an organisation should determine just how transparent it would like to be with its data subjects in regard to its data processing activities. With the rising demand for this particular transparency, the obligations under the GDPR can easily be seen as an opportunity rather than an obstacle.
It can also help with identifying risks and opportunities beforehand through conducting a Data Privacy Impact Assessment (DPIA). Furthermore, DPIAs can also help organisations in further adapting their privacy by default and privacy by design considerations. Taking the time to successfully identify what is needed and how it can be obtained, and, just as importantly, making sure your audience is well aware of these decisions, can go a long way in an organisation’s compliance efforts and the efficiency of those efforts.
An obligation, and an opportunity
Organisations handling personal data are obligated to take the appropriate steps in safeguarding said data. However, adopting an approach of privacy by default or privacy by design, or both, can mean more than just fulfilling an obligation. For an organisation that ensures compliance through privacy by design, for instance, having data privacy as a priority embedded within every part of the company can mean better business decisions through identifying risks ahead and mitigating them before they become a problem. Meanwhile, organisations that take the privacy by default approach can save costs by storing a lower amount of data (for instance, a study shows that by the end of 2020 an estimated $3.3 trillion will be spent by organisations just to manage existing data), decrease the chance of suffering a data breach, and minimise the amount of data collected from individuals. Ultimately, the two privacy approaches provide an opportunity to further improve your organisation’s stance on transparency, reliability, and overall efficiency.