Tips for Implementing Privacy by Design
As builders of software we like to talk about user-centered design. We put ourselves in the mindset of the person using our app, service, or product. Successful user-driven companies bake this process into every part of their software lifecycle. It doesn’t stop at the initial research. Every decision is paired with the question: What about the user?
The same approach can be taken when building with privacy in mind. The notion of Privacy By Design (PbD) does that. Rather than make privacy an afterthought in the development process, it becomes a core tenet of an organization.
In this article we’ll explore privacy by design, its creation, and how it acts as a competitive advantage and prepares your company for future privacy regulations.
What is Privacy by Design?
Privacy by Design is a framework for incorporating privacy into all aspects of your organization. It puts the individual's privacy above all other priorities, and encourages businesses to work with the user's privacy in mind when making decisions about their products. The concept of PbD was created by Dr. Ann Cavoukian, the executive director of the Privacy and Big Data Institute at Ryerson University and the former Information and Privacy Commissioner for Ontario.
It went on to be formalized by a joint team made up of the Information and Privacy Commissioner of Ontario, the Dutch Data Protection Authority, and the Netherlands Organization for Applied Scientific Research in 1995 before being published in its current form in 2009. The European Union then went on to incorporate privacy by design as part of the GDPR.
The Seven Foundational Principles
Privacy by design is made up of seven foundational principles. Many include concepts from the fair information practice principles.
These principles of privacy act as a framework for the organizational measures you should take. They are high level goals that you can aim for as a way to incorporate privacy into the core of your organization. Following these principles can make it easier to interact with protection authorities, ensure privacy is a deep part of your design process, and act as a foundation for implementing privacy guidelines into your business.
Be proactive, not reactive
All systems should anticipate and prevent privacy invasive events before they happen. Organizations shouldn’t wait for risky activities to emerge. Instead, they should work to build processes that prevent privacy risks from happening.
For this to be successful, there needs to be clear commitment from an organization’s leadership that privacy is a core part of the company’s culture.
The goal with proactive principles is to set standards higher than those that are set by global laws and regulations. A proactive company can adjust their output of reporting when new regulations emerge, rather than readjust how they do business.
Practical Advice: Implement a system that can alert you of changes in your data processing activities, such as an automated data flow map. This makes it easy to avoid an incomplete picture of your organization's activities, and makes it much easier to show compliance.
Privacy as the default setting
Systems build with PbD have the privacy of an individual’s data in mind when setting defaults.
If an individual uses your service and makes no effort to explicitly protect their privacy, they should be able to expect that they are protected by default. This principle has been adopted by the GDPR in the form of "data protection by default" and is referred to elsewhere as "privacy by default."
A privacy by default system ensures that the purpose of data collection is always clear and made known to the individual at or before the time of collection. It adheres to data minimization best practices, and presents users with the necessary controls for managing the data that is collected.
Practical Advice: Make all data processing and collection activities that are not core to the function of your service "opt-in" so that individuals are aware when they are providing access.
Privacy embedded into design
In the opening to this article I mentioned that, like user-driven companies, privacy-focused companies incorporate privacy into all parts of their decision-making process. This is because PbD is embedded into the design and architecture of all IT systems and business practices. It isn't an add-on or an afterthought, but instead the result of making it an essential component of a company's offerings.
By embedding privacy into the design of your organization you can turn it into a business advantage. Even more so in industries where your competition is not as privacy conscious. We've seen this in recent years as large tech companies like Apple have increased the visibility of their privacy initiatives.
Embedding privacy into your development processes is easier than it sounds. In cases like the GDPR's data protection impact assessments (DPIA), you will need to make privacy decisions at the beginning when building any high risk feature. By adding review stages and regular audits, embedding privacy directly into the software cycle will become as common as writing tests for your code.
Practical Advice: Incorporate privacy checks and reviews into your software development lifecycle the same way you would incorporate continuous integration, testing, or quality assurance.
Privacy is positive-sum, not zero-sum
Using PbD should result in a win-win scenario for both individuals and organizations, rather than come as a necessary trade-off. As organizations build a culture around privacy, it can help stop unaligned interests and instead act to find better solutions. Privacy should never compete with other interests within an organization, but instead act to reveal solutions that enable privacy.
Practical Advice: Use privacy as a sales advantage, both to internal stakeholders and to your customers.
As mentioned in the embedded system principle, PbD should exist throughout the full lifecycle of the product. From inception, to initial development, and finally to ongoing enhancements and maintenance.
This extends to security. No matter how much focus is placed on protecting the privacy of an individual is, lacking security controls will result in breaches of privacy.
Proper security standards in a privacy by design system assume confidentiality, integrity, and availability of personal information.
Practical Advice: Ensure that access controls, encryption, and a data security framework is in place within your organization. Don't limit measures to software—make sure hardware controls are also in place. Performing SOC or ISO audits can help with this, and requiring them of your third party processors should be a priority. SOC 2 and the ISO 27001 family of frameworks—and its privacy-focused 27701 system—are excellent options.
Visibility and Transparency
Having a visible and transparent approach to privacy puts all of your practices out in the open. Users, stakeholders, and regulators can see that your business and processes are operating the way you claim.
Just as internally you want to be able to verify that trusted information is accurate, transparency allows your business to be accountable, open, and compliant to anyone observing your privacy practices.
Practical Advice: Make your processes known rather than hiding them deep in documentation. If you're putting the user's privacy first, you'll find it easier to plainly explain how their data is used. If you have trouble explaining how data is being used, there's no way your users will understand it, and it could be a red flag to regulators.
Respect for user privacy
At the core of your efforts should be a focus on the user and their privacy. The most effective implementations of Privacy by Design place the user's privacy needs above all else, and design around those interests.
Practical Advice: You can achieve this by putting a focus on the following:
- Consent that happens prior to, or at the time of, data collection.
- Accuracy in your privacy statements and in the integrity of the data you keep.
- Access to an individuals personal data when they request it.
- Compliance with privacy and data security regulation, and with your own promises made to the user.
- Respect for the individuals privacy and data.
Privacy by Design is often criticized for being vague. When it comes to frameworks, it is simple and straightforward. What it lacks in specifics it makes up for in high level advice. Much like Google's long forgotten motto of "don't be evil," privacy by design gives you the guidance to make good choices without explicitly telling you how to go about it. With that in mind, reference these principles—and our practical advice tips—when implementing privacy by design into your organization and software development processes.