Data Privacy Newsletter: Privacy By Design – January 2023
Privacy means the right of an individual to keep their personal life or personal information private or known only to a small group of people. The meaning of Privacy is perceived differently at different levels such as individual, societal, and organizational levels.
What is Privacy by Design?
The concept of Privacy by Design was introduced on the view that the future of privacy cannot be guaranteed solely by enacting legal frameworks and statutory compliance requirements; privacy practices need to be made a part of every organisation’s practice by default.
Privacy by Design focuses on the idea of embedding privacy controls within the existing and newly established frameworks. Privacy by Design is based on a preventive and proactive approach rather than a reactive one. The term “Privacy by Design” means “data protection through technology design.” Data protection in data processing procedures is best adhered to when it is already integrated into the technology when created.
Globally, countries and organisations have passed resolutions which encourage adopting privacy by design as a principle and as a mandatory practice for every organisation. Privacy by Design is a generally accepted privacy principle and has been incorporated into privacy legislation such as the General Data Protection Regulation (“GDPR”) in the European Union, the Children’s Online Privacy Protection Act (“COPPA”) and the Health Insurance Portability and Accountability Act (“HIPAA”) in the United States, and the Data Protection Act, 2018 (“DPA”) in the United Kingdom.
GDPR and Privacy by Design and Default
Privacy by Design is an approach that encourages you to consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle. The GDPR requires organisations processing personal data to implement appropriate measures such as encryption, pseudonymisation, and anonymisation of data at all times. These measures are designed to integrate data-protection principles into processing activities in order to protect the rights of individuals.
Implementing Privacy by Design
- Announce Clear, User-Friendly Privacy And Data Sharing Policies: A website must inform the visitor about personal data that is being collected from the visitor and they should be given a choice to opt out of that collection.
- Avoid Pre-Ticking Checkboxes: Checkboxes are one of the best ways of obtaining consent from a visitor. The best practice would be to leave these checkboxes unchecked by default and notify the visitor to tick the checkbox.
- Data Minimization: The least amount of data should be collected by default, as this can help minimize liability and reduce the consequences of a data breach.
- Confidentiality: Organisations must encrypt data and restrict access to such data and only make confidential data available on a need-to-know basis.
- Access Controls: Organisations can implement mechanisms such as authentication and access control for every user to prevent unauthorized activity on the systems.
- Anonymisation And Pseudonymisation: Organisations can implement techniques such as anonymisation and pseudonymisation, which help protect the personal data of the individual and reduce the risk of exposure for the individual.
- Individual Consent: The privacy framework should be made user-centric, should offer options to explicitly obtain user consent and have clear privacy policies.
- Privacy Control With Users: It is important to ensure that users have adequate control over the data that they share.
- Demonstrate Privacy Compliance: Organisations with a robust privacy framework can demonstrate privacy compliance and meet regulatory requirements.
Implementing Privacy by Design at the beginning of any activity and integrating it into systems, processes and practices is recognised as a best practice for all organisations that engage in data collection and processing. The implementation of Privacy by Design will satisfy the principles of data protection and contribute to the protection of individuals’ rights and freedoms.