If you make privacy a part of products and services from the very beginning, you will avoid many problems. But in daily practice, it is difficult to get everything right.
The General Data Protection Regulation (AVG) emphatically puts the spotlight on privacy by design and privacy by default. After all, you can encourage careful handling of personal data by incorporating privacy already during the design of products and services. For example, by technically regulating that data are not kept longer than necessary for the purpose of processing. Privacy by default is about making the default settings privacy friendly. This means, among other things, that data minimization must be put in order, with technical and organizational measures.
In practice, we see that privacy professionals are often involved in the design process late in the process. Sometimes even after the evaluation of a project, it becomes clear that a design is not privacy-proof. Or an incident occurs, and then it suddenly turns out that the organization is processing more personal data than is allowed.
The good news: there are growing insights about successful approaches to privacy by design and privacy by default. The four most important ones are listed below.
1. Focus on privacy as a business enabler.
Good choices in the design and development phases ensure a better end result. You will then arrive at a solution that works well while taking into account the requirements of the AVG as well as the privacy expectations of your target groups. Carrying out Data Protection Impact Assessments (DPIAs), choosing privacy design strategies[1], reusable solutions and deploying privacy enhancing technologies (PETs) help with this. Careful selection of vendors is also a success factor. For example, check how vendors ensure AVG compliance, and align their own systems with your organization's guidelines.
2. Pay attention to knowledge, attitude and behavior in the workplace.
The protection of personal data during the development of new products and services is much more than a technical matter. The human factor is at least as important. You want colleagues to understand why data protection is important, and what it means for day-to-day work.
Involving colleagues early on in privacy issues builds support for the approach. With careful communication about the legal requirements, you also give employees the tools to handle personal data correctly.
3. See the connection between the various AVG standards
There is quite a bit of confusion about the relationship between Article 25[2] (on privacy by design and privacy by default) and Article 32 (on the security of processing personal data). Article 25 focuses on integrating data protection into a design. Article 32 directs technical and organizational measures in the use phase. Think encryption and recovery procedures after incidents.
In order to demonstrably comply (Article 5(2)) with AVG principles such as legality, purpose limitation, data minimization and confidentiality, attention needs to be paid to the various ways of ensuring privacy. In the design process, but also in the practical implementation of up-to-date security measures.
4. Engage in risk management.
Data protection requires continuous awareness of the potential impact of new developments on AVG compliance. What risks arise when a design is changed? What measures are then appropriate? How are privacy standards translated into standard operating procedures for innovation?
The success of risk management hinges on a culture in which the importance and necessity of privacy are taken seriously. Personal data protection is then a natural focus at all levels of the organization. Continuous assurance is crucial for demonstrating compliance.
At L2P, we believe that privacy adds value to any organization. Privacy is not an onerous obligation, or a to do that you tick off after an incident. If you really make privacy a part of products and services, you will notice the benefits in many areas. Design processes are more efficient, which contributes to the stability of business processes and systems. This in turn strengthens stakeholder confidence in your methods and organization. This is how you actually fulfill the promise of privacy as a business enabler.
[1] Hoepman, J. H. (2018). Privacy design strategies (The Blue Book). Available online at: https://www.cs.ru.nl/~jhh/publ...
[2] EDPB. (2020). Guidelines 4/2019on Article 25 Data Protection by Design and by Default. Available online at: https://edpb.europa.eu/sites/d... edpb_guidelines_201904_dataprotection_by_design_and_by_default_v2.0_en.pdf.
