We’re all going to have to change how we think and act on Data Privacy

Since the introduction of the General Data Protection Regulation (GDPR) on May 25th, 2016 a lot has been written about privacy and protection. I would like to contribute with an addition on a topic that I value greatly, namely implementing Privacy by Design in our organization.

Privacy is a fundamental right and thus has been incorporated into every human right law article. So, isn’t it our moral and legal duty of incorporating Privacy by Design into our organization, making sure that we adhere to those privacy principles in every way we can.

Communication and information technologies are booming, for example remote devices connected to the Internet resulting in the emergence of new challenges with regard to privacy protection. Embedding privacy in every aspect of our organization is absolutely crucial, from the very core of our organization – namely the design phase – until the end, the process systems. This is the only way in which we are able to ensure that our systems and processes will be privacy proof in the future, at least for an adaptive while.

Data Protection by Design are not only mere technical solutions, but should be incorporated into the organizational procedures and business models as well. The key aspect to Privacy by Design will be bridging the gap between the legal framework and the available technological implementation measures by means of providing an inventory of existing approaches, privacy design strategies, and technical building blocks of various degrees of maturity, from research and development.

Starting from the privacy principles of the GDPR legislation, Article 25 elaborates on the implementation of Privacy by Design.

When looking at Article 25 of the GDPR it says that the controller shall implement appropriate technical and organizational measures in order to ensure that, by default , only personal data which are necessary for each specific purpose of processing, are processed.

It is commonly known that the GDPR articles provide you with direction and theories on how to implement specific privacy elements. However, it doesn’t specify how it should be done, imposing a framework. That is the way the GDPR was constituted, it gives you guidance and direction, it leaves the implementation features to the controllers and processors among us, bearing always in mind the rights of the data subjects.

So, start by raising awareness to the privacy culture in your organization. As a Data Protection Officer in your organization, it would be your role to implement that particular privacy culture . However, this is not the sole characteristic of the Data Protection Officer. It requires commitment throughout the organization: starting with the board, senior leadership, and the CEO. It is important and crucial to increase the privacy visibility from the top but also to support the board into achieving the necessary privacy maturity within the organization, embedding privacy into corporate strategy and operation planning .

Delivering regular feedback on privacy projects and initiatives, starting from the top, is an absolute must to get the correct insights and awareness. Privacy should and must be leveraged as a strategic company asset. Companies that turn their mission and vision into a ‘privacy pillar’ can bring this forward as a market advantage.

Article 25 of the GDPR also states that reasonable measures should be put in place to achieve Privacy by Design. Some of these measures serve as an overview of all the necessary policies and principle guidelines of the privacy. People appreciate policies and principles, it gives them a sense of direction and structure in terms of privacy. A sound example of those Privacy by Design principles is published by the Information Commissioner of Ontario, Canada, the Dutch Data Protection Authority and the Netherlands Organization for Applied Scientific Research. There is also the ISO 29100 Privacy Framework that gives substantial insights into Privacy by Design principles.

Another key component to achieve Privacy by Design is staff training. Training must be mandatory in order to guarantee the responsibilities of safeguarding personal information . Different training tracks can be provided throughout the organization. A more common, all-round training for every employee, a brochure, a new hire video, but also the ‘higher risk privacy training’ coping with more sensitive data . 

Implement Privacy by Design into the project design lifecycle . All of our applications and processes that use personal or sensitive information should be cross-checked during the design phase. The GDPR imposes a Data Protection Privacy Assessment (Article 35) for each newly defined project where personal data is involved. Data minimization is sure an aspect to look into as well. With personal data we should be aware of the fact that we only process the amount of information that is needed to achieve a specific goal. Some examples of such a Privacy by Design could be:

  • A credit check – not everybody in the organization needs to view the complete financial history of somebody. Based on certain criteria, a simple yes or no answer could be enough to the question of credit worthiness.
  • As a result of a health check-up the amount due of an insurance policy could go up or down, but not everybody should be able or would be entitled to the health check-up findings. A mere indication back (be aware of profiling!) should be sufficient in most cases.
  • A family with a yearly income beneath 30.000 euro receives a free roll of garbage bags from the city. Does the city clerk have to know the exact amount that the family makes? No of course not, a mere yes or no will do the trick again.
  • Privacy by Design in Big Data and Analytics – a tricky one, putting together anonymized dataset – could bring the possibility of re-identification of an individual. Simply pre-tagging and identifying privacy information could be the solution.

So to finalize, Privacy by Design is not only a technique to indulge in our Information Technology capabilities. It should be covered throughout the complete organization, making everybody aware of the fact that privacy is important and that it should be governed at every stage in the decisions we take every day.

Chris Van Daele

* Image courtesy of the Information and privacy commissioner, Ontario, Canada