Privacy by design & by default: the great leitmotiv of the GDPR

By Eliott Mourier, Ph.D., Data Privacy Senior Consultant and GDPR Offer Manager at Micropole France

If you have initiated a GDPR compliance process within your organization, you must have wondered about a concept that permeates the entire new regulation: "Privacy by Design and by Default".

Recital #78 of the regulation, which refers instead to "data protection by design and by default," defines the concept as follows:

"When developing, designing, selecting and using applications, services and products that rely on the processing of personal data or process personal data to perform their functions, product manufacturers, service providers and application producers should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to ensure that data controllers and sub-processors are able to fulfil their data protection obligations. The principles of data protection by design and data protection by default should also be taken into account in public procurement."

It is therefore important for organizations of all kinds to ensure that the principles and requirements of the regulation are taken into account from the very beginning of their projects, and no longer on the eve of the public launch or production, as was too often the case until now. Privacy by Design is thus fully in line with the paradigmatic change brought about by the GDPR, which shifts the protection of personal data from a declarative logic to a logic of continuous accountability.

However, as is too often the case with the GDPR, the text does not provide more precise, operational guidance on how this principle is expected to be implemented as of next May. For that, we must look at the genealogy of the concept of "Privacy by Design", cross the Atlantic and delve into the work of Ann Cavoukian, Data Protection Officer for the State of Ontario in Canada. In a 2012 reference document entitled "Operationalizing Privacy by Design: A Guide to Implementing Strong Privacy Practices", the author summarizes 20 years of work on the subject in 7 fundamental principles, which help us to see things more clearly:

  • Proactivity rather than reactivity, prevention rather than remediation
  • Privacy protection configured by default
  • Privacy embedded in project design
  • Consider privacy with a "win-win" approach
  • End-to-end security
  • Visibility and transparency
  • Respect for users, user-centered approach

These are common-sense principles, but they need to be complemented with more concrete indications if they are to materialize in the company as the GDPR expects. Thus, when conducting customer audits, the right method is to approach Privacy by Design and by Default through a reading grid based on eleven operational requirements:

  • Legality, fairness and transparency of processing
  • Limitation of the purposes of the processing
  • Data minimization
  • Data accuracy
  • Limitation of data retention
  • Data integrity and confidentiality
  • Special categories of personal data (so-called "sensitive" data)
  • Data transfers outside the EEA
  • Subcontracting and partnerships
  • Taking into account the rights of individuals (right of access, rectification, deletion, opposition, portability, etc.)
  • Accountability & Traceability

Integrating these principles and requirements into the genesis of any project, any technical solution (especially in the modeling of databases), any product or any business process requires a significant effort to raise awareness among and train those involved, as well as the implementation of governance and dedicated processes. In the midst of the nebulous requirements defined by the GDPR, there is no doubt that a company's ability to demonstrate the formalized integration of Privacy by Design and by Default into its philosophy and overall mechanics will constitute, in the eyes of the regulator, a decisive element in the assessment of its level of compliance. For all the (too many) organizations that have so far opted for the ostrich policy, there is now an urgent need to get to grips with the subject.
