Privacy By Design
GDPR So Far
The amnesty period for GDPR (General Data Protection Regulation) is over. Since the EU-regulation went into effect roughly this time last year (May 25, 2018, to be precise), European data protection agencies report that almost:
- 90,000 separate data breach notifications have been received.
- 145,000 complaints and inquiries have been reported by concerned citizens.
- 91 companies have been fined, the largest of which, Google, was fined $57 million for failing to provide enough information to users about its data consent policies and not providing enough control over how their information is used.
Just as a reminder, GDPR was designed to protect the privacy rights of EU individuals in regards to the collecting and sharing of their personal data. It applies to all companies processing or controlling the personal information of EU residents, regardless of where those firms are located. The main tenants of GDPR include: data consent, mandatory data privacy assessments, data breach notifications, stronger user rights, the need for a Data Protection Officer, and privacy by design as a part of the company’s core processes, procedures, and policies.
Meanwhile, in the World
And while GDPR is just for the EU, the privacy movement is gaining traction around the world. In a corporate blog post last month, Microsoft noted that Brazil, China, India, Japan, South Korea, and Thailand are among the nations that have passed new laws, proposed new legislation, or are considering changes to existing laws that will bring their privacy regulations into closer alignment with GDPR.
In the U.S., progress on the issue hasn’t been as swift, but it is gaining momentum. Last year California passed the nation’s strictest privacy law – what some are calling GDPR-lite. And tech leaders like Apple’s Tim Cook have called for a US federal privacy law that would mirror GDPR protection.
The 7 Principles
As privacy moves further into the public consciousness, and more and more countries adopt strict privacy laws, organizations will be stretched to adhere to these new regulations or face stiff penalties. One of the best ways to get ahead of the privacy trend is privacy-by-design. This development framework makes privacy the driving element – not just some feature that has tacked on to the solution, but rather a core component that has been proactively designed and embedded into the solution from the very beginning.
So what does this look like in terms of IT, software, and system development? There are seven foundational principles of privacy by design:
- Proactive not Reactive – IT solutions and systems should anticipate and prevent potential privacy issues before they happen.
- Privacy as the Default – Solutions should be designed to deliver the maximum degree of privacy automatically as a default setting.
- Full Functionality – Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner.
- End-to-End Security – Privacy is protected continuously throughout the lifecycle of the data – including data capture, storage, and destruction at the end of the process.
- Visibility and Transparency – The privacy and security provisions in place should be visible and transparent to all stakeholders and subject to third-party review.
- Privacy Embedded into Design – Privacy should be embedded into the design and architecture of any given solution – not added on after the fact.
- Respect for User Privacy – Architects and designers should always keep the interests of the user top of mind.
There are several steps that organizations can take so they’re ready to meet the requirements of new international privacy regulations and those that are poised arise in the United States. Privacy by design is one of the most critical ones. If your organization is looking to comply with new regulations or building IT solutions and systems with an eye to the future in terms of privacy, let’s connect.
Let’s build something beautiful together.
UI/UX Designer at Dev IQ, Men-at-Work fan, and 3D printing guru.