In just 10 months from now, companies headquartered in an EU country and all organizations that process data on EU residents will have to comply with the requirements of the GDPR – the EU General Data Protection Regulation. GDPR approved by the EU Parliament on 14th April 2016, is designed to harmonize data privacy laws across Europe, to protect and empower all EU citizens’ data privacy and to reshape the way organizations across the region approach data privacy.
GDPR, which will take effect on May 25th, 2018, has strengthened data protection legislation and introduced tougher enforcement measures to improve trust in the emerging digital economy. One of these measures is the inclusion of the concept of “privacy by design and by default” as the legal requirement.
GDPR stresses on privacy by design and default as being fundamental to achieving compliance with European data protection law, with the regulation going so far as to say that “in order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimizing the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features” (Recital 78).
In short, what this means is that privacy by design, which was formerly considered to be a best practice will now be a mandate – and one that will need to be operationally demonstrable.
This brings us to the question.
What exactly is privacy by design?
Privacy by design is an approach to embedding protection seamlessly across every strand of design and deployment of a product or service.
Privacy by design is not a new concept in data protection. It is the philosophy proposed by Mrs. Ann Cavoukian, the Information and Privacy Commissioner of Ontario in the 90’s year of last century. Cavoukian is widely-recognized as the primary creator of the privacy by design concept. She defines it as an approach to technology design that embeds privacy-enhancing measures into technology at the point of design and production, and sells to consumers, technology with strong default privacy settings. The foundational principles of “Privacy By design” as suggested by Ann Cavoukian are:
- Privacy by design is Proactive, not Reactive; it is Preventative, not Remedial. Privacy by design anticipates and protects privacy against negative and invasive effects of new products and technologies before they happen.
- Privacy by design ensures privacy as the default, which means that personal data are automatically protected in any given IT system. If an individual does nothing, their privacy still remains intact. No action is required on the part of the individual to protect their privacy − it is built into the system, by default.
- Privacy by design means that privacy is embedded into the design and the architecture of the IT system. It is not bolted on as an add-on, after the fact. The result is that privacy becomes an essential component of the core functionality being delivered.
- Privacy by design permits full functionality. When embedding privacy into a given technology, process, or system, it should be done in such a way that full functionality is not impaired, and to the greatest extent possible, that all requirements are optimized.
- Privacy by design extends securely throughout the entire lifecycle of the data involved. Strong security measures are essential to privacy, from start to finish. Privacy must be continuously protected across the entire domain and throughout the life-cycle of the data in question. There should be no gaps in either protection or accountability. The “Security” principle has special relevance here because, at its essence, without strong security, there can be no privacy.
- Privacy by design seeks to assure visibility and transparency, as they are essential to establishing accountability and trust.
- Privacy by design is consciously designed around the interests and needs of individual users, who have the greatest vested interest in the management of their own personal data. The architects should keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric!
Why do technologies need privacy and security by design?
The Global Internet of Things (IoT) market is growing at a phenomenal rate. The market is projected to register compounded annual growth rate (CAGR) of 13.2% during the forecast period 2016-2023 globally. While this growth is exciting, security and privacy remain the top concerns.
With the growth of the internet, trust is becoming an increasingly important factor in the digital ecosystem. The extensive collection, processing, and analysis of personal information has given rise to serious privacy concerns, especially relating to wide-scale electronic surveillance, profiling, and disclosure of private data. Privacy has become a critical enabler of trust and freedom in our present-day information society. It is now widely recognized that unless a system is developed from “ground up” with protection at its core, failure will emerge through unexpected weaknesses. So embedding privacy partnered with security directly into the design is a crucial step for privacy protection.
According to a study conducted by Forrester, “2017 Predictions: Dynamics That Will Shape The Future In The Age Of The Customer “Trust is now a business currency. Your customers are more aware of, wary of, and frustrated with security and privacy risk, and you will increasingly gain or lose affinity based on how much they trust your company.” Therefore businesses should “bake in” the appropriate privacy and data protection controls as a project begins. Privacy and security should not be considered only as a checkbox exercise. As Cavoukian says, privacy “cannot be assured solely by compliance with regulatory frameworks; rather, assurance must ideally become an organization’s default mode of operation.” So true — and even more important today. We Least Authoritarians agree with Ann Cavoukian.
Privacy and security by design principles are at the heart of Least Authority.
We firmly believe in security by design. We do not believe in security by policy. Privacy and security are integral to our organizational priorities, project objectives, and design processes and is incorporated into our products by default. We create software designs that are inspired by end-to-end security and the ‘Principle of Least Authority,’ an important design consideration which enhances the protection of data and functionality from faults (fault-tolerance) and malicious behavior (computer security). Our S4 product – an Amazon S3-based backend for Tahoe- LAFS, provides what is called the ‘provider-independent security’, which means that under no circumstances can Least Authority circumvent the encryption and we never look at your communication even if we want to. If you have any questions or comments about our secure products and services please send them our way at firstname.lastname@example.org.