What is Privacy by Design
Privacy by Design (“PbD”) is a concept originally developed in the 90’s by Ann Cavoukian, the former Information and Privacy Commissioner of Ontario. It was developed to address the privacy risks of new information and communication technologies. The concept achieved international acceptance in 2010 when the International Conference of Data Protection and Privacy Commissioners (currently known as the Global Privacy Assembly) recognised it as international standard.
The concept has also found its way into legislation, as the EU’s General Data Protection Regulation (“GDPR”) now requires organisations - even before the collection of any personal data - to implement ‘appropriate technical and organisational measures’ to ensure that their data processing activities will meet the requirements of the GDPR. In the GDPR, the concept is called Data Protection by Design and differs from the original Privacy by Design concept.
The original Privacy by Design concept takes the view that privacy cannot be assured solely by compliance with legal and regulatory frameworks. Legislation, such as the GDPR tends to lag behind technology creating uncertainty, especially when developing new technologies to process personal data.
Rather than being a compliance framework, Privacy by Design can be seen as a(n) high level approach to achieve two main objectives - ensuring privacy and enabling personal control over one’s information - objectives which can be accomplished by practicing the 7 foundational principles of Privacy by Design.
Privacy by Design and GDPR’s Data Protection by Design can be criticised for being too “vague” and “high level” leaving too many open questions on how to apply them in practice. Applying the concept into systems engineering requires in-depth knowledge on privacy laws before obligations can be turned into systems requirements.
We at PrivacyDesigner have been advocating Privacy by Design since founding our company. In PrivacyDesigner tool, different privacy law obligations are presented to the user as actionable ‘controls’ that must be implemented. This leaves a perfect audit on how privacy law requirements were implemented into different products and services - in case you need to demonstrate compliance to data protection supervisory authorities.