Whenever you read or hear information about the GDPR, you will most likely come across the terms Privacy by Design, and Privacy by Default. They are set out in article 25 of the regulation and they are a way of ensuring data protection becomes a consideration of future systems and procedures and that the protection that is inherent in new software or methodologies is proportionate and workable whilst offering the data subject (the person about whom the data is held) the best level of protection. These protections include controlling access to the data and deletion of the data once it is no longer required.
Privacy by Design
This introduces a new discipline in system design. For many years businesses relied upon traditional securities to ensure that data was kept safe – these measures were things like firewalls on the network, user ID and password protection on computers etc. All these measures are external to the design of the system.
Now we must place privacy as a key area alongside functionality. This will be a consideration very early in the design cycle. If the new process is to use personal data then a Privacy Impact Analysis (PIA) will need to be conducted so that proportional and effective protection can be designed into the system. Such protection may be to encrypt the data before storing it or designing levels of authority so that only required fields are shown to users of a system and not everything.
Privacy by Default
Privacy by Default is a much simpler concept – and a very powerful principle in data protection. You may have read books or seen films where there is an element of secrecy and government agents, files with ‘TOP SECRET’ stamped on them in forbidding red ink. Very often we hear the phrase “it’s on a need to know basis” in the dialogue.
It is the principle of ‘need to know’ that is the basis for Privacy by Default. For example, a new employee starts work at a firm of accountants. A request is made to the IT department to create a new user logon for the employee. The Privacy by Default principle of the GDPR dictates that in creating the user, there is no default ability to access any personal data. Access to personal data is an active decision made on a basis of providing the minimum level of access required to undertake the responsibilities of the job – a need to know basis.
Another example of Privacy by Default. A consumer signs up to a new social media platform, they are required to give personal information such as date of birth, gender, location etc. Whilst there may be the facilities on the platform for the user to share this information, the default settings for this information should be to keep it private.