{"id":1479,"date":"2018-08-31T11:52:29","date_gmt":"2018-08-31T09:52:29","guid":{"rendered":"https:\/\/staging.techgdpr.com\/?p=1479"},"modified":"2024-02-22T18:09:43","modified_gmt":"2024-02-22T17:09:43","slug":"what-the-gdprs-privacy-by-design-really-means-for-your-business","status":"publish","type":"post","link":"https:\/\/techgdpr.com\/blog\/what-the-gdprs-privacy-by-design-really-means-for-your-business\/","title":{"rendered":"What the GDPR’s ‘Privacy By Design’ Really Means for Your Business"},"content":{"rendered":"\n

How, exactly, can privacy be designed? <\/em>Companies concerned about Europe’s <\/span>General Data Protection Regulation<\/span><\/a> (GDPR) may or may not have already considered the curious concept of “privacy by design and privacy by default” \u2014 but consider it, they must. While it’s hardly the most charming regulatory text ever written, it’s implications are vast, and understanding it properly saves startups considerable time and money (and headaches) if they begin implementing a few key privacy procedures while they are still at earlier stages of product and procedural development. <\/span>The legal nuts and bolts can be found in <\/span>Article 25<\/span><\/a> of the GDPR, with this excerpt below clarifying the main requirements: <\/span><\/p>\n\n\n\n

\u201cIn order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimizing the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features.\u201d (<\/span>Recital 78<\/span><\/a>)<\/span><\/em><\/p>\n\n\n\n

Simply put, the GDPR <\/span>expects <\/span><\/a>companies and other organizations to implement technical and organizational measures at their earliest stages of design and at the earliest stages of their operations.  They need to do this in a way that safeguards privacy and data protection principles right from the start (“data protection by design”). Such requirements are also, quite frankly, simple due diligence in the world of reliable data management. So, how does one actually “design” data protection for data subjects?<\/span><\/p>\n\n\n\n

What is Privacy by Design?<\/b><\/h4>\n\n\n\n

Privacy by design is not a new concept. It is the <\/span>philosophy<\/span> proposed by <\/span>Dr. Ann Cavoukian<\/span><\/a>, the Information and Privacy Commissioner of Ontario in the 1990s. Ann Cavoukian is widely recognized as the primary creator of the privacy by design concept. She defines it as an <\/span>approach<\/span><\/a> to technology design that embeds privacy-enhancing measures into technology at the point of design and production, and sells to technology to consumers with strong default privacy settings. The foundational principles of \u201cPrivacy by Design\u201d as suggested by Ann Cavoukian are:<\/span><\/p>\n\n\n\n