7 Principles for Privacy by Design – Boost your Data Protection Compliance

Use Privacy by Design to enable better Compliance for Data Protection

Privacy by Design: these are the seven principles that will boost your data protection compliance regardless of where you do business on Earth

Privacy laws have been making more and more headlines over the last few years, and this trend is set to continue as digitalization sweeps through almost every sector of the economy. An equally strong force that will keep data protection high on companies' compliance agendas and on regulators' watchlists is the growing awareness among data subjects, i.e. ordinary people like you and me, of their rights under data protection regulations around the world.

Of course, as privacy becomes a global trend, the number of laws codifying rights and obligations relating to personal data keeps growing. The EU's GDPR set the trend about a year ago, followed by the Indian Data Protection Bill (IDPB), which is expected to bring India's data protection regime onto the same wavelength as Europe's. California, the US state with the biggest economy, passed a new data protection regime, the CCPA, which aspires to grant Californian consumers rights over their personal data comparable to those Europeans enjoy. Last but not least, China recently announced that it has started work on its first law focused purely on data protection, the Personal Information Protection Law (PIPL). Add to these frontrunners the dozens of national jurisdictions that are updating existing data protection legislation (e.g. Japan) or introducing it for the first time (e.g. Thailand), and you end up with a regulatory landscape that is no piece of cake for organizations doing business in multiple regions of the world.

While the only safe and sound way to achieve credible privacy standards is a compliance program that looks into the specific requirements of every data protection regime a company must abide by, depending on where and to whom it offers its products and services, there are seven foundational principles that, if observed, will do only good and no harm to your data protection compliance efforts. Collectively called 'privacy by design' (often abbreviated as 'PbD'), these seven basic rules sit at the core of every data protection regulatory framework, and many such laws actually contain provisions that make adherence to this privacy toolbox an explicit requirement (the GDPR's Article 25 on 'data protection by design and by default' is the best-known example).

7 principles of Privacy by Design

This is the ‘septalogue’ of Privacy by Design:

1. Proactive not reactive, preventative not remedial.

Your privacy efforts should anticipate and prevent privacy-invasive events before they happen, rather than offering remedies once they have. In other words, a sound data protection program has privacy as a goal in itself and does not merely prepare to mitigate damage already done to privacy.

2. Privacy as a default setting

Offer your products and services with privacy as the default setting, so that a user who does nothing still gets the maximum degree of privacy. Tricking people into unknowingly handing over their data will not do you any good in the long run: it only takes one report to a data protection authority to bring all of an organization's malpractices around data collection to light.

3. Privacy embedded into design

Make privacy features an integral part of the design process for every product and service, from the concept phase onward, rather than bolting them on afterwards. If you cannot afford to review your existing product catalogue en masse, make privacy review a top priority of your next product update at the latest.

4. Positive sum, not zero sum

Full functionality – positive sum, not zero sum. You should not make consumers choose between seemingly contradictory options, such as privacy or security. These two goals are, and have to be, complementary, and it is an organization's duty to make both work. Passing this burden of choice on to your customers will not get you far.

5. End-to-end security

Full lifecycle protection. Privacy by design does not mean that, just because you ship privacy as the default setting in the standard release of your products, your obligations as a data-collecting organization end there. Lawfully collecting data goes hand in hand with protecting it adequately while it is in your possession and disposing of it carefully and securely once you no longer need it. Elevated privacy and security settings should define you as a data collector and holder from the first moment you get hold of people's data until you safely and irreversibly dispose of it.

6. Keep it open

Visibility and transparency – keep it open. Be frank with your customers: do not just assure them that you take good care of their data, but actually explain to them how you do so. The more transparent you are about the precise efforts you make to live up to your privacy promises, the better. Witness the more lenient treatment organizations have received after data breaches when they spoke frankly about what went wrong and about the efforts they had made to prevent the incident.

7. Keep it user-centric

Respect for user privacy – keep it user-centric. Overall, privacy should be visible, easy to understand and manage and, most importantly, easy to restore for the average user. In other words, your privacy program will fall short of persuading a supervisory authority if it is extensive but complicated. Sophistication is good, but it should not mean complexity; not all your customers are control freaks who will dig deep into your product settings to make sure you take good care of their personal data, nor should they have to be.

Xenofon Kontargyris is a lawyer specializing in data protection and IT law, particularly in cybersecurity and IT outsourcing. He holds a PhD from the Faculty of Law of the University of Hamburg (UHH) for a doctoral thesis on "IT Laws in the Era of Cloud-Computing; A Comparative Analysis between EU and US Law on the Case Study of Data Protection and Privacy" (2018, NOMOS Verlag). Xenofon is also a CIPP/E-certified member of the International Association of Privacy Professionals (IAPP).
