Privacy by design, or how to protect privacy by design

By Axelle Drack

Published: October 28, 2024

The question of Privacy by design arose naturally with the entry into force of the RGPD, whose purpose is to protect users' privacy.

Having become fully responsible for the proper processing of personal data, companies have had to adapt to these new regulations, under threat of a fine of up to 4% of worldwide sales if the CNIL finds them non-compliant.

But what exactly is Privacy by Design? What principles does it embody, and how does it differ from Privacy by default? And how can you apply Privacy by design in your company? Find the answers in this article!

What is Privacy by design?

Privacy by design: definition

The principle of Privacy by Design (PbD) means that the protection of personal data must be built into the thinking behind any corporate project from the very start. Right from the design stage of a new service, functionality or marketing campaign, respect for privacy must be an absolute priority.

Privacy by design is set out in Article 25 of the RGPD (General Regulation for Data Protection), and failure to comply with this principle can result in financial penalties or even legal proceedings in the event of a CNIL inspection.

The benefits of Privacy by design

While, at first glance, Privacy by design implies legal, technical and time constraints, it also brings a number of advantages, such as:

  • lower legal compliance costs: by taking data protection into account from the outset, you avoid having to rework parts of the project later in order to comply with the law, which can mean additional costs, delays or even a complete rethink of the project;
  • a reduced risk of legal action due to non-compliance;
  • the development of a relationship of trust with the user, who, thanks to the transparency of data processing, has the assurance that their data will be handled with the utmost care;
  • increased consent: transparency about data processing can reassure users who were previously cautious for lack of information, encouraging them to give their consent more readily;
  • savings thanks to a reduced need for storage capacity, which can sometimes represent substantial sums.

The DPO: the guarantor of RGPD compliance

The DPO is the Data Protection Officer, otherwise known as the data controller. This new cross-functional role came into being with the entry into force of the RGPD and makes the implementation of Privacy by design possible.

This central function in the company is responsible for ensuring that privacy is respected by every employee in every company project, whether it is a marketing campaign or a cybersecurity matter.

The DPO will therefore:

  • manage the issue of personal data across the company;
  • implement a number of organizational rules, measures, tools and best practices;
  • monitor that the measures put in place comply with the principle, and be able to prove it in the event of a CNIL inspection.

💡 To fulfill this role optimally, the DPO can use an RGPD project sheet to work with the various project managers. It details the phases and actions to be implemented to guarantee the Privacy by design nature of the project.

Find out more about the role of the DPO: CNIL

The difference between Privacy by design and Privacy by default

Privacy by default is a corollary of Privacy by design. While the latter requires the protection of personal data to be taken into account right from the design stage, Privacy by default goes further, applying the maximum level of protection to user data de facto, without any action required on the part of the user.

The 7 principles of Privacy by design

Principle no. 1: adopt proactive and preventive measures

Privacy breaches must be prevented by implementing preventive rather than corrective measures. Once personal data has been misused or breached, the damage has already been done; corrective actions can then only aim at preventing future problems.

Principle no. 2: Privacy by default

As we saw earlier, the concept of Privacy by default is an integral part of Privacy by design. Maximum protection must be provided by default, i.e. implicitly and automatically, so that users do not have to take any action themselves (ticking a box, changing settings, etc.) to be protected at the highest level. If users wish to grant more freedom over their data, they can do so afterwards, once the purpose that justified the collection has been fulfilled or when the user concerned has requested it.

Principle no. 3: ensure data collection and storage compliance

From both a technical and an organizational point of view, everything must be done to ensure that data collection is compliant. Data storage must also be compliant, which means deleting data once it is no longer required for the purposes previously defined.

Principle no. 4: guarantee security throughout the project, and beyond

Guarantee to users that their data is collected securely. This guarantee must apply throughout the performance of the service and even beyond it, i.e. during the legal retention period.

Principle no. 5: ensure optimum, integral data protection

The measures applied to protect user privacy must do so without compromising the smooth running of the company. The idea is not to set these interests against each other but to reconcile them, combining privacy with data security. Offering users this assurance is even a competitive advantage, and it can have a positive impact on trust capital and brand image.

Principle no. 6: demonstrate transparency

Data collection and processing practices must be displayed transparently, as must the purposes for which the data is collected. This is why the company must draw up a privacy policy and make it visible to everyone.

Principle no. 7: protect user privacy

This notion, which places the interests of users at the forefront of all considerations, is intrinsically present in all the principles. Companies are responsible for equipping themselves with the right systems and tools to comply with legal constraints. Ethical practices must also be adopted at all levels of the company, so that only the necessary information is collected and handled with care.

How to apply Privacy by design?

Applying Privacy by Design is a demanding challenge for companies and organizations, from both a technical and organizational point of view.

For example, to be able to set up a data collection system, you need to be technically equipped to check, modify and delete data after the fact.

Let's take a look at some concrete measures that can help you apply Privacy by Design.

Some concrete measures

Data pseudonymization

This data structuring technique makes it more difficult to identify an individual, unless additional information is available. Data is classified and dissociated by purpose in a dedicated database.
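One way to put the two sentences above into practice, as an added example that is not part of the original article: a keyed pseudonym replaces the direct identifier, and the table linking pseudonyms back to people (the "additional information") lives in a separate store. The records, field names and the per-purpose keys are constructed for the example.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for this example (not from the article).
CUSTOMERS = [
    {"email": "alice@example.com", "city": "Lyon", "spend": 120.0},
    {"email": "bob@example.com", "city": "Lille", "spend": 45.5},
    {"email": "alice@example.com", "city": "Lyon", "spend": 30.0},
]


def pseudonym(identifier, purpose_key):
    """Keyed pseudonym: HMAC-SHA256 of the identifier under a per-purpose key.

    A plain hash would let anyone recompute it from a list of candidate
    e-mail addresses; the secret key is the 'additional information'
    without which the pseudonym cannot be linked back to a person.
    """
    return hmac.new(purpose_key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def split_by_purpose(records, purpose_key):
    """Return (working_set, reidentification_table) for one purpose.

    The working set keeps only the fields the purpose needs plus the
    pseudonym, so one person stays linkable within that purpose. The table
    mapping pseudonym -> e-mail is stored separately, with restricted access.
    """
    working_set, table = [], {}
    for rec in records:
        p = pseudonym(rec["email"], purpose_key)
        table[p] = rec["email"]
        working_set.append({"user": p, "city": rec["city"], "spend": rec["spend"]})
    return working_set, table


def reidentify(p, table):
    """Only whoever holds the separate table (or the key) can reverse a pseudonym."""
    return table.get(p)


if __name__ == "__main__":
    # One fresh key per purpose: datasets built for different purposes carry
    # different pseudonyms for the same person and cannot be joined on them.
    analytics, analytics_table = split_by_purpose(CUSTOMERS, secrets.token_bytes(32))
    marketing, _ = split_by_purpose(CUSTOMERS, secrets.token_bytes(32))
    print(analytics[0]["user"] == analytics[2]["user"])  # True: same person, same purpose
    print(analytics[0]["user"] == marketing[0]["user"])  # False: different purpose
    print(reidentify(analytics[1]["user"], analytics_table))  # bob@example.com
```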

Minimizing data collection

Applying the strict-minimum principle is made technically possible by Privacy Enhancing Technologies, which enable users to retain control over their data: they can minimize, and even anonymize, their data if they so wish.

Zero-knowledge proof protocols

This type of secure protocol provides mathematical proof that a user is who they claim to be (authentication and identification) without revealing any other information.
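To show what "proof without revealing any other information" means in practice, here is an added example (not from the article) of the Schnorr identification protocol with both parties' messages; the group parameters are toy values constructed for the example and far too small for real use.

```python
import secrets

# Toy Schnorr group, constructed for this example and far too small for real
# use: p = 2q + 1 with q prime, and g = 4 generates the subgroup of order q.
P, Q, G = 2039, 1019, 4


def keygen():
    """Prover's secret x and the public value y = g^x mod p the verifier holds."""
    x = secrets.randbelow(Q - 1) + 1
    return x, pow(G, x, P)


class Prover:
    """Knows x and convinces the verifier of that without ever sending x."""
    def __init__(self, x):
        self.x, self.r = x, None

    def commit(self):
        # Message 1: fresh random r, send t = g^r (reusing r across two
        # challenges would let the verifier solve for x).
        self.r = secrets.randbelow(Q - 1) + 1
        return pow(G, self.r, P)

    def respond(self, c):
        # Message 3: s = r + c*x mod q; the random r masks x, so s leaks nothing.
        return (self.r + c * self.x) % Q


class Verifier:  # holds only the public y
    def __init__(self, y):
        self.y = y

    def challenge(self):
        # Message 2: random non-zero challenge (c = 0 would accept anyone).
        return secrets.randbelow(Q - 1) + 1

    def check(self, t, c, s):
        # Accept iff g^s == t * y^c (mod p), which holds only with the x behind y.
        return pow(G, s, P) == (t * pow(self.y, c, P)) % P


def run_protocol(prover, verifier):
    t = prover.commit()        # prover -> verifier
    c = verifier.challenge()   # verifier -> prover
    s = prover.respond(c)      # prover -> verifier
    return verifier.check(t, c, s)


def simulate_transcript(y):
    """Why nothing is disclosed: an accepting (t, c, s) can be produced without
    x by choosing c and s first and solving for t = g^s * y^(-c) mod p."""
    c, s = secrets.randbelow(Q - 1) + 1, secrets.randbelow(Q)
    return (pow(G, s, P) * pow(y, Q - c, P)) % P, c, s
```

Because anyone can forge a transcript that looks just like a real one (simulate_transcript), the verifier learns nothing from the exchange beyond the fact that the prover knows x.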

Working frameworks

As soon as a new service, product, project or functionality is launched, it is essential to ensure that privacy protection measures are respected. To work more efficiently, we recommend using working frameworks designed for this purpose. Such a document is a good starting point for checking that you are ticking all the boxes required by the RGPD.

Tools to help you apply Privacy by design

Are you sure your company is "Privacy by design"? Using "RGPD compliant" tools, and above all digitizing your compliance, takes the guesswork out of the equation and helps you avoid the risk of sanctions. You can manage your data with complete peace of mind, and with much greater speed and efficiency!

These online RGPD solutions make it easier for you to:

  • create data processing maps;
  • perform RGPD compliance audits;
  • centralize and track all compliance documentation;
  • conduct CNIL-compliant security risk impact assessments;
  • create customizable project sheets based on templates to facilitate work with project managers;
  • monitor the compliance of all projects;
  • categorize data according to purpose;
  • remain compliant as the law evolves;
  • keep proof of consent, etc.

🛠 Among the most reputable RGPD compliance players on the market, you can turn to:

  • Witik: a French RGPD compliance platform that supports SMEs and mid-sized companies (ETIs) in steering their various compliance programs (RGPD, Sapin II law, ePrivacy regulation, ISO...). To guarantee the Privacy by design nature of your company and projects, Witik gives you access to a host of features: training, auditing and customizable register templates designed by DPOs, consent management incorporating native A/B testing, reporting and follow-up attestation, and much more!
  • Data Legal Drive,
  • Central Consent Manager,
  • Compliance Booster,
  • Datae.

From Privacy by design to Privacy by using?

Integrating the principles of Privacy by design into all projects requiring data collection is the best practice to adopt to comply with the RGPD without negatively impacting the company. Properly respected, these principles imply the application of measures that can even have a beneficial effect on the company.

Privacy by using advocates empowering users with regard to their personal data. By giving them information on the purpose of their data and the technical tools to manage the level of confidentiality themselves, it gives them autonomy. This makes them more inclined to give companies more freedom over the use of their data. With broader consent, companies can remove certain obstacles, expand the field of possibilities by offering more innovations, and better meet users' needs.

Could shared responsibility for data be the key to a more innovative market? What do you think?

Article translated from French