Privacy by Design

Your privacy protection practices go beyond having a good Privacy Policy.

A Privacy Policy is just one tool for limiting your company's liability and communicating expectations to users, and it is not effective unless you have the business practices and technical controls to back it up.

That is where Privacy by Design (PbD) enters the picture. In addition to advocating for sound agreements and good communication, it calls for systems that keep the information you collect from users safe.

Here's an overview of PbD and how to implement it in your own practices.

Beyond the Privacy Policy

Privacy by Design advances data protection and privacy from the start, even in the design phase of an online service or app.

Besides the documentary requirements of Privacy Policies and good online explanations, it also covers building IT systems that store data securely, complying with privacy protection legislation and regulations, securing the systems used to share data, and using personal data with care.

The guidelines around Privacy by Design offer many benefits that reassure consumers and protect your bottom line.

Evolution of Privacy by Design

Privacy by Design was developed by Dr. Ann Cavoukian, Executive Director of the Privacy and Big Data Institute at Ryerson University in Canada and former Information and Privacy Commissioner of Ontario.

She developed the framework after noticing that too many businesses deal with privacy protection shortcomings only after a data breach. Very few had measures in place to prevent breaches or at least contain the damage.

Some organisations treated their Privacy Policy as all they needed to ensure data protection. However, only seven percent of users read Terms and Conditions agreements before clicking "I agree", and Privacy Policies are likely neglected in the same way.

Users may not understand the privacy implications of using your app or service, but they still rely on you to protect their data. For this reason alone, you need to do more.

That is where Privacy by Design proves to be a helpful guide.

Foundation principles of Privacy by Design

The principles of Privacy by Design are intentionally simple so they can be translated easily into other languages.

It began as a global effort, and the principles are now available in 37 languages. These are the seven principles.

1. Be proactive to prevent a breach rather than just reacting to it

This is the foundation of Privacy by Design.

The previous trend was to respond to a privacy breach after it occurred; the better approach is to prevent it in the first place.

Privacy by Design recommends thinking about privacy at the beginning of app or online service development. If you have a product in development, decide on the data collection, retention and use procedures up front so you can also design the best way to protect that user information.

2. Valuing privacy is the default setting

This is often a difficult one for developers. There is a tendency to over-collect data rather than collect exactly what you need.

Using privacy as the default setting means you only collect necessary information, not what you think you might need in the future.

You can always collect more later, and update your Privacy Policy and FAQs to reflect that.

However, starting with the bare minimum gives you less to protect and makes a breach less damaging, should one occur.

3. Embed privacy into design

You will likely find this principle challenging as well. It involves not only treating privacy as a primary goal but also implementing it alongside the functional features of your service (website or app).

Your designers are likely most concerned with whether your app or service works. If features are added, that concern continues: will this meet consumer expectations, or will we keep releasing patches until it works well? On top of these concerns, your designers also have to integrate privacy protections.

Authentication and encryption must be embedded in the design as much as functional capabilities. This includes testing for security vulnerabilities before you release your product.

Basically, privacy protection is implemented at the same time as functional capabilities, not bolted on afterwards.

4. Avoid false dichotomies, like privacy vs. revenue

It's possible to protect privacy and enjoy growth.

Some entities see the cost of putting extra emphasis on privacy and worry about their bottom line. Make the case that prevention is better than remediation: it avoids litigation costs and encourages user confidence.

5. Full lifecycle protection

The personal information you collect goes through stages: collection or creation, use and sharing, retention, and finally destruction.

Protect the data at each stage; your responsibility does not end when you share it. Once you have kept it for as long as you need it, make sure it is actually destroyed.

Encryption (in transit and at rest), authentication and access control are the core technical controls for full lifecycle protection; secure deletion covers the final stage.

6. Be transparent with users

Earning the trust of your users is one reason to adopt Privacy by Design.

Write your policies in plain language and use clear headings in your privacy agreements. You want users to know what to expect in the handling of their information, and you also want to avoid appearing untrustworthy. Vague policies written in legal language give exactly that impression.

7. Take a user-centric approach

Remember each time you collect data, that information belongs to your users. They are giving it in trust to you so you can perform a service for them.

Never forget that while they may tick the right boxes to give you permission, they can revoke that authorisation at any time.

Laws on Privacy by Design

Following Privacy by Design offers four distinct advantages:

  1. Reduced chance of legal liability
  2. Better regulatory compliance
  3. Protecting your business reputation and brand
  4. Preserving customer confidence and loyalty

Generally speaking, PbD as a framework is not mandated by law, though the EU's General Data Protection Regulation (Regulation (EU) 2016/679, Article 25) does make "data protection by design and by default" a legal obligation for the organisations it covers.

Either way, its practices are well suited to ensuring compliance with current laws, because they push you beyond the minimum requirements toward an effective big-picture approach to privacy protection.

These laws include:

  • UK: Data Protection Act.

    The Information Commissioner's Office (ICO) is a big advocate of Privacy by Design. While the agency is clear that following these guidelines is not itself required for compliance with the Data Protection Act, it is a helpful way not only to comply with the act but to exceed expectations.

  • Canada (Ontario): Freedom of Information and Protection of Privacy Act. Since the founder is a former Information and Privacy Commissioner of Ontario, you could say Canada is the birthplace of Privacy by Design.

    Being proactive also helps ensure compliance with this act.

  • European Union: New data protection regulations.

    The EU started its data protection reform in January 2012, shortly after PbD had been adopted as an international privacy standard in 2010.

    Regulation (EU) 2016/679, the General Data Protection Regulation (GDPR), governs the processing of personal data and its free movement, requires "data protection by design and by default" (Article 25), and sets out administrative fines for non-compliance. Directive (EU) 2016/680 applies parallel rules to processing by police and criminal justice authorities.

    Again, the Privacy by Design recommendations are advanced as a way to follow these rules.

  • US: Federal Trade Commission (FTC) recommendations and other laws.

    The FTC published a report recommending that companies adopt PbD principles. It argued from consumer protection while recognising the risks of the free flow of data. In addition, the U.S. has several federal laws regarding the protection of personal data.

    The point of the FTC report was that many PbD recommendations would also help companies comply with existing laws that protect personal information.

The California Online Privacy Protection Act (CalOPPA) frequently arises in discussions about apps, online services and privacy.

However, it only concerns how you present your Privacy Policy online to consumers in California. It does not regulate your internal business practices around privacy protection.

Federal law is the baseline, but state laws like CalOPPA apply to any online service that collects personal information from residents of that state, so a Privacy by Design programme should cover both.

Privacy by Design cheat sheet

Assess the nature of the information you collect.

Your company should always be aware of the privacy effects when adding new features or upgrading your website or mobile app.

Staying aware will help you design more effective privacy protection.

This includes checking whether you collect just enough data for your service to operate. If your data requests go beyond what users need to make optimal use of your service, reduce what you collect.

Request only as much as you need, not as much as you want. That reduces the amount of data you hold and the chance of disclosing it inappropriately.

Don't wait for a breach to make changes

Privacy needs to be considered at the design stage, not after something goes horribly wrong. When you take a reactive rather than proactive approach, your money goes to PR campaigns and defending class action lawsuits. Consumer trust can be impossible to earn back, if you get it back at all.

Forming an effective preventative approach before launching your product also costs money, but it pays off in consumer confidence and lower legal bills. Encourage your designers to take data privacy into account from the beginning and make it a habit. It may take time to see the benefits, but they are there.

Even if your product is not new, you can still make a proactive plan to protect data. Perform an audit to see where you can do better with privacy and make it the default setting from this point forward.

Done this way, designers will feel they can be candid about shortcomings, and you can implement needed changes before something happens.

Know your protection baseline

At a minimum, your company should offer explicit opt-in and opt-out procedures, keep the systems that hold personal data patched and protected against malware, and restrict sharing to those with a need to know.

If there are holes in any of these policies, reassess your privacy priorities and adjust them so you are communicating clearly with users and keeping their data safe.

Design retention procedures

Privacy protection is not limited to data collection. It also extends to data retention. If you only require data for a certain period, write policies that allow that retention but destroy the data once it is no longer needed.

Remember that copies live on in backups, replicas, logs and analytics exports. A record deleted from the primary database that later resurfaces from a backup is still a disclosure you are liable for, so destruction procedures must cover every copy (or render them unreadable, for example by destroying the encryption key). You may need to hire a security firm to verify that destruction is complete.

Review your encryption and authentication processes

If you make data available to third parties, be careful about how you share it. Emailing records in the clear, or putting the data behind an unlisted (non-public) web address, does not offer the same level of security as encrypting the data and requiring authenticated access. An unguessable URL is not access control: it leaks through browser history, referrer headers and server logs.

Forced periodic password changes are no longer recommended: NIST SP 800-63B advises against arbitrary rotation because it pushes users toward weaker, predictable passwords. Instead, require strong, unique passwords, screen them against known breached-password lists, and offer multi-factor authentication. If there are doubts about whether your security controls are effective, consider hiring an outside firm to audit them.

Authentication can be as simple as a login process, provided passwords are stored as salted, slow hashes (bcrypt, scrypt or Argon2) rather than in plain text, and login attempts are rate-limited.

Deloitte offers consulting services, including those associated with Privacy by Design. It also offers authentication platforms so company resources are not misused. This is the sign-in it set up for company Lexis accounts:

Deloitte Sign In form

Encrypted email is often the first place users encounter encryption. Typically a notification email with instructions arrives before the encrypted message itself. This is the template used by the University of Texas at Arlington:

University of Texas email on encryption

Check your privacy lifecycle

You need to review privacy protection at each stage of the data's lifecycle.

This includes when you collect, create, share, archive and delete it. Do not neglect data at any step; your responsibility remains even when you share the information with a third party.

Authentication and encryption procedures offer protection, but you should also know who actually requires access to this data. Adopt a strict "need to know" policy for making users' personal information accessible, and apply it uniformly at every stage of the data lifecycle.
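The cheat sheet's technical points (collect only what is needed, need-to-know access, encryption and authentication, retention and destruction across the lifecycle) fit in one small module. The following is an added example written for this page; it is not code from the original article or from any organisation the article mentions. The field allowlist, the role views and the 30-day retention window are assumed policy values, and the HMAC-based cipher stands in for a real authenticated cipher such as AES-GCM so the example runs with the standard library alone.

```python
"""Privacy-by-Design controls for a user record store (added example, not from the article).

  - data minimisation: a field allowlist refuses anything the service does not need
  - need-to-know access: each internal role gets only the fields it requires
  - lifecycle protection: sensitive fields are encrypted at rest with a per-user key,
    a retention clock starts at account closure, and expired records are purged by
    destroying the key (crypto-shredding), so copies lingering in backups become unreadable.
The cipher is HMAC-SHA256 in counter mode plus an HMAC tag, chosen so this runs without
third-party packages; in production use an AEAD such as AES-GCM from `cryptography`.
"""
import hashlib
import hmac
import os
from datetime import datetime, timedelta, timezone

ALLOWED_FIELDS = {"email", "display_name", "country"}   # assumed: all the signup flow may store
SENSITIVE_FIELDS = {"email"}                              # encrypted at rest
RETENTION = timedelta(days=30)                            # assumed policy: purge 30 days after closure
ROLE_VIEWS = {                                            # need-to-know: role -> readable fields
    "support": {"display_name", "country"},
    "billing": {"email", "country"},
    "analytics": {"country"},
}


def minimise(submitted: dict) -> dict:
    """Keep only allowlisted fields and fail loudly if the client sent extra data."""
    unexpected = set(submitted) - ALLOWED_FIELDS
    if unexpected:
        raise ValueError(f"refusing to store unrequested fields: {sorted(unexpected)}")
    return {k: v for k, v in submitted.items() if k in ALLOWED_FIELDS}


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Keystream made of HMAC-SHA256(key, nonce || counter) blocks."""
    blocks, counter = [], 0
    while 32 * len(blocks) < length:
        blocks.append(hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest())
        counter += 1
    return b"".join(blocks)[:length]


def encrypt_field(key: bytes, plaintext: str) -> str:
    """Encrypt-then-MAC: hex(nonce || ciphertext || 16-byte tag)."""
    nonce = os.urandom(16)
    data = plaintext.encode()
    ct = bytes(a ^ b for a, b in zip(data, _keystream(key, nonce, len(data))))
    tag = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    return (nonce + ct + tag).hex()


def decrypt_field(key: bytes, blob_hex: str) -> str:
    blob = bytes.fromhex(blob_hex)
    nonce, ct, tag = blob[:16], blob[16:-16], blob[-16:]
    expected = hmac.new(key, nonce + ct, hashlib.sha256).digest()[:16]
    if not hmac.compare_digest(tag, expected):       # verify before decrypting
        raise ValueError("ciphertext tampered with or wrong key")
    return bytes(a ^ b for a, b in zip(ct, _keystream(key, nonce, len(ct)))).decode()


class UserStore:
    def __init__(self) -> None:
        self._records: dict = {}   # user_id -> stored fields (sensitive ones encrypted)
        self._keys: dict = {}      # user_id -> per-user key; in practice a separate key store

    def create(self, user_id: str, submitted: dict) -> None:
        record = minimise(submitted)
        key = os.urandom(32)
        self._keys[user_id] = key
        stored = {f: encrypt_field(key, v) if f in SENSITIVE_FIELDS else v for f, v in record.items()}
        stored["_closed_at"] = None
        self._records[user_id] = stored

    def read(self, user_id: str, role: str) -> dict:
        """Return only the fields the caller's role needs, decrypting on the way out."""
        if role not in ROLE_VIEWS:
            raise PermissionError(f"unknown role {role!r}")
        if user_id not in self._records or user_id not in self._keys:
            raise LookupError("record does not exist or has been purged")
        stored, key = self._records[user_id], self._keys[user_id]
        return {f: decrypt_field(key, stored[f]) if f in SENSITIVE_FIELDS else stored[f]
                for f in ROLE_VIEWS[role] if f in stored}

    def close_account(self, user_id: str, now: datetime) -> None:
        self._records[user_id]["_closed_at"] = now     # starts the retention clock

    def purge_expired(self, now: datetime) -> list:
        """Destroy records whose retention period has elapsed; returns the purged ids."""
        purged = []
        for user_id, rec in list(self._records.items()):
            closed = rec["_closed_at"]
            if closed is not None and now - closed >= RETENTION:
                del self._keys[user_id]        # crypto-shred: backup copies of the ciphertext are now useless
                del self._records[user_id]
                purged.append(user_id)
        return purged


if __name__ == "__main__":
    store = UserStore()
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store.create("u1", {"email": "ann@example.com", "display_name": "Ann", "country": "CA"})
    print(store.read("u1", "support"))            # no email: support does not need it
    store.close_account("u1", t0)
    print(store.purge_expired(t0 + RETENTION))    # ['u1']
```

The point of keeping the key store separate from the records is the "mirror data" problem above: a backup taken before the purge still contains the ciphertext, but once the per-user key is gone that copy can no longer be read, which is the cheapest reliable way to make destruction cover every copy.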

Be open

Your users should be aware of your privacy practices. You can put this in your Privacy Policy but remember that only a small percentage of users may read the agreement.

If you handle many types of information, consider setting up a Privacy FAQ.

Amazon collects fairly substantial personal information from its customers and offers a clearly explained Privacy Notice.

It is easy to navigate by question, and when a user clicks one they get a simple explanation in plain language.

The start of the Amazon Privacy Notice FAQ

It's very clear:

A clear description of information collected from Amazon

Keep all explanations focused on the consumer. If you use vague language, it will look as though you want to hide how you use consumer data. This can backfire badly in the long run, so always be user-centric and transparent.

There is a reason Privacy by Design is gaining popularity in this era of free-flowing data and information exchange. It reassures your users, and it also protects your reputation, bottom line and legal compliance. Look into how you can make data privacy a priority in your company today.

Jocelyn Mackie

Former civil litigation attorney. Content legal strategist.

This article is not a substitute for professional legal advice. This article does not create an attorney-client relationship, nor is it a solicitation to offer legal advice.