Privacy by Design
Just as technical solutions, including social networking servers, are built up from scratch, we need to understand from the outset how the rights to privacy and data protection can be implemented in practice. In order to have a good understanding of the GDPR and of the obligations of those who handle personal data, it is essential to consider Privacy by Design and to explain at an early stage what it means. In Week 3, we will touch upon the notion of data protection by design and by default, which is related to the Privacy by Design concept and entails important duties that must be taken into account by those involved in the processing of personal data.
Privacy by Design is a significant notion that contributes to the implementation of the rights to privacy and data protection. It is especially relevant in an age when numerous systems are designed to process personal data and are deployed on a large scale. The concept was introduced by the Canadian Information and Privacy Commissioner Ann Cavoukian and promotes the idea that these rights can and should be protected not merely by regulatory measures, but by organisations implementing certain principles by design and by default in the systems that process personal data. In this regard, the seven principles of Privacy by Design are of importance:
- The Privacy by Design approach must adopt a proactive rather than a reactive stance, aiming to prevent privacy risks rather than addressing them after they occur;
- Privacy is to be the default setting;
- Privacy must be embedded into the design;
- Privacy by Design ensures full functionality and seeks to achieve both privacy and security;
- Security must be made an integral part of systems throughout their whole lifecycle;
- It seeks to achieve visibility and transparency;
- Systems are to be kept user-centric, and users' interests and needs must be taken into account.
Article 25 of the GDPR refers to data protection by design and by default. Given the nature of this legislative act, this is a more specific notion, and it focuses on the obligations of controllers, which will be discussed in the coming weeks.
© University of Groningen