On October 17, the Spanish data protection authority (AEPD) published the Guide to Privacy by Design (Guide). While Privacy by Design (PbD) first became a legal requirement in the EU with implementation of the General Data Protection Regulation (GDPR), it is a well-known concept among privacy professionals that dates back to the 1990s.
PbD should be construed as “the need to consider privacy and the principles of data protection from the inception of any type of processing.” It is a concept focused on risk management and accountability that aims to incorporate privacy protections throughout the life cycle of systems, services, products, and processes. It involves the application of measures for privacy protection among all business processes and practices associated with personal data.
Foundational Principles of PbD
The AEPD Guide, summarized below, highlights PbD Foundational Principles (first defined by Ann Cavoukian) and outlines practical steps for embedding them into GDPR compliance plans:
Privacy and security goals
The Guide also explains how traditional goals for designing secure and trustworthy systems to protect them from unauthorised processing (i.e., confidentiality, integrity and availability) are no longer enough as many new risk factors linked to authorised data processing have recently come into play (e.g., the loss of control in decision making, excessive data collection, re-identification). Nowadays it is necessary to widen the scope of analysis and the goals following GDPR’s reinforced focus on risk analysis. To guarantee satisfaction of GDPR principles in this context, controllers should consider (particularly with a view to carrying out DPIAs):
- Unlinkability: “process data in such a manner that the personal data within a domain cannot be linked to the personal data in a different domain, or that establishing such a link involves a disproportionate amount of effort.” This relates to the GDPR principles of data minimisation, storage limitation, and integrity and confidentiality.
- Transparency: “clarify data processing such that the collection, processing and use of information can be understood and reproduced by all the parties involved and at any time during the processing.” This relates to the GDPR principles of purpose limitation, and lawfulness, fairness and transparency.
- Intervenability: “ensure that it is possible for the parties involved in personal data processing, and especially the subjects whose data are processed, to intervene in the processing whenever necessary to apply corrective measures to the information processing.” This relates to the GDPR principles of purpose limitation, accuracy, integrity and confidentiality, and accountability.
Privacy engineering; Privacy design strategies; Privacy design patterns; PETs
The Guide also refers to the concept of Privacy Engineering, which is a “systematic process with a risk-oriented focus whose goal is to translate into practical and operational terms the principles of privacy by design (PbD) within the life cycle of information systems entrusted with personal data processing.” Privacy Engineering entails three major stages:
- Privacy requirements definition: Specify the privacy properties, concept and requirements to be fulfilled by the system. This is where the privacy design strategies come into play.
- Privacy design and development: Bring the privacy requirements definition down to earth by designing the architecture and implementing system elements. In this stage, it is important to refer to privacy design patterns, which manifest privacy design strategies as reusable solutions to common privacy problems. This is also where Privacy Enhancing Technologies (PETs) come in. Following the AEPD definition, PETs consist of “a coherent system of ICT [information and communication technologies] measures that protects privacy by eliminating or reducing personal data or by preventing unnecessary and/or undesired processing of personal data, all without losing the functionality of the information system”.
- Privacy verification and validation: Integrate, test, evaluate, maintain and confirm that privacy requirements have been duly implemented and meet the stakeholders’ expectations.
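The privacy and security goals described above (unlinkability, transparency, intervenability) and the design-stage notions of privacy design patterns and PETs are abstract as stated. The following is an added illustration, not code from the AEPD Guide or any specific PET, of how one common pattern, domain-separated pseudonymisation, realises them: each processing domain derives its own key (so tokens for one person in the HR and analytics domains cannot be matched without the controller's keys), the receiving domain gets a minimised record, a controller-held registry lets the subject's rights be honoured (intervenability), and every resolution or erasure is logged (transparency). The master secret, domain names, field names and records are constructed for the example.

```python
"""Domain-separated pseudonymisation as a worked privacy design pattern.

Added example; not the AEPD Guide's own code. All keys, domains and records
below are constructed for illustration.
"""
import hashlib
import hmac
from typing import Dict, List, Tuple

# Constructed master secret; a real controller would keep this in a KMS/HSM.
MASTER_KEY = b"constructed-master-secret-for-this-example-only"

# Constructed source records as they might exist in the HR system (source domain).
HR_RECORDS = [
    {"email": "alice@example.com", "name": "Alice", "dept": "finance", "hours": 38},
    {"email": "bob@example.com", "name": "Bob", "dept": "finance", "hours": 40},
    {"email": "carol@example.com", "name": "Carol", "dept": "legal", "hours": 35},
]


def domain_key(domain: str, master_key: bytes = MASTER_KEY) -> bytes:
    """Derive a separate key per processing domain (HMAC used as a simple KDF)."""
    return hmac.new(master_key, b"domain:" + domain.encode(), hashlib.sha256).digest()


def pseudonymise(identifier: str, domain: str, master_key: bytes = MASTER_KEY) -> str:
    """Keyed pseudonym: stable within a domain, but because each domain uses its
    own key, the tokens for one person in two domains cannot be linked."""
    mac = hmac.new(domain_key(domain, master_key), identifier.encode(), hashlib.sha256)
    return mac.hexdigest()[:32]


def minimise(record: dict, domain: str, keep: Tuple[str, ...]) -> dict:
    """Data minimisation: the receiving domain gets a pseudonym plus only the
    fields it needs; direct identifiers (email, name) never leave the source."""
    out = {"pid": pseudonymise(record["email"], domain)}
    out.update({k: record[k] for k in keep if k in record})
    return out


class PseudonymRegistry:
    """Controller-held reverse map so data subjects can still exercise their
    rights (intervenability) although downstream domains only see pseudonyms."""

    def __init__(self) -> None:
        self._reverse: Dict[Tuple[str, str], str] = {}
        self.audit: List[str] = []  # transparency: every access is recorded

    def register(self, identifier: str, domain: str) -> str:
        pid = pseudonymise(identifier, domain)
        self._reverse[(domain, pid)] = identifier
        return pid

    def resolve(self, domain: str, pid: str, reason: str) -> str:
        self.audit.append(f"resolve {domain}/{pid[:8]} reason={reason}")
        return self._reverse[(domain, pid)]

    def pseudonyms_for(self, identifier: str) -> List[Tuple[str, str]]:
        return [key for key, ident in self._reverse.items() if ident == identifier]


def export_to_analytics(records: List[dict], registry: PseudonymRegistry) -> List[dict]:
    """Move HR records into the analytics domain: pseudonymised and minimised."""
    out = []
    for rec in records:
        registry.register(rec["email"], "analytics")
        out.append(minimise(rec, "analytics", keep=("dept", "hours")))
    return out


def erase_subject(identifier: str, registry: PseudonymRegistry,
                  datasets: Dict[str, List[dict]]) -> int:
    """Honour an erasure request: locate the subject's pseudonym in each domain
    and delete the matching rows in place. Returns the number of rows removed."""
    removed = 0
    for domain, pid in registry.pseudonyms_for(identifier):
        registry.audit.append(f"erase {domain}/{pid[:8]}")
        rows = datasets.get(domain, [])
        before = len(rows)
        rows[:] = [row for row in rows if row["pid"] != pid]
        removed += before - len(rows)
    return removed


if __name__ == "__main__":
    reg = PseudonymRegistry()
    analytics = export_to_analytics(HR_RECORDS, reg)
    print(analytics)
    print("erased rows:", erase_subject("bob@example.com", reg, {"analytics": analytics}))
    print(reg.audit)
```

The design choice worth noting is that unlinkability here rests on key separation, not on hashing alone: an unkeyed hash of an e-mail address would be identical in every domain and trivially matchable, whereas the per-domain HMAC key means linking two domains requires the controller's secret, which is exactly the "disproportionate effort" the Guide's definition asks for.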
The Guide goes on to define the privacy design strategies and the tactics each of them involves. It also includes one of the many classifications of PETs (classified by purpose: to manage privacy or to protect it).
Conclusions
- While the GDPR’s PbD obligation primarily addresses controllers (including joint controllers), it may also impact data processors such as service providers, product and application developers, and device manufacturers (see Recital 78 and Article 28 GDPR).
- Companies should strive to adopt frameworks to protect personal data without creating obstacles to business activities and innovation, by introducing a new technological discipline: Privacy engineering.
- Privacy must be an integral part of the business, both at the beginning of any project, process, product, or service, and throughout its implementation.
- A risk analysis should first be used to establish specific objectives and security goals, as well as data-oriented and process-oriented privacy strategies. Then, in the design stage, the selected tactics should be integrated by means of available solutions (privacy design patterns), to be implemented in the development stage (for instance, by using PETs).
- Controllers should note that failing to comply with the GDPR’s PbD principle is itself a punishable offence, and that whether a controller has implemented appropriate PbD measures is a criterion for assessing the gravity of an infringement.
Graciela Martin, an intern in our Madrid office, contributed to this entry.