Privacy by Design (PbD)
Privacy by Design Ingrains Privacy into Business Operations
Privacy by Design is the strategy of systematically incorporating privacy safeguards and controls into business operations, processes, and applications.
What are the benefits of PbD?
When privacy becomes a fundamental consideration of all operations, it helps organizations improve the effectiveness of privacy efforts and reduces the costs and complexities of compliance readiness.
What are the history and founding principles of Privacy by Design?
Privacy by Design as a specific term was first outlined in a framework in the mid-1990s by the information and privacy commissioner of Ontario, Canada, Ann Cavoukian. Ann outlined seven foundational principles which still hold true today:
- The Privacy by Design (PbD) framework is characterized by taking proactive rather than reactive measures. It anticipates risks and prevents privacy-invasive events before they occur.
- PbD seeks to deliver the maximum degree of privacy by ensuring that personal data are automatically protected in any given IT system or business practice as the default.
- Privacy measures are embedded in the design and architecture of IT systems and business practices.
- PbD seeks to accommodate all legitimate interests and objectives in a positive-sum “win-win” manner, not through the dated, zero-sum (either/or) approach, where unnecessary trade-offs are made.
- PbD, having been embedded into the system prior to the first element of information being collected, extends securely throughout the entire lifecycle of the data involved; strong security measures are essential to privacy, from start to finish.
- PbD seeks to assure all stakeholders that, whatever the business practice or technology involved, it is in fact operating according to the stated promises and objectives, subject to independent verification.
- Above all, PbD requires architects and operators to keep the interests of the individual top of mind by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options.
How do the principles of Privacy by Design play into the current regulatory environment?
GDPR requires that businesses use Privacy by Design principles as specified in Article 25. Within GDPR, PbD is defined as data protection by design and default. This provides guidance that the data controller should implement organizational and technical controls focused on ensuring the rights of the data subject.
Here are additional resources:
- Ryerson University
- International Association of Privacy Professionals (IAPP) (various resources)
- European Commission