GDPR in focus: What is Privacy by Design?
Privacy of ‘personal data’ is at the heart of the new GDPR legislation. And one of the best ways in which this can be maintained is by ensuring appropriate security measures are in place.
All ‘Privacy by Design’ really means is that practices are protected from the start. Rather than focusing on the functional requirements of systems and methods – usually related to a public organisation’s aims or its benefit to private sector shareholders – ‘Privacy by Design’ requires that security is considered with the same level of importance as the desired outcome.
So while current Data Protection laws do not state that protective measures need to be in place from the start, the GDPR changes this entirely and makes it an explicit requirement.
Historically, companies have bolted onto existing mechanisms in order to protect data. However, such an approach often results in processes or applications that are less secure than the organisation believes, as patching up security gaps is rarely effective in the long run. The recent malware attack on the NHS is an apt example of this – the breach was possible because a number of machines within the organisation were not running Microsoft’s latest security patch.
Applying the ‘Privacy by Design’ approach
The successful application of ‘Privacy by Design’ can be achieved by aligning privacy and security with each step of a system’s development. So, rather than being seen as purely an IT issue, it’s a practice that needs embedding into every process along the way. Ultimately, privacy should be a part of the collective mindset of the organisation.
So, instead of just seeking to identify, improve and deliver to a functional specification, it’s vital that GDPR is constantly considered within all business activities, and never left to be an afterthought.
It’s therefore important to include ‘Privacy by Design’ whenever personal data is processed, including:
- The development of a new IT system
- Changes to business strategies
- The alteration of data sharing permissions
- Any difference in how personal information is being used.
Admittedly, many companies already put a great deal of thought into the security of their systems and processes. However, with the GDPR legislation, there will need to be consideration of both security and privacy – making information highly secure does not necessarily guarantee privacy, although it is a good place to start as an insecure system will inevitably lead to privacy issues.
It’s also important to understand that security and privacy are not absolutes. Data processes within organisations change continually and security methods are being improved all the time – but unfortunately, cyber-criminals are constantly seeking to get around the new measures that are put in place. This makes ‘Privacy by Design’ an ongoing process, which the GDPR makes reference to:
“Taking into account the state of the art… both at the time of determination of the means of processing and at the time of processing itself, implement appropriate technical and organisational measures…” (Article 25.1)
‘State of the art’ refers to the best possibility at the time, and is precisely why this needs to be part of an organisation-wide cultural change and seen as a continual improvement process. Therefore, trying to defend insufficient measures that haven’t been kept up to date won’t be tolerated by the ICO – especially without proof that security has been considered as the processes have evolved. It’s vital to ensure that current practices always comply with the 6 Data Processing Principles.
Still unsure about how you can weave Privacy by Design into your business operations and company culture? Contact us for further advice, and to find out more about how our Virtual DPO service could help!