Designing for privacy

Regulators worldwide are showing an increasing interest in the protection of personal data. To achieve this protection, they advise or require companies to develop and market their products with privacy and security as an integral component of the design. Two concepts shape this process: data protection "by design" and data protection "by default".

"Data Protection by Design" means designing a product with the applicable privacy and security laws and principles in mind from the earliest stages of the design. "Data Protection by Default" means that the initial settings of a product must be chosen so that, by default, they provide the maximum protection of the user's privacy and security.

The EU General Data Protection Regulation (GDPR), which governs the protection of personal data in the European Economic Area (EEA) and becomes effective as of May 25, 2018, requires in Article 25 that, both at the time of the design and at the time of the processing of personal data, companies use appropriate technical and organizational measures that implement the GDPR data protection principles and protect the rights of the data subjects. Article 25 also requires that default settings allow the use or sharing of only the data that is necessary for a specific purpose.

Start by Educating your Designers

First, you should ensure that your designers and developers understand the basic principles of data privacy and data protection. For example, among other things, data protection principles incorporate notions of adequacy (ensuring that the right amount of data is collected), accuracy (ensuring that data is complete and up-to-date), limited retention (deleting data that is no longer necessary) and security (protecting data from unwanted access or modification). Training and awareness are essential to proper data protection by design.

Bake Data Protection Requirements into the Specifications

Second, you should look at the product from a data and privacy perspective and evaluate the proposed purpose, functionalities, categories of data that might be processed, and the intended uses, sharing, retention, or disposal of the data. Only a clear and detailed picture of the key features of the product will make it possible to understand the potential effect of that design on the privacy rights of the affected parties.

Take a critical look at the proposed specifications. Analyze whether, and to what extent, the proposed activities meet the data protection laws and principles to which your company is subject. For example, is all data acquired "fairly and legally"? Or is some of the data collected in ways that most consumers would not expect? In some countries, the individual data subject must provide explicit consent and be allowed to withdraw that consent. How would that initial consent be provided? And how would the company implement the withdrawal of that consent?

Think from the Viewpoint of the User

Becoming privacy-aware does not require an all-or-nothing approach, which might be detrimental to one of the parties. It means exploring ways to accommodate both the needs of the company and those of the data subject. Keep in mind that the best designs balance the needs of all parties. While compliance is a priority, the design should also reflect the company's legitimate needs, for example, the need to have the maximum number of users, visitors, or subscribers. A recurring question should be "Can we do this better, and in a more privacy-aware manner?" For example, how should consent be obtained to ensure an adequate user experience? If users' consent is required by law, how can we convince them to consent, and that it is in their best interest?

Make a Data Protection Impact Assessment

Conduct a data protection impact assessment. This will help determine the extent to which the proposed processing is likely to pose risks to the privacy of individuals or the security of their personal information. In the end, the analysis described above should result in a list of requirements, restrictions or conditions to be followed in the design and development of the product and throughout the period during which the product is in use.

Weed out What you don't Need

Article 25 of the GDPR points to two aspects of data collection and use that are especially relevant to data protection "by design": data minimization and pseudonymization.

Companies tend to collect more than they need, under the guise that they may need that information one day. In most cases, this is a bad decision. While the cost of storage is decreasing, storing unnecessary data is still an expense. Old data is usually obsolete, and thus unreliable and useless. The more data you keep, the more risk and liability you accumulate. If your system is hacked or a laptop is stolen, there will be a greater probability that you have to report a breach of security to the regulators.

Aiming for data minimization provides an antidote to data gluttony. Be lean, be frugal. Evaluate whether the amount of data collected is appropriate for proper functioning of the product. Making the effort to step back and identify what you really need, and requiring your designers and developers to do the same, will make for better, more elegant and more efficient design.

Pseudonymization

If the data is needed for research or statistics, or to find trends or other analytics, pseudonymization is an excellent workaround. It allows a company to balance its need for market intelligence against the users' interest in being free from invasive profiling.

Limit Data Retention

Keep in mind that in most instances, old data is obsolete and thus useless. Data retention should be limited by technical means, both as part of the original design and in subsequent updates, to ensure that data is kept for the minimum amount of time necessary. Appropriate reminders could be used to prompt the user to delete unused data. Data disposal, when the product is terminated or the customer leaves, should be planned and programmed accordingly, and incorporated within the code, so that all data stored in the associated databases, memory, or other storage devices is properly and securely deleted. This will help weed out the data files and reduce the risk of theft or loss.
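An added example (not code from the article or its author) of the two technical levers from the "Pseudonymization" and "Limit Data Retention" sections working together: records are stripped of the direct identifier via a keyed HMAC token before they reach analytics, and records past the retention period are purged in code rather than by policy alone. It assumes a product that stores event records keyed by email and keeps the HMAC key in a separate secrets store; the records and dates are constructed sample data.

```python
import hashlib
import hmac
from collections import Counter
from datetime import datetime, timedelta, timezone

# Constructed sample data: raw records as a product might store them.
# The email is the direct identifier that analytics never needs to see.
RAW_RECORDS = [
    {"email": "alice@example.com", "country": "FR", "ts": "2018-01-10T09:00:00+00:00"},
    {"email": "Alice@example.com", "country": "FR", "ts": "2018-03-02T12:30:00+00:00"},
    {"email": "bob@example.com",   "country": "DE", "ts": "2017-03-15T08:00:00+00:00"},
    {"email": "carol@example.com", "country": "FR", "ts": "2018-04-20T17:45:00+00:00"},
]
# Hypothetical: in production this key comes from a secrets store that the
# analytics environment cannot read, so tokens cannot be linked back to people.
ANALYTICS_KEY = b"constructed-test-key-not-for-production"
AS_OF = datetime(2018, 5, 25, tzinfo=timezone.utc)  # constructed "today"


def pseudonymize(record, key):
    """Replace the email with a keyed HMAC token.

    The same person always maps to the same token (so trends and distinct
    counts survive), but without the key the token reveals nothing.
    """
    normalized = record["email"].strip().lower().encode("utf-8")
    token = hmac.new(key, normalized, hashlib.sha256).hexdigest()[:16]
    out = {k: v for k, v in record.items() if k != "email"}
    out["subject_id"] = token
    return out


def purge_expired(records, now, retention_days):
    """Retention limit enforced in code: drop anything older than the window."""
    cutoff = now - timedelta(days=retention_days)
    return [r for r in records if datetime.fromisoformat(r["ts"]) >= cutoff]


def build_analytics_view(records, key, now, retention_days):
    """Minimized, pseudonymized, retention-limited view handed to analytics."""
    return [pseudonymize(r, key) for r in purge_expired(records, now, retention_days)]


def distinct_subjects_per_country(view):
    """A trend query that works on tokens alone: distinct subjects per country."""
    seen = {(r["country"], r["subject_id"]) for r in view}
    return Counter(country for country, _ in seen)
```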

Think about Security

Data security is essential to the protection of personal data. It should be part of the data protection by design strategy, and not be an afterthought. Security measures that are added as a workaround once a product has been designed are seldom effective. They might create additional vulnerabilities.

From the earliest stage of conception and development, sound security measures should be incorporated into the architecture and the coding of the product. For example, access to data should be guarded with appropriate authentication measures. Modification of existing data should be allowed only to specified individuals.

Data Protection by Default

The design should ensure data protection "by default." According to Article 25 of the GDPR, the initial settings of the product when made available to the user should be set, so that the highest levels of privacy, security, and data protection are provided. This would include, for example, limiting the amount of information that is automatically collected or ensuring that personal data is not inadvertently made accessible to an unlimited number of persons by default. Instead, the initial product settings should prohibit disclosure, sharing or access and should require the prior intervention of the concerned individual before the data can be disseminated or disclosed at large to others.

Integration with Existing Structures

The design and coding should not happen in a vacuum. Good data protection by design requires that the specifications take into account the company's existing privacy and security policies, to ensure that the proposed collection, storage, processing, retention, or sharing is in line with the company's existing data protection standards, values and promises. If there are discrepancies, the product or the relevant documents and policies would have to be updated accordingly. Further, if the product is to interconnect with another product, the design should ensure that the data does not lose its carefully designed protection when it is transferred to a less privacy-aware product.

Conclusion

Without customers, a business cannot thrive. To acquire and retain customers, the business must build trust. Taking a data protection by design approach helps build that trust and minimize risks. Data protection by design helps guide the creation of a solid base for product development that balances the individuals' legitimate expectation of privacy and the companies' business and commercial objectives. It requires cooperation and dialog among the stakeholders to help ensure that the product and its expected uses will meet both the business needs and its legal obligations. In a world where most countries have and enforce strong data protection laws, there is no good, effective product design without a privacy by design approach.


  1. A partner at Greenberg Traurig, Francoise Gilbert focuses her practice and research on U.S. and global data privacy and cybersecurity in a wide variety of markets, including, among others, Internet, e-commerce, cloud computing, connected devices, sensors, data analytics, artificial intelligence, robotics, and other emerging technologies. She is the author of the two-volume treatise “Global Privacy and Security Law,” published by Wolters Kluwer (www.globalprivacybook.com), and the co-author of a dozen other books, including “Internet of Things and Data Analytics,” published by Wiley, and “Robotic Technologies Law,” published by Larcier. Ms. Gilbert holds CIPP/US, CIPP/EU, and CIPM certifications, and has received law degrees and obtained bar admissions both in the United States and in France.