Enforcing Data Privacy by Design for Third Parties

According to the United Nations Conference on Trade and Development (UNCTAD), 66% of all countries in the world have enacted legislation to address data protection and privacy(1).

The General Data Protection Regulation, which became EU law in 2018, is arguably the most well-recognized and globally influential data protection legislation, and has outlined the following foundational principles of data protection (2)

Lawfulness, Fairness, and Transparency: Any processing of personal data should be lawful and fair. It should be clear to users that personal data concerning them are collected, used, consulted, or otherwise processed and to what extent.

Purpose Limitation: Personal data should only be collected for specified, explicit, and legitimate purposes and not further processed in a manner that is incompatible with those purposes.

Data Minimisation: Processing of personal data must be adequate, relevant, and limited to what is necessary in relation to the purposes for which they are processed.

Accuracy: Controllers must ensure that personal data are accurate and, where necessary, kept up to date.

Storage Limitation: Personal data should only be kept in a form which permits identification of data subjects for as long as is necessary for the purposes for which the personal data are processed.

Integrity and Confidentiality: Personal data should be processed in a manner that ensures appropriate security and confidentiality of the personal data, including protection against unauthorised or unlawful access to or use of personal data and the equipment used for the processing, and against
accidental loss, destruction or damage.

Accountability: The controller is responsible for, and must be able to demonstrate, their compliance with all of the above-named Principles of Data Protection.

Controllers must take responsibility for their processing of personal data and how they comply with the GDPR, and be able to demonstrate (through appropriate records and measures) their compliance.

These principles lay the groundwork for the other rules and obligations of the legislation, and are influencing legislation being drafted around the world. With more than 120 countries engaged in some form of international privacy laws for data protection, it is clear that this is a legal arena that will continue to evolve and mature.

7 Principles of Privacy by Design (3)

The principles above are critical for setting expectations, but are not sufficient for practical application. To that end, the GDPR places significant focus on Privacy by Design, a framework for building privacy into the design and operation of IT systems, networked infrastructure, and business practices. According to this framework, privacy management demands an interdisciplinary, systems engineering approach. Good privacy management encompasses:

• the full lifecycle of the data — from acquisition to use, storage, retention and disposal
• multiple teams with different objectives and priorities (e.g. product management and engineering, user support, sales and marketing, finance, risk and compliance)
• multiple control domains (e.g. technical, administrative, legal).

The 7 Privacy by Design principles are:

1. Proactive not Reactive; Preventative not Remedial
   By proactively adopting strong privacy practices, events which have an invasive effect on privacy are anticipated and prevented.

2. Privacy as the Default Setting
   Personal information is by default protected without the need for the user to take any action. The fair information practices – “Purpose Specification”, “Collection Limitation”, “Data Minimization”, and “Use, Retention and Disclosure Limitation” – are taken into account.

3. Privacy Embedded into Design
   Privacy is considered in the design and architecture of IT systems and business practices as a core functionality. It should be embedded holistically in terms of considering the context, integrative as respecting all stakeholders, and creative as re-defining previous designs.

4. Full Functionality – Positive-Sum, not Zero-Sum
   All legitimate objectives of an organization are achieved with full functionality. A multi-functional solution is investigated where no trade-off is performed to the detriment of privacy.

5. End-to-End Security – Full Lifecycle Protection
   Strong security actions are taken throughout the entire lifecycle. The management of personal information and included principles are carried out, such as destroying data at regular intervals.

6. Visibility and Transparency – Keep it Open
   All stakeholders in business practices and technologies operating according the promises and objectives. For this, visibility and transparency are needed for establishing accountability and trust. In this principle, the three fair information practices – “Accountability, “Openness”, and “Compliance” – are considered.

7. Respect for the User – Keep it User Centric
   The design should always consider the interests and needs of users. This principle implies the four fair information practices: “Consent” – users’ consent regarding collection, usage, and disclosure of personal information; “Accuracy” – the need for complete, correct, and actual personal information; “Access” – providing user access to their data; and “Compliance” – interpreted as organizations having to take actions and communicating them regarding users’ privacy.

Based on principles of Privacy by Design, governments are increasingly holding companies (“controllers”) accountable for full protection of user data, regardless of where a data breach might occur. In fact, UNCTAD has noted a specific concern about “the collection, use and sharing of personal information to third parties without notice or consent of consumers.”(4) Only by embedding privacy into the system from the outset, and carefully managing their data sharing with third parties, do companies today have any hope of effectively protecting user data.