
Data protection by design means embedding privacy features and privacy-enhancing technologies directly into the design of a project from its earliest stage. Data protection by default means that the settings a user starts with (no pre-ticked opt-ins on customer account pages, profiles private from the outset with an explicit action needed to make them public, and so on) must be privacy-friendly without the user having to change anything, and that only the data necessary for each specific purpose of the processing is collected.
In practice, data protection by design and by default has been around since the 1990s, long before Article 25 of the GDPR was introduced. The concept was originally coined Privacy by Design (PbD) by Ann Cavoukian in 1995. Dr Ann Cavoukian is recognised as one of the world's leading privacy experts. She served three terms as the Information and Privacy Commissioner of Ontario, Canada, and her work paved the way for the ISO standard for privacy by design, ISO 31700.
Privacy by design is based on seven principles. Implementing them in your products, services or business is a challenge that is best met by combining a range of skills: user experience design, ethics, compliance, security and technology. Together they ensure that your business takes privacy seriously, reducing the risk of breaches and fines while increasing trust.
The principles are:
1. Proactive not reactive; preventative not remedial
2. Privacy as the default setting
3. Privacy embedded into design
4. Full functionality: positive-sum, not zero-sum
5. End-to-end security: full lifecycle protection
6. Visibility and transparency: keep it open
7. Respect for user privacy: keep it user-centric
Effective implementation of privacy by design means operating in a human-centric and privacy-focused manner, protecting people’s rights and freedoms throughout the data lifecycle. Privacy should always be the default setting.
A recent study of more than 90 fines issued by supervisory authorities in the first five years of the GDPR indicates that non-compliance with Article 25 (data protection by design and by default) has been a contributing factor in the largest fines. In one instance, Ireland's Data Protection Commission (DPC) fined Instagram €405m in 2022 following an investigation opened in 2020, which found that account settings defaulted to public rather than private, a failing of particular concern because the accounts affected included those of children.
The European Data Protection Board published guidance in October 2020 (Guidelines 4/2019 on Article 25, version 2.0) giving more insight into how organisations can become privacy-first by applying the principles of the GDPR. We match these principles with those of privacy by design listed above to ensure a holistic approach.
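As an added illustration, not code from this page or from Forvis Mazars, the following Python models the two halves of Article 25 described above: protective account defaults that the user must actively change, an audit that flags any default which widens exposure (the public-by-default failure in the Instagram example), and a collection step that admits only the fields necessary for a declared processing purpose. A deliberately weak legacy configuration is included beside the corrected one so the audit has something to find. All setting names, purposes and field names are invented for the example.

```python
"""Privacy by default in code: protective defaults, an audit of those
defaults, and purpose-bound data minimisation.

Illustrative example written for this article; not Forvis Mazars code and
not taken from any real product. Setting, purpose and field names are
invented for the demonstration.
"""
from dataclasses import asdict, dataclass
from typing import Dict, FrozenSet, List


@dataclass(frozen=True)
class AccountSettings:
    """Settings every new account starts with. For each one, True widens
    exposure, so every default is False: the user must act to become more
    visible, never to become more private."""
    profile_public: bool = False        # profile private until the user opts in
    show_contact_details: bool = False  # email/phone never shown by default
    marketing_emails: bool = False      # no pre-ticked marketing opt-in
    searchable_by_phone: bool = False   # not discoverable by phone number
    analytics_sharing: bool = False     # no third-party analytics without consent


# The weak configuration for comparison (hypothetical): public profiles and
# pre-ticked marketing, the shape of default the page's Instagram example
# describes. Deliberately non-compliant so the audit below finds it.
LEGACY_DEFAULTS = AccountSettings(profile_public=True, marketing_emails=True)


def new_account_settings(**user_choices: bool) -> AccountSettings:
    """Settings for a new account: protective defaults, changed only by
    choices the user explicitly made. Unknown setting names raise TypeError,
    so a client cannot smuggle in settings that do not exist."""
    return AccountSettings(**user_choices)


def audit_defaults(defaults: AccountSettings) -> List[str]:
    """Return the names of settings whose default is True, i.e. defaults
    that widen exposure. An empty list means the defaults are
    privacy-friendly in the Article 25(2) sense; a non-empty list is a
    finding to fix before launch."""
    return [name for name, value in asdict(defaults).items() if value]


# Purpose limitation and minimisation: the fields each processing purpose
# actually needs (hypothetical purposes and fields).
PURPOSE_FIELDS: Dict[str, FrozenSet[str]] = {
    "account_creation": frozenset({"email", "password_hash"}),
    "order_shipping": frozenset({"name", "postal_address"}),
    "age_verification": frozenset({"date_of_birth"}),
}


class DataMinimisationError(ValueError):
    """Raised when data is offered that the declared purpose does not need."""


def collect(purpose: str, submitted: Dict[str, str]) -> Dict[str, str]:
    """Accept only the fields necessary for `purpose`. Excess fields are
    rejected rather than silently stored, so over-collection fails loudly
    at the boundary instead of surfacing in an audit years later."""
    allowed = PURPOSE_FIELDS.get(purpose)
    if allowed is None:
        raise DataMinimisationError(f"no declared processing purpose: {purpose!r}")
    excess = sorted(set(submitted) - allowed)
    if excess:
        raise DataMinimisationError(
            f"fields not necessary for purpose {purpose!r}: {excess}")
    return dict(submitted)


if __name__ == "__main__":
    print("compliant defaults, findings:", audit_defaults(AccountSettings()))
    print("legacy defaults, findings:", audit_defaults(LEGACY_DEFAULTS))
    print(collect("order_shipping",
                  {"name": "A. Example", "postal_address": "1 Sample St"}))
    try:
        collect("order_shipping",
                {"name": "A. Example", "date_of_birth": "2010-01-01"})
    except DataMinimisationError as exc:
        print("rejected:", exc)
```

The audit is the check worth wiring into a release pipeline: run it against the settings object a fresh account actually receives, not against a design document, and treat any non-empty result as a blocking finding. The purpose table makes the minimisation decision reviewable, because adding a field to a purpose is a visible code change rather than a quiet widening of a form.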
We can assist:
Forvis Mazars supports a wide range of private and public entities in achieving and maintaining data protection and privacy compliance. To learn more about our data protection and GDPR services, contact a member of our consulting team.