This is the second of a number of blog posts leading up to my keynote at the upcoming Computerworld conference on Data Security in Copenhagen on 27 January 2016.
The new General Data Protection Regulation, aimed at giving EU citizens greater control of their personal data, introduces the principles of Privacy by Design and Privacy by Default to keep pace with technological developments.
Privacy by Design means that organisations must protect privacy by embedding it into the design specifications of technologies, business practices, and physical infrastructures. That means building privacy into the architecture of new systems and processes.
Privacy by Default means that organisations must implement mechanisms for ensuring that, by default, the only personal data that is processed is that which is necessary for each specific purpose of the processing, and especially that it is not collected or retained beyond the minimum necessary for those purposes and is only kept for the amount of time necessary to provide the product or service.
Privacy by Design and Privacy by Default apply at all levels, including the manufacturers of the devices, application developers and social platforms. Privacy and security have to be embedded, by default and design, from the very foundation of, e.g., an application.
For example, to successfully publish your profile on a new social media service, it may be a requirement to give your name and e-mail address. However, this service might also, automatically and without your legal consent, process other personal information such as your location and gender, and make it visible publicly and not just to your connections.
This would be a classic example of a breach of the data protection principles, and thereby of the Privacy by Default principle, as more information is published than is necessary for the service. This situation could have been avoided by using the Privacy by Design concept, where the manufacturer would have implemented technical and organisational measures to foresee and avoid this breach before the new social media service was even introduced.
How the Privacy by Design and Privacy by Default principles will be enforced is not at all clear. However, it is clear that the data protection agencies in the member states will require businesses to provide documentation that they are in compliance with the principles. And organisations that break the rules face tough penalties; organisations responsible for more serious violations could be fined up to four percent of their turnover.
Some customers are very concerned about what happens with the information they disclose to companies – especially online. The requirement of Privacy by Design and Default is supposed to give customers, the data subjects, increased control of their personal data and to assist in building trust in organisations, including online services.
From another point of view, much criticism has been expressed by organisations, not regarding the increased control Privacy by Design and Default will give to their customers, but regarding the high cost of implementation. Businesses may have to make substantial investments to ensure they are compliant, both inside and outside Europe.
Much focus has been on large web-based businesses such as Google, Facebook and Microsoft, due to the number of third parties they use who also process the data, which requires significant administrative cooperation in order to achieve conformity and adds cost to run and monitor.
The burdens, however, are especially onerous for small and medium-sized businesses. When creating a new product or service, for example, the entire development process needs to be compliant. This, together with ongoing monitoring, can drive up the cost of a new product or service significantly. This could mean a huge financial burden for companies on a smaller budget, in particular startups.
From the organisation's point of view, it might be worth looking at the requirements of Privacy by Design and Default from a different perspective. The fact that customers are increasingly concerned about disclosing their personal data can be seen as a new business opportunity. It is important to make your customers feel safe and trust the service or product, so complying with the new regulations allows a business to create a product or service that a customer will feel safe using, thereby adding to the attraction and differentiation of the service or product.
According to the General Data Protection Regulation, an organisation will be able to acquire certification from the EU data protection authorities, which will allow the organisation to communicate to customers that it meets the requirements and can thereby be trusted with the customers' personal data, all potentially adding to the competitive edge of the organisation.
(Thanks to my colleagues Amalie Langebæk and Kamilia Mondrup at Bird & Bird Copenhagen Office for help with writing this blog post.)