An introduction to Privacy by Design
How to introduce privacy by design principles, starting with your privacy policy
The increasing prevalence of data breaches and privacy concerns has made the protection of personal information a top priority for individuals and businesses alike.
Most of us are now familiar with the privacy scandal that surrounded the social media giant Facebook throughout the 2010s [1]. The social network allowed third-party applications to harvest personal data from millions of users without their consent. The incident not only eroded public trust in the company but also highlighted the urgent need for a privacy-centric approach to technology. Privacy by design has come to the fore as a proactive and comprehensive answer to such concerns.
As our personal information is increasingly collected and processed, it's crucial to ensure that privacy is a foundational element in the design and implementation of products, services, and processes. Privacy by design is an approach that aims to make this a reality.
In this chapter, we will explore the concept of privacy by design in more detail, focusing on the central role of the privacy policy. We will also outline a simple iterative lifecycle as a framework for implementing privacy by design principles within your organisation, starting with the privacy policy itself.
Privacy by Design Principles
Before we dig deeper into privacy by design and present our implementation framework, let’s first look at the philosophy behind privacy by design.
Prompted by growing privacy concerns arising from technological developments throughout the 1990s, the Information and Privacy Commissioner of Ontario, Canada developed a set of seven foundational principles for privacy by design [2]:
Proactive not reactive; Preventative not remedial
Privacy as the default setting
Privacy embedded into design
Full functionality - Positive-sum, not zero-sum
End-to-end security - Full lifecycle protection
Visibility and transparency - Keep it open
Respect for user privacy - Keep it user-centric
In 2010, the International Assembly of Privacy Commissioners and Data Protection Authorities unanimously passed a resolution recognising privacy by design as an essential component of fundamental privacy protection, establishing it as an international reference point for data protection practice.
And now, with the maturity of the cloud, the rapid introduction of AI systems and the explosive growth in the volume of data created worldwide, privacy by design has become an essential pillar of the success and longevity of modern organisations.
The Central Role of the Privacy Policy
The privacy policy is a critical component of privacy by design. It serves as a blueprint for your organisational commitment to data protection and privacy.
A well-crafted privacy policy should:
Be transparent about the collection, use, and sharing of personal information
Clearly outline the rights of individuals with regard to their data, and how to exercise those rights
Establish accountability for the organisation's data protection practices
Communicate your organisation's commitment to privacy in a way that is easily understood by your customers and partners
This policy is the centrepiece of our implementation framework, and the first step towards embedding privacy in the foundations of your organisation.
Implementing Privacy by Design: An Iterative Lifecycle
Introducing privacy by design principles to your organisation can be achieved through a simple iterative lifecycle that begins with the privacy policy itself. This lifecycle involves four main steps:
Develop or revise your privacy policy
Incorporate privacy considerations into the design and development of products, services, and processes
Evaluate and address privacy risks
Continuously monitor and update your practices
These steps must be repeated regularly to ensure that your organisation remains compliant with evolving data protection regulations and maintains the trust of your customers and partners.
Step 1. Developing or Revising Your Privacy Policy
WhatsApp, a popular messaging app, has faced legal consequences [3] and public backlash over an inadequate privacy policy. Under pressure from the European Commission, the company pledged to improve the transparency of its policy in order to avoid sanctions.
Creating a robust and transparent privacy policy is the foundation of privacy by design. In this stage, you will analyse your data collection and processing activities, identify the legal requirements that apply to them, and draft a clear and comprehensive privacy policy that communicates your organisation's commitment to privacy.
Step 2. Incorporating Privacy Considerations into Design and Development
With a solid privacy policy in place, the next step is to integrate privacy considerations into your design and development activities. This involves:
conducting Privacy Impact Assessments (PIAs)
implementing data minimisation and purpose limitation techniques
leveraging privacy-enhancing technologies (PETs)
adopting privacy engineering principles
Notably, privacy impact assessments are a critical tool for identifying and mitigating privacy risks associated with new products, services or processes. They provide a systematic evaluation of the potential impact on individuals' privacy, taking into account the nature and purpose of the data processing, the risks involved, and the appropriate measures to address those risks. Because they surface privacy risks early in the development process, the necessary safeguards can be put in place in Step 3 of our lifecycle.
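To make the data minimisation and purpose limitation bullet above concrete, here is an added example written for this chapter (it is not code from any framework, regulator or product the chapter cites). It encodes a field-level policy table in which every stored field carries the purposes that justify it and a retention period; collection refuses fields with no documented purpose, and every read must state a purpose and receives only what that purpose permits, with identifiers pseudonymised where the purpose does not need them in the clear. The purposes, field names, retention periods, sample record and key are constructed assumptions for the demonstration.

```python
import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Hypothetical purposes; in practice these are the purposes your privacy
# policy actually declares and your PIA has assessed.
ORDER_FULFILMENT = "order_fulfilment"
FRAUD_ANALYTICS = "fraud_analytics"
MARKETING = "marketing"
PURPOSES = frozenset({ORDER_FULFILMENT, FRAUD_ANALYTICS, MARKETING})


class PurposeError(ValueError):
    """Raised when data is collected or accessed without a documented purpose."""


@dataclass(frozen=True)
class FieldPolicy:
    purposes: frozenset                         # purposes that justify holding the field
    retention_days: int                         # maximum age, counted from collection
    pseudonymise_for: frozenset = frozenset()   # purposes that only need a stable pseudonym


# Hypothetical policy table: every field you store must appear here.
FIELD_POLICY = {
    "email": FieldPolicy(frozenset({ORDER_FULFILMENT, MARKETING, FRAUD_ANALYTICS}), 730,
                         pseudonymise_for=frozenset({FRAUD_ANALYTICS})),
    "postal_address": FieldPolicy(frozenset({ORDER_FULFILMENT}), 365),
    "card_last4": FieldPolicy(frozenset({ORDER_FULFILMENT}), 365),
    "ip_address": FieldPolicy(frozenset({FRAUD_ANALYTICS}), 90),
}


def collect(submitted: dict) -> dict:
    """Minimisation at collection: refuse any field with no documented purpose
    instead of storing it 'in case it is useful later'."""
    undocumented = sorted(set(submitted) - set(FIELD_POLICY))
    if undocumented:
        raise PurposeError(f"no documented purpose for fields: {undocumented}")
    return dict(submitted)


def pseudonymise(value: str, key: bytes) -> str:
    """Keyed hash (HMAC-SHA256): the same person links across records for
    analytics, but the identifier cannot be brute-forced without the key."""
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: dict, purpose: str, collected_on: date, today: date, key: bytes) -> dict:
    """Purpose limitation at access: serve only the fields the stated purpose
    permits, drop fields past retention, pseudonymise where the purpose does
    not need the real value."""
    if purpose not in PURPOSES:
        raise PurposeError(f"unknown purpose: {purpose!r}")
    age = today - collected_on
    out = {}
    for name, value in record.items():
        policy = FIELD_POLICY.get(name)
        if policy is None or purpose not in policy.purposes:
            continue  # not justified by this purpose: never leaves storage
        if age > timedelta(days=policy.retention_days):
            continue  # retention exceeded: should already be deleted, never served
        out[name] = pseudonymise(str(value), key) if purpose in policy.pseudonymise_for else value
    return out


def demo() -> dict:
    """Run the policy against a constructed record and return the outcomes."""
    key = b"constructed-demo-key-rotate-in-production"  # assumption: a real key lives in a KMS
    record = collect({"email": "ada@example.com", "postal_address": "1 Example St",
                      "card_last4": "4242", "ip_address": "203.0.113.7"})
    collected = date(2024, 1, 1)
    results = {
        "fulfilment": minimise(record, ORDER_FULFILMENT, collected, date(2024, 2, 1), key),
        "marketing": minimise(record, MARKETING, collected, date(2024, 2, 1), key),
        "fraud_day31": minimise(record, FRAUD_ANALYTICS, collected, date(2024, 2, 1), key),
        "fraud_day152": minimise(record, FRAUD_ANALYTICS, collected, date(2024, 6, 1), key),
    }
    try:  # a field nobody declared a purpose for is rejected at collection
        collect({"email": "ada@example.com", "gender": "unspecified"})
        results["undocumented_rejected"] = False
    except PurposeError:
        results["undocumented_rejected"] = True
    try:  # an ad-hoc purpose such as 'debugging' gets nothing at all
        minimise(record, "debugging", collected, date(2024, 2, 1), key)
        results["unknown_purpose_rejected"] = False
    except PurposeError:
        results["unknown_purpose_rejected"] = True
    return results


if __name__ == "__main__":
    for label, value in demo().items():
        print(f"{label}: {value}")
```

The point of keying the access path on a declared purpose is that adding a new use of the data forces an update to the policy table, which is exactly the moment a PIA should be revisited; the retention check at read time is a safety net for the deletion job, not a replacement for it.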
Step 3. Evaluating and Addressing Privacy Risks
As you build with privacy in mind, it's crucial to manage ongoing privacy risks. This includes:
maintaining contextual knowledge of each risk
conducting risk assessments
implementing privacy controls
managing consent and transparency
ensuring compliance with data protection regulations
A privacy risk register, recording each identified risk together with its owner, the controls applied and its current status, is an essential tool for consolidating organisational knowledge and demonstrating progress.
Step 4. Continuous Monitoring and Updating Privacy Practices
Privacy by design is an ongoing process.
In this final stage of the lifecycle, you will foster a privacy-focused culture within your organisation through training and awareness, engaging with the privacy community, and continually monitoring changes in technology, regulations, and best practices. Periodic audits and assessments will help you identify areas for improvement and adapt your privacy practices accordingly.
By following the iterative lifecycle outlined in this chapter, your organisation can embed privacy considerations into every aspect of its operations, from the privacy policy to product development and risk management. This proactive approach not only helps to ensure compliance with evolving data protection regulations but also fosters trust with customers and partners, which is vital for long-term success. As we continue to navigate the complexities of the digital world, privacy by design will remain a cornerstone of responsible and ethical data management practices.