What is Privacy by Design (PbD)? And why is Privacy by Design important for privacy protection?
Privacy by design (PbD) is an emerging concept that requires privacy to be integrated into the creation, design, and operation of new systems, business processes, policies, infrastructures and devices. PbD is a systems engineering framework that extends the use of Privacy-Enhancing Technologies (PETs); it protects data through technological design and advances. PbD builds privacy protection directly into the design, implementation, operation, and management of systems and processes, rather than considering it after the fact. PbD rests on seven foundational principles identified and developed by Ann Cavoukian, which are briefly discussed next. The goal of these principles is to ensure the privacy of personal data while also giving users more control over their personally identifiable information (PII).
- Proactive not Reactive; Preventive not Remedial: This principle focuses on designing systems and processes so that privacy protection measures are taken before a privacy-compromising incident occurs. Instead of relying on detecting and responding to privacy violations, organizations and individuals should anticipate and prevent events that may breach the privacy of individuals.
- Privacy as the Default Setting: Most information systems today do not provide protective default settings, and this has caused many security incidents with the potential to gravely affect the well-being of businesses. Organizations and individuals should therefore ensure that all personally identifiable information (PII) is automatically protected in every information system and business process through secure default settings, without requiring individuals to enable privacy-protecting actions or settings themselves.
- Privacy Embedded into Design: Privacy should be treated as a core function of a system, and privacy protection measures should be fully implemented and integrated into the entire system and its associated business processes, rather than bolted on after a privacy violation has occurred.
- Full Functionality – Positive-Sum, not Zero-Sum: Privacy by design (PbD) requires legitimate system design goals to be met without sacrificing either the functionality or the privacy of information systems. Both privacy and security should be core components of a system and should be in place before the system is rolled out to customers.
- End-to-End Security – Full Lifecycle Protection: This principle requires organizations and individuals to ensure the security and privacy of personally identifiable information (PII) throughout its entire lifecycle. This means that personal data should be created, stored, used, managed and finally destroyed in a secure manner. Security controls such as encryption and authentication should be incorporated at every stage of the data lifecycle, so entities must consider security and privacy measures throughout the entire lifecycle of the data.
- Visibility and Transparency – Keep it Open: This principle focuses on assuring all stakeholders of a system that it operates securely and maintains its data privacy measures throughout the system's entire lifecycle, as per the established security policies.
- Respect for User Privacy – Keep it User-Centric: This principle requires system analysts, architects, developers, and operators to keep the interests and consent of individual users as their top priority by providing strong privacy defaults, timely and appropriate notice, and a user-friendly experience.
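The two most concrete principles above, "Privacy as the Default Setting" and "End-to-End Security – Full Lifecycle Protection", can be shown in working code. The following Python is an added example written for this page; it is not part of Cavoukian's framework or of any product. It assumes a small set of privacy settings (share_with_partners, analytics_opt_in, retention_days) and processing purposes (partner_sharing, analytics), all of which are constructed names. Every data-widening setting starts off and must be switched on explicitly; PII is encrypted at rest under a per-record key; reads are gated by purpose; and end of life is implemented as key destruction (crypto-shredding) plus retention-based purging. The encrypt-then-MAC construction uses HMAC-SHA256 in counter mode purely so the example runs on the standard library; a production system would use an authenticated cipher such as AES-GCM from a vetted library.

```python
import hashlib
import hmac
import json
import secrets
import time

# Privacy-protective defaults (constructed names): anything that widens the use
# of PII is off until the individual turns it on.
DEFAULT_PRIVACY = {
    "share_with_partners": False,
    "analytics_opt_in": False,
    "retention_days": 30,
}

# Processing purpose -> the setting that must be enabled for it (constructed names).
PURPOSE_REQUIRES = {
    "partner_sharing": "share_with_partners",
    "analytics": "analytics_opt_in",
}


def new_key() -> bytes:
    """Fresh 256-bit per-record key; discarding it later makes the ciphertext unrecoverable."""
    return secrets.token_bytes(32)


def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """HMAC-SHA256 in counter mode as a pseudorandom keystream (stdlib stand-in for a real cipher)."""
    out, counter = b"", 0
    while len(out) < length:
        out += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return out[:length]


def encrypt(master_key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC with separate derived keys; returns nonce || ciphertext || tag."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ct = bytes(p ^ k for p, k in zip(plaintext, _keystream(enc_key, nonce, len(plaintext))))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def decrypt(master_key: bytes, blob: bytes) -> bytes:
    """Verify the tag before decrypting; any modification of the stored blob is rejected."""
    enc_key = hmac.new(master_key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(master_key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("ciphertext failed integrity check")
    return bytes(c ^ k for c, k in zip(ct, _keystream(enc_key, nonce, len(ct))))


class PiiVault:
    """PII encrypted at rest under a per-record key, privacy-by-default settings,
    purpose-bound access, and key destruction at the end of the data lifecycle."""

    def __init__(self):
        self._keys, self._blobs, self._settings, self._created = {}, {}, {}, {}

    def create(self, pii: dict, settings=None, now=None) -> str:
        chosen = dict(DEFAULT_PRIVACY)           # defaults apply unless explicitly overridden
        for name, value in (settings or {}).items():
            if name not in DEFAULT_PRIVACY:      # refuse settings the policy does not define
                raise ValueError(f"unknown privacy setting: {name}")
            chosen[name] = value
        record_id = secrets.token_hex(8)
        self._keys[record_id] = new_key()
        self._blobs[record_id] = encrypt(self._keys[record_id], json.dumps(pii).encode())
        self._settings[record_id] = chosen
        self._created[record_id] = time.time() if now is None else now
        return record_id

    def settings(self, record_id: str) -> dict:
        return dict(self._settings[record_id])

    def read(self, record_id: str, purpose: str) -> dict:
        if record_id not in self._keys:
            raise KeyError("record unknown or already destroyed")
        gate = PURPOSE_REQUIRES.get(purpose)
        if gate is not None and not self._settings[record_id][gate]:
            raise PermissionError(f"purpose '{purpose}' is off by default and was not enabled")
        return json.loads(decrypt(self._keys[record_id], self._blobs[record_id]))

    def destroy(self, record_id: str) -> None:
        """Crypto-shred: drop the key first, so a stray copy of the blob is useless."""
        for table in (self._keys, self._blobs, self._settings, self._created):
            table.pop(record_id, None)

    def purge_expired(self, now=None) -> list:
        """Enforce retention_days: destroy every record that has outlived its own setting."""
        now = time.time() if now is None else now
        expired = [rid for rid, t in self._created.items()
                   if now - t > self._settings[rid]["retention_days"] * 86400]
        for rid in expired:
            self.destroy(rid)
        return expired
```

The point to notice is where the defaults live: a caller who passes no settings gets a record that cannot be shared or analysed, and an unknown setting is rejected rather than silently accepted, so privacy protection does not depend on the individual remembering to turn anything on. Destruction is modelled as key removal because deleting ciphertext alone does nothing for backups or replicas that still hold a copy.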
The main purpose of Privacy by Design (PbD) is to ensure that developers integrate privacy protection measures into their solutions in order to minimize or avoid privacy violations and concerns in the first place. As the principles above make clear, PbD focuses on preventing privacy violations and concerns rather than remediating them after the fact. PbD is not limited to developers integrating it into their development work, however; it is the driving principle behind the privacy protection initiatives integrated throughout an organization's business.