Privacy by Design
Rather like any new housing development that has to incorporate, within the initial planning stages, essential technological advances ensuring protection to the environment and be eco-friendly. The same applies to any new technological construction regarding protecting the individual user.
Also known as “privacy by default”, this new concept of this law provides guarantees of data protection from the very beginning of any new technical construction or design development — for example, an application or program, an app, development of electronic commerce, the internet of things, anything where personal data will be processed. Developers of applications, products or services in general, are required to have specialist knowledge in the field of privacy and data protection from the design, development and launch phases.
GDPR Obligation Acts
One positive gained, is that this obligation acts as a safeguard from the outset regarding any new development. Privacy in the design is a proactive measure and seeks protection throughout the life cycle of the product or service.
Proactive design and development will eventually lead overall to improved organisations who build software with Data Protection obligation in mind, as it is easier to plan and develop from the beginning based on a clear legal framework. This will facilitate peace of mind when engaging in business to business activity, eliminating the worry of not complying with the data protection obligation requirements regarding data protection.
What is Privacy by Default?
The default privacy is to offer the maximum privacy guarantees by default in the design of applications or general products or services that deal with personal data. If there are several privacy settings, they should be marked appropriately by default, those that offer greater guarantees of privacy as required by the individual.
The default privacy also implies:
- The minimising of data, that is, the minimum possible data to be collected to ensure that the product or service can fulfil its purpose.
- The control of access, only personnel that require access to the data for the development of their profession, will have access to this data, and that data will not be transferred to third parties, is not mandatory or is not explicitly informed and consented to by the interested party. For this, pseudonymization techniques can be applied (pseudonymization uses encryption as a security measure to ensure data can become anonymous)
- The data storage periods must be made fully transparent to users and personnel and be limited to what is strictly necessary with any extension of storage to be minimized to recommended legal storage periods.
- Transparency is fundamental and requires informing the user about the processing of their data with clear, concise and understandable information.
A practical example is found in various gaming apps where, for example, personal information is requested, i.e. permission to access phone contacts, camera images, SMS and phone calls, whereby access to all of these is unnecessary to play the game.
Privacy is a fundamental right and must be preserved with a degree of firmness.
Mark Zuckerberg has previously announced that his organisation, Facebook, will not be implementing the same level of GDPR protection in the US, but would tweak GDPR obligation for European users. It will remain to be seen what US users will lack in protection, but one of the most obvious rights that Facebook might wish to play down is the right to erasure, or the right to be forgotten. The scandal regarding the unauthorized and unwarranted use of the personal data of 50 million Facebook users has put the dominant technology company in a complicated situation that may seriously damage its already questionable reputation due to its role in the circulation of fake news.
Ensuring the privacy and protection of user information is an unavoidable GDPR obligation for all organisations, especially that of Facebook. Such rights are daily violated and form the very reason for the need for legislation such as the GDPR. Brands such as Google and Amazon accumulate vast amounts of private information and manipulate this data for their marketing campaigns.
Advocates for privacy have campaigned against the incorrect use of data, and the future of GDPR obligation is looking to be a bright one for those who seek or defend the right to privacy. Facebook’s decision not to implement the full scope of the GDPR for US users has raised suspicions about its ability and efforts to regain the trust of users especially in light of recent data mining abuses.
The company could do so with its firewalls for false news on the Web and established software to enable it to reliably identify content, also has an increasing responsibility of ensuring control over the advertising of political campaigns, even at the cost of losing part of its main source of revenue. There is no denying that technology companies such as social networking sites have helped to create a free, open and interconnected world. They have become not just the engine but also the DNA of globalisation. Leaking of private data highlights the fragile and vulnerable nature of our personal information in the hands of these giants.
The US Government, British Parliament, and the European Parliament as well as representatives of the 500 million people affected by the Facebooks personal data leak, demand assurances, convincing answers and effective measures from Facebook.
✓ International Data Transfers
In this current global economy, it is very common for cross-border transfers of personal data. Sometimes this data is maintained on servers in several different international countries. The GDPR protection will travel with this data, which in turn ensures that the GDPR obligation rules that protect personal data with the EU will continue to apply regardless of where the data will eventually end up.
Article 49.1 states that data transfers can only be made to countries where there is not the same level of protection when there has been an express consent to the transfer, and then only after the individual whose data is being transferred has been made fully aware of the risks of such transfer. Such awareness has to be in the form of an explicit statement in writing, and the consent of the individual concerned has to be seen to have been obtained in an indisputable manner, through a written declaration and signed by the individual.
Article 7.1 of the GDPR obligation provides a comprehensive list of the obvious way to be able to demonstrate this explicit consent in an accurate way and the recommendations by Article 29 Working Party – in its document “Guidelines on Consent under Regulation 2016/679”. At times, the EC may themselves make a decision, based on the rules of adequacy where it is declared that a non-EU State offers an adequate level of data protection thus allowing data to be transferred to an organisation within that country.
This would provide for less explicit requirements to gain consent and provide guarantees because such transfers are deemed to be to a “suitable” country with processes assimilated to that of data transmission and protection within the EU. In the absence of a decision of adequacy, the transfer can be made through the establishment of “adequate guarantees” provided the individual whose data is being transferred have enforceable rights and effective legal action.
Such adequate guarantees include, among others:
- in the case of businesses engaged in joint economic activity, those businesses can transfer personal data by “binding corporate rules”,
- contractual agreements with the recipients of personal data, for example, standard contractual clauses approved by the European Commission,
- adherence to agreed codes of conduct, certification mechanisms and binding and enforceable commitments assumed by the recipient about the application of adequate guarantees for the protection of the transferred data.
Finally, if a transfer of personal data is planned to a country that is not subject to any of the above adequacy provisions, and in the absence of adequate guarantees, the transfer can be made based on several exceptions in specific situations.
For example, when a person gives explicit consent to the proposed transfer after having received all the necessary information about the risks related to such transfer.
For international countries lacking the necessary adequacy provisions, you are required by the GDPR obligation to establish a framework of certification and adopt a code of conduct for your business to fulfil its responsibility in offering adequate guarantees to ensure no risk to the privacy of the owner of the personal information being transferred.
Business organisations are propelled to adopt the mechanisms set out by the GDPR obligation to obtain consent to comply with this new vision, to ensure that consent and permission is free, informed, specific, definite and explicit. Using tools that demonstrate individual consent so that there is entirely no doubt, is one of the most critical challenges that those responsible for the handling the data will have to assume in their organisation.
✓ Phishing, Ransomware, Online Fraud and Hacking
Cybercrime is growing globally, and a certain dystopia is emerging regarding how personal information is being mistreated thus creating victims of online fraud, hacking, phishing, ransomware. There has to be a corresponding rise in policing and fighting this abuse and harm against innocent individuals whose information is not adequately protected. In this regard, the GDPR obligation is a welcome unified model for everyone who processes customer data.
Most global organisations should have in place a structured plan and a good knowledge of the GDPR, and the consequences of non-compliance. GDPR obligation fines are high for businesses,
- Up to 4% of their annual revenue or
- Up to 20 million euros, or
- Whatever is higher.
Analysts estimate that GDPR obligation fines will continue to rise under the GDPR Regulations.
Fundamentally, what you need to be thinking about is how you look after the personal data that you use in your business, data that belongs to your customers, to your employees, as well as individuals and third parties. The three most essential elements to bear in mind are:
Being compliant, transparent and accountable for what you are doing with personal data and how you are managing the risks are all part and parcel of good business practice and ethics. Embracing the GDPR obligation ensures a well set up and legally compliant organisation in a modern and thoughtful business environment.
If you are not GDPR compliant, now is a good time to revisit your existing practices, to check that they are hitting the right notes and truly delivering on the requirements to manage the risks that you are taking with data. Many organisations have seen the GDPR obligation as a real challenge, and with good reason. As understanding how all the data is being used everywhere in your organisation can be difficult, with many different lines of business and many different conflicting priorities.
Instead of viewing the GDPR obligation as a tedious piece of the legislation see it as a huge opportunity to invoke trust in an increasingly complex digital world.
Why wouldn’t you want to reinforce and build the confidence of your customers that their data is being safeguarded in your organisation?
The action is necessary now, GDPR compliance is essential, and the correct approach must be taken. If you do not have the expertise in-house, GDPR obligation specialists such as Seers would be the ideal partner as they can ensure your business priorities for the GDPR obligation are achieved.