
    Emerging technologies: Embedding privacy by design

    “Privacy by design and default” is an inherent part of safeguarding and using data in ways that protect and enhance the privacy of individuals. The concept involves integrating privacy considerations into the early design, development, and implementation stages of system architecture, so that privacy is an intrinsic component rather than a bolt-on. This helps to ensure that the collection, handling, and use of personal data (including potentially sensitive data) is conducted in a privacy-conscious manner from the outset.

    By adopting this concept, organizations can build products and systems that treat privacy and data protection as integral, enabling components, leading to cost savings, project efficiencies, and consumer goodwill. The main elements of privacy by design and default can be summarized as follows.

    Proactivity, not reactivity

    Traditionally, organizations did not implement privacy-protection tools from the outset; they were factored in (if at all) only after architectures had been designed and project decisions made. Regulatory requirements, such as the General Data Protection Regulation (GDPR) in the EU or the Data Protection Act 2018 in the UK, mean that data-protection compliance and privacy measures should not be treated as an add-on. The reactive approach has led to security vulnerabilities, potential legal exposure, and increased project costs and slippage caused by significant changes to already-established architectures, solution designs, system implementations, and business processes.

    Conversely, proactively implementing privacy by design can lead to cost savings, greater user trust, and fewer data breaches. For instance, when building a new mobile application, the development team has scope to incorporate measures such as consent prompts or conspicuous privacy notices before any data collection or processing begins, rather than retrofitting them after launch.

    Privacy as the default

    Start with “privacy preserving” as the default setting for users. For example, a social media platform can set user profiles to private by default, so that they are neither published nor discoverable by the wider internet until the user chooses otherwise. Some platforms have defaulted to public from the outset to encourage use and discoverability, but this has exposed user data without users being aware of it. Allowing users to choose to make their information public, rather than making it public automatically, is a core privacy-by-design principle.
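    As an added illustration of the default-private profile described above (this is example code, not from the original article or from any particular platform), the snippet below models a profile whose visibility defaults to private, exposes only an explicit allowlist of fields to anyone other than the owner, keeps private profiles out of search indexing, and requires a deliberate, confirmed user action to make a profile public. The `Profile`, `Visibility`, `PUBLIC_FIELDS`, `make_public`, `render_profile` and `discoverable_user_ids` names, and the profile fields, are assumptions made for this example.

```python
from dataclasses import dataclass, asdict, replace
from enum import Enum
from typing import Dict, List, Optional


class Visibility(Enum):
    PRIVATE = "private"
    PUBLIC = "public"


@dataclass(frozen=True)
class Profile:
    # Hypothetical profile record for the example (field names are assumptions).
    user_id: str
    display_name: str
    email: str
    phone: str
    bio: str = ""
    date_of_birth: str = ""
    # Privacy by default: a freshly created profile is private unless the
    # user explicitly changes it.
    visibility: Visibility = Visibility.PRIVATE


# Fields that may be shown to non-owners once a profile is public.
# An allowlist fails closed: any field not named here (email, phone,
# date_of_birth, or anything added to Profile later) is never exposed by accident.
PUBLIC_FIELDS = ("display_name", "bio")


def make_public(profile: Profile, user_confirmed: bool) -> Profile:
    """Switch a profile to public only on an explicit, confirmed user choice.

    Returns a new Profile; the original (private) record is left untouched.
    """
    if not user_confirmed:
        raise PermissionError("profile visibility can only change on explicit user consent")
    return replace(profile, visibility=Visibility.PUBLIC)


def render_profile(profile: Profile, viewer_id: Optional[str]) -> Dict[str, str]:
    """Return the view of `profile` that `viewer_id` is allowed to see.

    - The owner sees every field.
    - Anyone else (including anonymous viewers, viewer_id=None) sees nothing
      while the profile is private, and only PUBLIC_FIELDS once it is public.
    """
    if viewer_id is not None and viewer_id == profile.user_id:
        data = asdict(profile)
        data["visibility"] = profile.visibility.value
        return data
    if profile.visibility is not Visibility.PUBLIC:
        # Fail closed: no fields at all, so a private profile looks the same
        # as a non-existent one to outsiders.
        return {}
    return {name: getattr(profile, name) for name in PUBLIC_FIELDS}


def discoverable_user_ids(profiles: List[Profile]) -> List[str]:
    """Ids eligible for search indexing or sitemaps: public profiles only."""
    return [p.user_id for p in profiles if p.visibility is Visibility.PUBLIC]


if __name__ == "__main__":
    # Constructed sample data for the example.
    alice = Profile("u1", "Alice", "alice@example.com", "+44 7700 900000",
                    bio="hi", date_of_birth="1990-01-01")
    print(render_profile(alice, None))              # {}  (private by default)
    print(render_profile(alice, "u1"))              # owner sees every field
    alice_pub = make_public(alice, user_confirmed=True)
    print(render_profile(alice_pub, "u2"))          # {'display_name': 'Alice', 'bio': 'hi'}
    print(discoverable_user_ids([alice, alice_pub]))  # ['u1']
```

    The design choice that matters is the allowlist in `PUBLIC_FIELDS`. A denylist ("hide email and phone") would silently start leaking any field added to the profile later; the allowlist keeps new data private until someone deliberately decides to publish it, which is the same minimization-first posture the article returns to under visibility and transparency.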

    Full functionality

    Full functionality means that the system performs all intended functions without significant drawbacks or restrictions, even with privacy-enhancing and privacy-protecting measures fully implemented. This applies to every privacy-protecting measure across the supply chain and within system design, and to every user-facing decision.

    For instance, in the context of product returns, full functionality means safeguarding the sensitive information passed to third-party couriers without degrading the returns process. Achieving full functionality would ideally result in a system that is as usable as, if not more usable than, before: it minimizes the input required from the user and communicates clearly which data is needed, and why, to complete the return.

    End-to-end security

    Keeping data safe and secure throughout its lifecycle, from collection to deletion, is a fundamental element of privacy by design. As an example, messaging applications now commonly implement end-to-end encryption, and some email services offer it too. This protects user messages from unauthorized access (including by the service provider itself) while preserving seamless communication and ease of use for senders and recipients. This is a win-win for privacy and user experience, but it must be balanced with other considerations, such as national security and eDiscovery.

    Visibility and transparency

    Ensuring that clear and understandable information is provided to users about how their data is collected, used, and shared is paramount. Take an e-commerce website: its privacy notice and cookie prompt should explain what personal information is collected, how cookies and personal data may be used, and whether data will be used for order processing or shared with third parties for logistics or return fulfilment.

    Minimizing what you collect, informing customers through a transparency-first approach, and giving them control where possible means that you are putting the user first. People feel empowered when given the opportunity to influence outcomes, and that includes having information about, and control over, the use of their own personal data. This in turn leads to a positive customer experience and greater trust in the organization.

    Visit BSI’s Experts Corner for more insights from our industry experts. Subscribe to our Experts Corner-2-Go LinkedIn newsletters for a roundup of the latest thought leadership content: Digital Trust, EHS, and supply chain.