General 3min de Leitura - 21 de September de 2020

What does “privacy by design” mean and what is the relationship with the GDPR

This post is also available in: Português English Español

You probably have heard of the Brazilian GDPR, the General Law for the Protection of Personal Data, enacted in 2018 and which provides for greater vigilance and punishment in the case of misuse of data collected by companies and individuals for different purposes.

One of the principles of GDPR is to ensure data subjects privacy throughout the life cycle of the data, that is, from the moment of capture, processing and sharing, to the deletion of information from the company’s databases.

If you store or process personal data of customers, employees, third parties, etc., you must comply with the GDPR, which will come into force in August 2020.

And to understand a little more about the terminologies that gained strength with the emergence of GDPR, we developed this blog post that brings the meaning of privacy by design as well as its relationship with GDPR. Read on!

Origin of the concept “privacy by design”

“Privacy by definition”, in free translation, is a methodology created in the 90s by the Commissioner for Information and Privacy of Ontario, Canada, Dr. Ann Cavoukian. At that time, the specialist already imagined that the advancement of technology and ease of communication would enable an indiscriminate collection of personal information and, therefore, some concept should be applied so that corporations would understand and apply privacy rules in their solutions and products offered.

As of 2010, several entities around the world began to disseminate and apply these concepts, such as the European Data Protection Authority and the Federal Trade Commission in the United States. Privacy by design is currently incorporated into European data protection legislation (GDPR) and our General Data Protection Law (LGPD).

What does “privacy by design” really mean?

The idea of privacy by design is that companies incorporate this methodology in every conception of a product or service, placing privacy protection at the center of all development, including this idea among their values and guiding their ethical conduct.

For companies and users to understand and incorporate the ideas of privacy by design, the 7 pillars that form it must be taken into account.

1) Be proactive and not reactive – Prevention is better than cure

One should always anticipate and anticipate events that could compromise the user’s privacy. Thus, it is necessary to constantly monitor, analyze risks and develop corrections whenever any possible fault is identified, taking precautions to prevent it from occurring.

2) Privacy by default

The standard configuration of any service available to the user, should provide maximum protection to the user. He should not need to adjust any settings to ensure his privacy.

A simple example of a practical application of this principle may be the option of sharing your smartphone’s location. In order to comply with this principle, it should, by default, be configured not to perform this sharing in any way.

3) Privacy built into the project

Privacy should not be seen as an addition to the project. It is an inseparable part of the developed solution, conceived since its conception.

4) Full functionality – “Positive-Sum” instead of zero-sum

A positive-sum game is one in which everyone wins, unlike the zero-sum game, where for one to win, another must lose.

For the privacy by design methodology, data protection must be in line with the interests and objectives of those who use this information. Thus, there should not be, for example, an extra advantage or functionality for anyone who changes some privacy setting. All features must be complete and protected.

5) End-to-end security – Protection throughout the information lifecycle

All data must be secure from collection to destruction or sharing with a third party. Personal data cannot be forgotten on old devices or unused databases. Much less should they be allowed to be accessed by third parties without authorization.

6) Visibility and transparency

The data subject must always be allowed to know for what purpose his information is being collected, who has access to it and even have the possibility that independent entities can carry out audits to make sure that the information is being protected.

7) Respect for user privacy – User-centered solution

This is one of the basic precepts of privacy by design. The entire architecture and operability of the system or business practice must be centered on user privacy, always thinking about the complete protection of their data.

How do you know if your company is prepared for GDPR?

The General Data Protection Law is already a reality for companies that started the adaptation process and should be the center of attention from now on. Those who neglect it can suffer heavy fines and losses in the event of security breaches.

But, if you still don’t know how far your business is from compliance with the General Data Protection Law complete our free diagnosis. So you can identify if you are prepared to walk the path towards compliance with the law, and above that, ensure greater protection for your users and, of course, competitive advantage for your business.

This post is also available in: Português English Español