Today personal data are the new “oil”, they are among the most interesting source of income both for organizations and criminal activities, then, it is very important and necessary to protect them. In this context, the concept of privacy by design and privacy by default, has to be considered a mandatory solution.
The “privacy by design and privacy by default” is one of main new principles introduced by the EU Commission in the proposal of the new legal framework for the protection of personal data.
These principles represent the conceptual evolution of privacy since they explicate the inclusion of privacy into the design of the business processes and IT applications support, in order to include all the necessary security requirements at the initial implementation stages of such developments (privacy by design), or rather put in place mechanisms to ensure that only personal information needed for each specific purpose are processed “by default” (privacy by default).
The main principles are:
- proactive not reactive, preventative not remedial: explicit recognition of the value and benefits of proactively adopting strong privacy practices, early and consistently in order to prevent privacy risks from occurring (for example, preventing internal data breaches from happening);
- privacy as the default setting: the collection of personal information must be fair, lawful and limited to that which is necessary for the specified purposes. The design of programs, information and communications technologies, and systems, should begin with non-identifiable interactions and transactions, as the default. Wherever possible, identifiability, observability, and linkability of personal information should be minimized;
- privacy embedded into design: privacy is embedded into design of business processes, technologies, operations, and information architectures in a holistic, integrative and creative way;
- end-to-end security – full lifecycle protection: privacy must be continuously protected across the entire life-cycle of the personal data. There should be no gaps in either protection or accountability. The security has special relevance here because without strong security, there can be no privacy.
To summarize, Privacy must be approached through proactive measures, and not just in reaction to breaches or other faults and a good way to do this is to think about privacy issues from the very beginning of a service/product lifecycle, in the design phase. This makes the solutions to those issues much easier to implement and welcomed by the user.
So far a series of technical and/or procedural controls have been applied on services ex-post, in order to ensure compliance with the protection of personal data regulations. These measures have a limited scope compared to the protection of information during its entire life cycle. With the introduction of the concept of “privacy by design” we have a switching from a control-based approach to a risk- and process-based approach.