During last years there has been an increase on variety and amount of data available, a development of channels to access data and a business globalization.
This situation has created a data governance and compliance complexity, besides a growth of potential threats to confidentiality requirements, integrity and availability of information.
In this context the need to increase the protection of personal data and respond properly to new operational needs of companies has arisen.
A very important approach for personal data management and protection, to be adopted in this context, is the “Privacy by Design” principle.
This principle was theorized, for the first time, by “Information and Privacy Commissioner of Ontario” and officially recognized in 2010 by the 32nd International Conference of Trustees privacy.
In its first edition, the Privacy by Design principle was described by seven main characteristics:
1. proactivity instead of reactivity: preventing rather than remedying;
2. privacy protection since the default configuration;
3. protection of privacy since the design of systems and business processes;
4. ensure the full functionality without ignoring the protection of personal data;
5. end-to-end security for the entire information lifecycle;
6. visibility and Transparency;
7. respect for user privacy via a User-Centric Approach.
Now the Privacy by Design principle has been introduced in the new General Data Protection Regulation with the name “Data Protection by design and by default”.
In particular within the General Data Protection Regulation, the related article “Data protection by design and by default” requires that: “…the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymisation, which are designed to implement data protection principles, such as data minimization, in an effective way and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”
An approach that could be adopted in order to address this requirement could be to have the privacy and protection of personal data considered within each project (both structural and conceptual) already from the design stage. As a matter of fact the data protection by design principle could be applied to IT systems, business processes and also to structural design of building and infrastructure. The General Data Protection Regulation associates the data protection by design to the “data protection by default” principle. This principle enforces the personal data protection stating that, by default, companies should treat only the personal information to the extent necessary for their intended purposes, for a period strictly necessary for such purposes (minimization principle) and they should ensure that personal data will not be made accessible to an indefinite number of people.
In order to respond adequately to the data protection by design principle, it will be necessary to evaluate the privacy risk whenever a new process is defined or a new system is implemented and it will be necessary re-engineer business processes including, if necessary, specific organizational and / or technology measures.