Privacy by Design and by Default




Privacy by Design

The concept of Privacy by Design has its origins in Canada, where it was set up in the 1990’s as a non regulatory software development framework. Its objective is to identify and prevent privacy problems before they happen.

The obligation of a Privacy by Design approach has been integrated into the European legal framework and is also an important element of OC 11.

OC 11 requires that:

  • Processing operations shall be designed and implemented in accordance with this Circular.
  • Service Owners shall keep detailed records of the privacy considerations that have been taken into account in the conception and design of the Processing operations.

Privacy by design is a concept that integrates data protection and privacy features into your system engineering, practices and procedures. It affects the creation and operation of new devices, IT systems, networked infrastructure, and even corporate policies.

Developing and integrating privacy solutions in the early phases of a project identifies any potential problems at an early stage to prevent them in the long run. It shouldn't be an afterthought or a supplement to your processes or infrastructure.

In Practise

Controlling services are encouraged to implement technical and organisational measures, at the earliest stages of the design of the processing operations, in such a way that safeguards privacy and data protection principles right from the start.

The very first step is to sketch the future processing activity by determining its overall purpose, the data required to achieve it and the underlying lawful basis, the expected life cylce of the data as well as the services involved in the processing.
A drafting of a data and/or workflow diagram might be useful in this phase.

The outcome of this first analysis should be documented in form of a RoPO, that is then used to perform a data privacy impact assessment (DPIA).
The DPIA will allow you to identify potential weaknesses and risks to your planned processing and to identify possible adaptations, mitigation measures and adequate safeguards.

You must keep a detailed record of these considerations and the actions that you have taken to make the processing operations compliant with OC 11. Please mind that you have to be able to demonstrate that you have fullfilled your responsibilities.