Privacy by Design is directly linked to the protection and privacy of individuals. The term gained strength in Brazil with the emergence of the General Data Protection Law (LGPD). Basically, Privacy by Design is understood as the application of technical measures to guarantee and protect user privacy from the moment a product or service that involves the collection of personal data is designed. Given the importance of the topic for those who work in Information Technology (IT), this article addresses how the concept is incorporated into the development of products and services, the pillars that form it, and its relationship with the General Data Protection Law. Read on!
What is Privacy by Design?

For Bioni (2019, p.84), Privacy by Design “is the idea that the protection of personal data should guide the design of a product or service, and they should be embedded with technologies that facilitate the control and protection of personal data.” But anyone who thinks that the term emerged recently is mistaken! In the 90s, the Privacy by Design methodology was created, which gained greater visibility with the creation of data protection regulations. The pioneer on the subject, Ann Cavoukian, former Canadian Commissioner for Information and Privacy, established principles to be treated as a basis for application. Thus, the concept highlights two important points: the importance of implementing privacy settings by default; and the need to apply proactive measures and ensure transparency with the data subject about the purpose of collecting personal data.

“Whatever system is involved, Privacy by Design requires you to build it from the ground up, with privacy as the default setting.” - Ann Cavoukian.
Integrating privacy measures at the beginning of a project makes it possible to identify potential problems at an early stage, which can avoid negative consequences later.
The 7 pillars of Privacy by Design

To understand the application of the Privacy by Design concept, it is necessary to know the 7 pillars that form it. Let's discuss a little about each of them below.
Proactive and not reactive

The aim is to think about possible problems in advance and look for solutions that prevent them from happening, so that when a given product or service is implemented, possible risks have already been addressed.

Privacy by default

This principle establishes that the protection of personal data occurs automatically in any process of a given product or service. This ensures that the user does not need to worry about protecting their own privacy, as the product or process was created with security in mind.

Privacy incorporated into the project

User privacy should in no way be thought of as an additional element, but rather as part of what is being developed and implemented.

Full functionality

Also called “positive-sum instead of zero-sum”, this pillar establishes that all functionalities must be complete and protected, generating benefits for both the data subject and the company.

End-to-end security

It is necessary to think about data privacy at every stage. Thus, protection is guaranteed throughout the entire life cycle of the data: at the time of collection, during processing and storage, and until disposal.

Visibility and transparency

This can be considered one of the most important pillars: transparency must be guaranteed to data subjects, so that they are always informed about the purpose for which their personal data is used.

Respect for user privacy

The product or service must be centered directly on the user, and all functionality must aim to guarantee the security of personal data.

What is Privacy by Design in the LGPD?
The LGPD does not directly mention the term Privacy by Design in its text. However, the concept is directly related to the provisions of its article 46:

“Art. 46. Processing agents must adopt security, technical and administrative measures capable of protecting personal data from unauthorized access and accidental or unlawful situations of destruction, loss, alteration, communication or any form of inappropriate or unlawful processing.
(…) § 2 The measures referred to in the caput of this article must be observed from the design phase of the product or service until its execution.”

Thus, we can understand that the Privacy by Design concept is related to the application of security measures to protect personal data. Therefore, from the beginning of the design of a product or service, privacy must be considered, thus ensuring compliance with the provisions of the article. Furthermore, the adoption of measures to ensure data privacy from design can be seen as a demonstration that the company is compliant with the LGPD. This precaution avoids the imposition of fines and the occurrence of security incidents involving personal data.

What is the difference between Privacy by Design and Privacy by Default?
We can say that Privacy by Default is part of, and directly linked to, Privacy by Design. This is because one of the ways to guarantee privacy from the moment of creation is for the product or service to reach the user with all the measures that guarantee data protection already implemented.
Regarding this issue, Pinheiros (2018) points out:

“We can say that Privacy by Design is a result of Privacy by Default. In other words, it is the idea that the product or service is launched and received by the user with all the safeguards that were designed during its development. The principle of data protection by default is to recognize the minimum necessary in relation to the data (for the purposes of the intended processing), prohibiting that data from exceeding such purposes.” (PINHEIROS, 2018, p.399).

In other words, when the product or service is launched to the public, the security and data protection settings must be applied as a standard measure, in such a way that only strictly necessary data is collected.
Furthermore, the user must be given the autonomy to, if they wish, voluntarily enable privacy-related settings and functionalities.

Conclusion

In short, the famous phrase created by London mathematician Clive Humby, “data is the new oil”, becomes increasingly real, given that companies use data as a source of revenue, directly or indirectly. It therefore becomes increasingly necessary to create regulations to protect data, giving data subjects autonomy over their information. It is up to companies to implement measures to ensure that their products and services comply with new regulations, guaranteeing the right to privacy for data subjects.
It is also interesting to highlight that the application of Privacy by Design can be seen as a competitive differentiator. After all, companies that use measures that guarantee user privacy reinforce their commitment and concern for their well-being. In this way, the trust of all customers is strengthened through the transparency adopted.
Therefore, the implementation of the Privacy by Design concept not only guarantees compliance with legislation, but can also be seen as a competitive differentiator, strengthening users' trust through the transparency adopted. Did you enjoy learning a little more about Privacy by Design and its main implications?