Wednesday, May 22, 2024

Privacy by Design

Ray Najem

Sales Representative & Webmaster

The term "Privacy by Design" essentially means data protection through technology design

Despite its long-standing recognition among EU member states, there remains uncertainty about the exact meaning, the vague guidelines, and the implementation of Privacy by Design (PbD). Privacy by Design has been frequently discussed in the context of the General Data Protection Regulation (GDPR), but never properly implemented. The GDPR emphasizes that the responsible entities must define the means for processing data, including TOMs (Technical and Organizational Measures), early in the design process to meet the principles of "Privacy by Design."

When was the term "Privacy by Design" coined? How far along are we from having a common understanding of what it should entail? And what are the current principles it entails?

The Origin of PbD

Interestingly, we know where the term "computer bug" came from (for those who don't know, read on through this link), so why not learn where PbD came from? The concept of PbD was first proposed in the 1990s by Dr. Ann Cavoukian, the former Information and Privacy Commissioner of Ontario, Canada. She envisioned a world where privacy is embedded every step of the way into technology, business practices, and networked infrastructure.

When Dr. Cavoukian was newly appointed as Privacy Commissioner, she worked a lot with lawyers, who traditionally applied the law only after there was a problem or a data breach. While she found the work already being done important, she also saw that there could be ways to prevent privacy harms at the source. In only three nights, she developed PbD and took it to work to convince the lawyers of how it could complement the regulatory compliance they already had in place. This account is taken from the interview "Talking with Dr. Ann Cavoukian, Privacy by Design inventor".

Understanding Privacy by Design

Privacy by Design is a proactive approach to privacy that aims to embed data protection into the technology itself at the outset, rather than taking a reactive approach. The proactive nature of PbD involves anticipating security risks that might not be so obvious and assessing the risks they pose before an issue or breach occurs. The integration of PbD into IT systems, business practices, operations, and network infrastructure emphasizes that privacy is not an optional or separate element but a solution from within. This integration ensures that privacy considerations are a standard part of the decision-making process in everything from software development to business processes and systems operations.

TOMs are a crucial aspect of this integration, providing the necessary tools and protocols to enforce privacy principles at every level of an organization.

Introduction to TOMs (Technical and Organizational Measures)

Technical and Organizational Measures (TOMs) are essential strategies and practices that organizations implement to ensure data protection and security. These measures encompass a wide range of actions, from technological solutions like encryption and access controls to organizational practices such as policies, procedures, and employee training. TOMs are closely related to Privacy by Design (PbD) as they provide the necessary tools and protocols to enforce privacy principles at every level of an organization. Although this article focuses on the foundational principles and implementation of PbD, a future article will delve deeper into TOMs and their role in data protection.

The 7 Foundational Principles

  • Proactive not Reactive; Preventative not Remedial: Adopting a privacy-first perspective inherently promotes a preventative stance on data protection. This ensures that privacy concerns are addressed at the source, baking a data protection model directly into the code. As Dr. Ann Cavoukian said: "So I wanted a model that could be embedded into one's operations, into the design, and bake it into the code."
  • Privacy as the Default Setting: PbD ensures that personal data are automatically protected in any IT system or business practice. No action is required on the part of the individual to protect their privacy.
  • Privacy Embedded into Design: Privacy is an integral part of the system design. It's not seen as an add-on but embedded into the core functionality and thinking behind the decision-making of the design.
  • Full Functionality — Positive-Sum, not Zero-Sum: PbD seeks to accommodate all legitimate interests and objectives. It avoids the pretense of false dichotomies, like the choice between privacy and security.
  • End-to-End Security — Full Lifecycle Protection: PbD ensures secure lifecycle management of information, from collection to end-of-life. It guarantees strong security measures are in place throughout.
  • Visibility and Transparency: PbD assures all stakeholders that whatever the business practice or technology involved, it is operating according to the stated promises and objectives. This highlights how transparent, open, and compliant the company is when dealing with clients' data.
  • Respect for User Privacy: Above all, PbD requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendly options.

To learn more about the intricacies of the foundational principles, we recommend reading this paper written by Dr. Ann Cavoukian herself.

Conclusion

Privacy by Design remains an important framework that ensures the integration of privacy and data protection directly into the fabric of technologies and business practices. While we wait for a definitive common guideline to emerge, the current Privacy by Design framework ensures that we are on the right track. Any added security is added peace of mind and shouldn't be taken for granted. This article covered what PbD means, its origin, and its foundational principles. The upcoming articles will be more practical and will delve into how companies can implement these principles in practice. In a future article, we will explore TOMs in more detail and discuss their critical role in data protection. Stay tuned.