Privacy by Design – or by Disaster?

X-Archived    | September 8, 2017

Got any European business? If you do, the GDPR could trigger fines of 20 million euros against you after May 25, 2018, unless you’ve built the highest levels of privacy protections into your systems.

The General Data Protection Regulation (GDPR) protects individuals’ privacy and human rights, and comes into effect in May. It applies to EU-based companies, plus overseas companies doing business in the EU. The scope covers a broad range of personal data, for example, names, email addresses, social media, bank details or computer IP addresses.

For companies that don’t meet the GDPR, there are fines as high as 20 million euros or up to 4 percent of your annual worldwide profits – a big bite out of your bottom line. The good news is that there is a directive to guide you, known as Privacy by Design, or “PbD”.

Privacy by Design

Meeting GDPR means following the seven PbD principles that are included almost verbatim in the regulation.

1. Proactive not reactive; preventative not remedial Think of this as “privacy by design or disaster.” If you build appropriate privacy, encryption and overall cybersecurity into your products and services, you’re less likely to have the disaster-side breach that means fines, class-action lawsuits, and damage to your reputation.
2. Privacy as the default setting Most people don’t read EULAs or the lengthy legal documents from financial institutions. Make your offerings easier to use by defaulting to the highest levels of privacy and encryption, and ask clearly for specific permission to use the customer’s data for anything other than what they intend. For example, keep opt-in boxes empty so the distracted end-user doesn’t give permission by accident.
3. Privacy embedded into design How well are your apps and data-management systems encrypted? This needs to be a default, no-choice, built-in fact of all of your data architecture.
4. Full functionality – positive-sum, not zero-sum There’s an argument that full security and full privacy are not compatible, but it’s wrong – strong encryption lets you have both. What’s more, when your clients and customers know you’re using it, they’ll have a higher level of trust for you, and be more willing to share their data.
5. End-to-end security – full lifecycle protection With your system designed to respect and maintain privacy at every touch, what happens when you’re done with the data? From the moment a customer gives their name, to the closing of the account, you need to ensure their data is securely managed, and eventually, destroyed.
6. Visibility and transparency – keep it open Be able to demonstrate that you are using the data as it’s intended at every step. But you also need to be willing to share all the data you’ve collected about someone with that individual, because the data belongs to them. And being able to see it means they can correct inaccuracies, making it much more useful to you.
7. Respect for user privacy – keep it user-centric Being user-centric means that your company and data architects are proactive about protecting customer privacy. But incorporating strong data encryption and overall cybersecurity isn’t just about being safe. The investment in these technologies and practices will foster the respect and trust of your customers, which is a good thing no matter where you do business.