They say it’s better to get your ducks in a row before starting anything, and the GDPR agrees when it comes to data privacy. That may be hyperbole, but GDPR’s Privacy by Design is an approach that encourages organizations to consider privacy right from the beginning, rather than as an afterthought.

To cite a recent example of why Privacy by Design matters: in November 2022, the Irish Data Protection Authority imposed a €265 million fine on Meta, finding that the company had failed to comply with GDPR’s requirement for data protection by design and default.

So, what does Privacy by Design and Default mean for your business and why does it matter to your consumers? Let’s take a look.

What is Privacy by Design?

Privacy by Design (PbD) found its first mention in a 2009 report published by Ontario’s Information and Privacy Commissioner, Ann Cavoukian. The report defines Privacy by Design as the “philosophy and approach of embedding privacy into the design specifications of various technologies.” It emphasises the need to incorporate data protection practices into projects and decisions at the outset and to take a proactive approach to privacy.

Why should businesses care about privacy by design?

A 2022 study by Google and Ipsos found that the negative impact of a poor privacy experience is almost as severe as that of a data breach. 43% of people said they would switch from a preferred brand to another if the latter provided a good privacy experience.

The demands for data privacy are growing and there seems to be no turning back. It is no longer just related to regulatory compliance but has become a competitive differentiator for many businesses. 

For businesses, the Privacy by Design approach is essential and can:

  • Make compliance with global privacy regulations easier 
  • Keep critical data safe and avoid regulatory fines 
  • Avoid risk to brand reputation from violations
  • Gain a competitive edge and build consumers’ trust

So, is your business ready to evaluate its data protection strategy and rethink privacy by design? Let’s start by understanding the foundational principles of the PbD approach.


What are the principles of Privacy by Design? [with infographics]

The 7 foundational principles of Privacy by Design set out by Ann Cavoukian are:

1. Proactive not reactive; preventative not remedial

Organizations should take a proactive rather than reactive approach. Instead of responding to privacy violations and data breaches, businesses should actively implement procedures, monitor risks and integrate secure practices to identify and mitigate privacy risks before they happen.

2. Privacy as the default setting

Companies can design their system with privacy-by-default features such as data minimization and data encryption so that minimal effort is required to uphold privacy and there is little scope for possible misuse of the data.  Your consumers shouldn’t have to worry about their privacy settings and data when they use your products or services. 

3. Privacy embedded into design

Privacy should be part of the discussion from the initial stages of a product’s development and design, i.e. businesses should take a privacy-first approach. By incorporating privacy from the get-go, you can ensure that the product is built for compliance and avoid having to retrofit privacy features and functions onto existing systems.

4. Full functionality – positive-sum, not zero-sum

Privacy is a positive-sum goal, not a zero-sum goal. Companies should avoid the false idea of trade-offs between privacy and other functionalities and showcase that it is possible to have both. There should be no compromises made with respect to privacy for providing services. For instance, limiting access to certain features by forcing users to provide their data is an unethical practice.

5. End-to-end security – lifecycle protection

Privacy by Design prioritises the security of user data throughout its lifecycle, from collection, through sharing with third parties, to deletion. Strong security measures are essential to privacy from start to finish.

6. Visibility and transparency

All stakeholders, including users, need assurance that the systems and technologies used are privacy-friendly. Businesses need to implement transparency by documenting their actions and communicating them clearly and consistently through privacy policies. Companies should give users access to their data and handle requests for information through user-friendly platforms.

7. Respect for user privacy

This principle sums up the core idea of all the other principles. Privacy by Design requires businesses to keep the interests of their users at the forefront by implementing strong privacy-by-default safeguards and user-friendly options, and by empowering users with transparency.

Infographic on 7 Foundational Principles of Privacy by Design

Privacy by Design in GDPR Explained

The concept of PbD found a resurgence when the General Data Protection Regulation introduced it within its pages. Article 25 of the GDPR covers ‘Data protection by design and by default’.

Article 25(1) of the GDPR

“implement appropriate technical and organisational measures… in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects”. 

Article 25(2) of the GDPR

“implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”

What does “Data protection by design and by default” require? 

  • Implement appropriate technical and organisational measures to protect users’ data.
  • Integrate data privacy safeguards to protect data subjects’ rights in accordance with GDPR.
  • Process only as much data as is necessary for the purpose it was collected, store data only as long as it is required and make it accessible only to the relevant personnel.

What do ‘by design’ and ‘by default’ mean?

Data protection ‘by design’ means that data protection rules are taken into account at the early stages of a business, when designing IT systems and processes, for example by building in encryption and pseudonymization.

Data protection ‘by default’ means that personal data is not processed unnecessarily and is processed in the most privacy-friendly manner, for example through limited data collection and no automatic opt-in or pre-checked boxes.

Infographic on Privacy by Design and Privacy by Default

Who is responsible for implementation? 

Data controllers (i.e. any organization that processes the personal data of users in the EU). Data processors are not specifically mentioned in Article 25; however, controllers must only use data processors who provide sufficient guarantees (as per Article 28) that they meet the requirements of data protection by design and by default.

When is the principle to be applied? 

The principle of data protection by design and default is to be applied:

  • During the design phase, “at the time of the determination of the means for processing”, i.e. at the stage of identifying the intended processing activities.
  • During the entire lifecycle, “at the time of the processing itself”, i.e. from data collection to deletion.

What are technical and organizational measures to be implemented?

GDPR does not define a ‘one size fits all’ method for technical and organisational measures. Businesses should take into account the following considerations before applying technical and organizational measures:

  • The costs of implementation of any measures
  • The nature, scope, context, and purpose of your processing
  • The risks your processing poses to the rights and freedoms of data subjects

Some examples of technical and organizational measures include:

  • Minimizing personal data processing
  • Anonymizing personal data
  • Ensuring transparency through policies
  • Implementing security safeguards

How to implement Privacy by Design in your business?

There are no universal, one-size-fits-all measures to achieve Privacy by Design. Here is a Privacy by Design checklist to incorporate into your organisation’s framework.

Privacy By Design Checklist

  • Take a ‘privacy-first’ stance. When developing the default settings of new systems and applications, make sure to consider data protection safeguards as early as possible in the product-development lifecycle. 
  • Audit and map all personal data. Assess the categories of data you collect, store and process and catalogue them. Audit all organisational processes and the way personal data is processed within the organisation.
  • Anonymise personal data. De-identify personal data from direct and indirect indicators that may lead to identification. Take efforts to incorporate anonymization and pseudonymization into your product development plans and roadmaps.
  • Implement security controls. Apply access controls, encryption, and secure storage to protect personal data against unauthorized access, use, and disclosure. 
  • Have agreements with third parties. Ensure your partners, vendors and third parties you conduct business with implement technical and organizational measures for data protection.
  • Implement additional provisions for sensitive data. If you process “special categories” of personal data, implement additional provisions such as acquiring parental consent, or appointing a Data Protection Officer (DPO).
  • Empower users to exercise their rights. Provide individuals with easy means to exercise their data privacy rights to access, delete, export and update data.
  • Prepare for privacy incidents. Draw up a plan to respond to incidents such as data breaches and practice it with test incidents and scenarios.
  • Document and demonstrate. Record all steps taken and demonstrate your data protection strategy to the data protection authorities or an internal DPO.
  • Conduct regular reviews. Perform regular reviews to ensure that privacy and data protection measures remain effective and that any new changes do not compromise privacy.
  • Leverage automation. Businesses should employ simple, automated systems for data privacy controls using tools like CookieYes CMP so that they can easily stay compliant without adding friction for employees.

How to implement Privacy by Default in your business?

Both privacy by design and privacy by default go hand in hand to ensure that users have more control over their personal data. Here’s how you can implement privacy by default in your business.

Privacy by Default Checklist

  • Minimise data collection. Only collect the personal data that is strictly necessary to achieve a specific, documented goal and limit access to personal data to those doing the processing.
  • Develop transparent privacy policies. Be transparent in your privacy policy and data sharing policy and update them to address any changes. Avoid legalese and inform your users about your data privacy practices and why it matters.
    Example (screenshot): Slack’s privacy policy is grouped into clearly labelled sections covering important information on their data privacy practices.
  • Inform users with ‘just-in-time’ notices. Explain to your users what personal data you collect from them, and how it will and will not be used.
    Example (screenshot): BBC displays a just-in-time notice that explains why the user needs to provide their date of birth for registering and how they’ll use it.
  • Implement opt-in consent. When collecting personal data, request the user’s consent via cookie consent banners and opt-in checkboxes.
    Example (screenshot): Cookielawinfo requires users to explicitly give their consent to receive the newsletter and acknowledge that they’ve read the privacy policy.
  • Offer user-friendly, granular control. Give users granular control over their data and provide them with the option to exercise choices and easily withdraw consent.
    Example (screenshot): Iconique’s website features a cookie banner requesting consent before setting cookies and provides a granular option to mark their cookie preferences.
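The opt-in, granular-control and withdrawal items above map onto a small consent model that a site script can consult before setting any non-essential cookie. This is an added example, not code from the original post or from CookieYes; the category names and the record shape are assumptions. Nothing is pre-checked, a missing or tampered stored record falls back to “denied”, withdrawal is a single call, and every change is logged so the decision can be demonstrated later.

```javascript
// Added example (not from the original post): a privacy-by-default consent
// record for cookie categories. Category names and record shape are assumptions.
const CATEGORIES = ["necessary", "analytics", "marketing"];

// Privacy by default: only strictly necessary cookies are allowed until the
// user explicitly opts in. No category is pre-checked.
function defaultConsent(now = Date.now()) {
  return {
    necessary: true,   // exempt: required for the service to work at all
    analytics: false,
    marketing: false,
    updatedAt: now,
    history: [],       // audit trail: what was granted or withdrawn, and when
  };
}

// Record one granular choice. Unknown categories are rejected, "necessary"
// cannot be toggled, and the choice must be an explicit boolean.
function setChoice(consent, category, granted, now = Date.now()) {
  if (!CATEGORIES.includes(category) || category === "necessary") {
    throw new Error(`invalid category: ${category}`);
  }
  if (typeof granted !== "boolean") throw new Error("choice must be explicit");
  const entry = { category, granted, at: now };
  return { ...consent, [category]: granted, updatedAt: now,
           history: [...consent.history, entry] };
}

// Withdrawal must be as easy as consenting: one call returns every optional
// category to the default (denied) state while keeping the audit trail.
function withdrawAll(consent, now = Date.now()) {
  let next = consent;
  for (const c of CATEGORIES) {
    if (c !== "necessary" && next[c]) next = setChoice(next, c, false, now);
  }
  return next;
}

// Gate to call before a script sets a cookie or loads a tracker:
// absence of a decision means "no", never "yes".
function mayUse(consent, category) {
  return category === "necessary" || consent[category] === true;
}

// Load a stored record defensively: unparsable input or a category flipped to
// anything other than the boolean true (e.g. the string "true") stays denied.
function loadConsent(raw, now = Date.now()) {
  let parsed;
  try { parsed = JSON.parse(raw); } catch { return defaultConsent(now); }
  const consent = defaultConsent(now);
  for (const c of CATEGORIES) {
    if (c !== "necessary" && parsed && parsed[c] === true) consent[c] = true;
  }
  if (parsed && Array.isArray(parsed.history)) consent.history = parsed.history;
  return consent;
}
```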

Wrapping up

Privacy by design and privacy by default are two integral approaches in data privacy frameworks and regulations. As countries across the globe continually pass new privacy laws and compliance measures, it is important that businesses incorporate privacy protection into the core of their development process as well as throughout their lifecycle to ensure compliance and build consumer confidence.

It’s time to empower your consumers with control over their data and to foster a strong relationship built on trust and respect for privacy. Take the first step today and evaluate your website’s current privacy practices against Privacy by Design principles and incorporate them into your online business.

FAQ on Privacy by Design

What is meant by Privacy by Design?

Privacy by design is an approach that aims to embed privacy and data protection into the design and architecture of a system, product, or service, rather than treating them as an add-on at later stages. 

The concept was developed in the 1990s by Ann Cavoukian, the former Information and Privacy Commissioner of Ontario, Canada. It has since been adopted by many organizations and accommodated into data protection regulations around the world. 

What is Privacy by Design vs Privacy by Default?

Privacy by Design and Privacy by Default are two approaches or frameworks for data protection and privacy that are also enshrined in privacy laws like the GDPR (EU) and LGPD (Brazil).

Privacy by Design (PbD) is a framework that emphasizes the importance of integrating privacy and data protection measures throughout the entire development process of any product, service or system. 

Privacy by Default refers to a framework that focuses on enabling default privacy settings to any product, service or system so that users don’t have to take any extra steps or change any settings to protect their personal data.

What is an example of Privacy by Design?

An example of Privacy by Design is the “Do Not Track” (DNT) feature in web browsers. DNT allows users to communicate their preference to opt out of online tracking by sending a signal to websites. DNT lets websites know that the user does not want their browsing activity to be tracked. This feature was embedded within browsers to give users more control over their online privacy.

Is Privacy by Design required by GDPR?

Yes, Privacy by Design is required under the General Data Protection Regulation (GDPR). Article 25 of the GDPR, titled “Data Protection by Design and by Default,” states that data controllers should implement appropriate technical and organizational measures to ensure that data processing is in compliance with the regulation (data protection by design).

Data controllers should also implement privacy-friendly default settings: process only the data that is necessary, keep it only for a limited period and ensure that it isn’t made accessible to an indefinite number of persons (data protection by default).

The UK’s data protection authority, the ICO, states that Privacy by Design:

 “…encourages organisations to ensure that privacy and data protection is the key consideration in the early stages of any project and throughout its life cycle.”