The Seven Principles of Privacy By Design

Posted on September 27, 2021 - by Sarah Berthiaume - in Trends in InfoSec


Privacy by Design (PbD) is an approach in technology and policy development that holistically aims to embed privacy into the earliest phase of the development lifecycle. It establishes that whenever you are developing a new product, system, or process which processes personal information, then privacy should be at the forefront and baked into its design at the beginning of its lifecycle.

In the 1990s, Ann Cavoukian, former Information and Privacy Commissioner for the Province of Ontario, developed Privacy by Design to incorporate privacy into technologies, practices, and procedures. Cavoukian’s seven principles continue to influence privacy regulations and frameworks around the world, shaping discussions about Privacy by Design into 2021.

Organizations implement PbD with the primary goal of protecting the privacy of individuals and service users. Concepts from Privacy by Design have also worked their way into data protection regulations across the globe, such as Article 25 in the GDPR about Data Protection by Design and Default.

Here we’ll look at the seven principles of Privacy by Design, which will give you a basic understanding of how you can incorporate this concept for data protection in your business.

1. Privacy is Proactive Not Reactive

This framework aims to endorse strong privacy practices at the outset. Privacy by Design rejects the reactive approach to data breaches, in which damage is remediated only after an event occurs. Instead, the idea is to implement preventative measures at the outset and prevent a data breach from occurring in the first place. Implementing proactive PbD means being prepared for potential disasters before they occur: identifying potential threats, anticipating their occurrence, and taking appropriate action in advance.

2. Privacy as the Default Setting

This principle sets out the default rules by which data should be collected, retained, used, and eventually destroyed, so that privacy is at the center of an organization’s data collection and use practices. The Global Privacy Standard Fair Information Practices inform the PbD framework here, in particular Purpose Specification; Collection Limitation; Data Minimization; and Use, Retention and Disclosure Limitation, among other practices discussed later in this post.

When you collect data from individuals, you must do so only for a specific purpose limited to the activity for which the individual has consented. Only the data necessary for those purposes should be collected. You should minimize the ability to link categories and types of personal data at all costs. You should retain personal information only as long as necessary to complete the activity for which the data was originally collected, after which it is securely destroyed. With privacy as the default setting, data is automatically protected in all practices without needing additional actions by individuals.

3. Privacy Embedded into Design

Privacy is not a function that is added after the fact; it is embedded into the design and infrastructure of systems and business practices. Privacy is an essential component of systems even before they roll out and should maintain optimal functionality. 

To have privacy embedded into the design of a venture or project means ensuring the proper privacy compliance safeguards are in place. Be sure to make privacy impact assessments and risk assessments a part of that goal. They will help you to measure privacy and security risk and to mitigate any potential breaches of privacy.

4. Full Functionality (Positive-sum, not Zero-sum)

Privacy by Design aims to avoid unnecessary trade-offs or compromises with other systems and practices throughout its implementation. It operates as a benefit and in concert with the systems in which it is embedded, offering full functionality for both in a positive-sum environment.

For example, security and privacy should coexist and function at full capacity together without hindering each other’s operation.

5. End-to-End Protection – Lifecycle Security

Having privacy embedded into the design of systems or practices means keeping personal information protected throughout the lifecycle of its processing. Processing activities include collecting, storing, retaining, using, and eventually disposing of personal information. According to Ann Cavoukian in Privacy by Design: The 7 Foundational Principles, the “Security” principle is fundamental because privacy cannot be guaranteed without solid security. The two principles included are:

  • Security: Responsibility for security over personal information.

6. Visibility and Transparency

This principle enables organizations to garner trust by showing accountability for their personal information processing activities. It ensures that organizations engaging in the processing do so according to the stated purposes and that individuals are made fully aware of those purposes. Accountability is measured through verification by documentation of policies and procedures.

When transferring data to or between third parties, proper protection measures are adopted. Information about policies and procedures is made available under the Openness practice principle. Rectification measures are made available to strengthen the ability to adhere to compliance standards. When applying this principle, compliance with privacy policies and procedures is monitored, evaluated, and verified.

7. Respect for User Privacy (Keep it User-Centric)

The individual is at the forefront of all privacy-related concerns and decision-making. By keeping decisions focused on the user, the Privacy by Design framework aims to give users more control over what happens to their personal information. This should be done with respect for rights and notices, as well as by offering options that suit the needs of individual users.

Consent is required from the individual before any data processing activities occur. All personal information must be kept accurate. Individuals have a right to access their information. They may challenge its accuracy and have it changed if necessary. 

Ann Cavoukian also proposed the need for “human-machine interfaces to be human centered, user-centric and user friendly so that informed privacy decisions may be reliably exercised.”

As a framework that encourages privacy from the outset, Privacy by Design offers a guideline to embedding privacy into your enterprise goals while keeping two main objectives in mind: privacy as the default and keeping the user’s needs in focus.

Putting Privacy First with Securicy

The principles of Privacy by Design are essential to building, implementing and maintaining a robust security program. Requirements in laws like the GDPR are modeled after the seven principles of Privacy by Design. If you are looking to achieve multi-compliance with industry security standards and laws, book a demo and talk with our team of security experts.

About the author

Sarah Berthiaume is an intern Cyber Security Analyst and content provider for Securicy’s blog. She enjoys volunteering in her community and making a difference in social service. Her true passions are her family, technology, writing, and art. She hails from Sydney, Nova Scotia with her two beautiful children and her adorable cats.