Privacy by Design
The concept that organizations need to build privacy directly into technology, systems and practices at the design phase, thereby ensuring the existence of privacy from the outset. Originating in the mid-1990s by the Information and Privacy Commissioner of Ontario, the principle has gained recognition around the globe, including from the U.S. Federal Trade Commission and the European Commission. Privacy by Design consists of seven foundational principles: (1) Proactive not Reactive; Preventative not Remedial. Privacy by Design anticipates and prevents privacy invasive events before they happen, rather than waiting for privacy risks to materialize; (2) Privacy as the Default Setting. No action is required by individuals to maintain their privacy; it is built into the system by default. This concept has been introduced in the European Commission’s draft regulation to reform data protection. (3) Privacy Embedded into Design. Privacy is an essential component of the core functionality being designed and delivered. The FTC has adopted this principle in its proposed consumer privacy framework, calling for companies to promote consumer privacy throughout the organization and at every stage of product development. (4) Full Functionality—Positive-Sum, not Zero-Sum: Privacy by Design seeks to accommodate all legitimate interests and objectives, rather than making unnecessary trade-offs. (5) End-to-End Security—Full Lifecycle Protection. Strong security measures are essential to privacy, from start to finish of the lifecycle of data. This is another principle the FTC has adopted in its proposed consumer privacy framework. (6) Visibility and Transparency—Keep it Open. Privacy by Design seeks to assure all stakeholders that whatever the business practice or technology involved, it is in fact, operating according to the stated promises and objectives, subject to independent verification. Its component parts and operations remain visible and transparent, to users and providers alike. Remember, trust but verify. (7) Respect for User Privacy—Keep it User-Centric. Above all, Privacy by Design requires architects and operators to keep the interests of the individual uppermost by offering such measures as strong privacy defaults, appropriate notice, and empowering user-friendlyoptions. Keep it user-centric.
Reference(s) in IAPP Certification Textbooks: F14-15, 128; US21; M88-90, 121-122