GDPR (22) The future – privacy by design
As we reach the end of our long journey through the world of data protection, we have one final aspect to consider: privacy by design. The legislature wants every controller (and, through the guarantees it must obtain from them, its processors) to take the right to privacy into consideration from the moment it starts planning a personal data processing operation (Article 25).
The GDPR drafters assume that we will develop some kind of privacy reflex. If we do, the legal requirements will become a natural, self-evident aspect of building an application or configuring a website, or, equally, organising a survey or setting up a scientific study.
It is best not to collect or process personal data except where necessary. Even when we have a good reason to collect and process such data, processing must be limited to what is strictly required for the stated purpose. The GDPR calls this data minimisation (Article 5(1)(c)), and it goes hand in hand with purpose limitation (Article 5(1)(b)) and storage limitation (Article 5(1)(e)). All new initiatives therefore require plenty of thought.
- In the past it was considered advisable, when analysing a new application or designing a database, to add extra attributes or fields to a file on the basis that they might come in handy later. Today the reverse applies: the amount of data must be minimised and geared to the specific purpose for which it will be processed. A field with no defined purpose is a liability rather than an asset: it has to be secured, kept accurate and eventually deleted, and it widens the impact of any breach.
- It is advisable to record, alongside each piece of data, when it becomes out-of-date or obsolete, or simply may no longer be kept. Set this retention deadline when the record is created, derived from the purpose the data was collected for, rather than deciding case by case later. This makes it possible to delete data systematically as soon as it is no longer needed or we can no longer guarantee its accuracy, and it gives the storage limitation principle a concrete hook in the database schema.
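To make the two points above concrete, here is an added example (my own illustration, not code from the original post or from Group Joos) of a table that stores only the field the purpose needs, stamps every row with a retention deadline at insert time, and purges expired rows in one systematic step. The survey table, the per-purpose retention periods and the sample rows are all constructed assumptions; in a real system the retention schedule comes from the record of processing activities, not from a dictionary in the code.

```python
"""Retention metadata and systematic deletion.

Added example, not the blog's own code. Assumptions (not from the original
post): a small survey-response table, a retention schedule keyed by processing
purpose, and sqlite3 as the store.
"""
import sqlite3
from datetime import date, timedelta

# Hypothetical retention schedule, in days, per processing purpose.
RETENTION_DAYS = {
    "survey_analysis": 90,
    "event_registration": 30,
}

SCHEMA = """
CREATE TABLE survey_response (
    id           INTEGER PRIMARY KEY,
    purpose      TEXT NOT NULL,  -- why the data was collected (purpose limitation)
    answer       TEXT NOT NULL,  -- the only payload the purpose needs (minimisation)
    collected_at TEXT NOT NULL,  -- ISO date
    retain_until TEXT NOT NULL   -- fixed at insert time, never left open-ended
);
"""


def retention_deadline(purpose, collected_at):
    """Last day a record may be kept, derived from its purpose.

    An unknown purpose is refused rather than given an unbounded lifetime:
    data with no defined purpose should not be stored at all.
    """
    if purpose not in RETENTION_DAYS:
        raise ValueError(f"no retention period defined for purpose {purpose!r}")
    return collected_at + timedelta(days=RETENTION_DAYS[purpose])


def open_store():
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    return conn


def record_response(conn, purpose, answer, collected_at):
    """Insert one response; the retention deadline is computed, not optional."""
    deadline = retention_deadline(purpose, collected_at)
    conn.execute(
        "INSERT INTO survey_response (purpose, answer, collected_at, retain_until)"
        " VALUES (?, ?, ?, ?)",
        (purpose, answer, collected_at.isoformat(), deadline.isoformat()),
    )
    conn.commit()
    return deadline.isoformat()


def purge_expired(conn, today):
    """Delete every row whose deadline has passed and return how many went.

    ISO-8601 dates compare correctly as strings, so a plain comparison works.
    """
    cur = conn.execute(
        "DELETE FROM survey_response WHERE retain_until < ?", (today.isoformat(),)
    )
    conn.commit()
    return cur.rowcount


def remaining_ids(conn):
    return [row[0] for row in conn.execute("SELECT id FROM survey_response ORDER BY id")]


def demo():
    """Constructed sample data: three responses, then a purge on 2024-04-01."""
    conn = open_store()
    deadlines = [
        record_response(conn, "survey_analysis", "yes", date(2024, 1, 1)),
        record_response(conn, "event_registration", "vegetarian", date(2024, 1, 1)),
        record_response(conn, "survey_analysis", "no", date(2024, 3, 15)),
    ]
    deleted = purge_expired(conn, date(2024, 4, 1))
    return {"deadlines": deadlines, "deleted": deleted, "remaining": remaining_ids(conn)}


if __name__ == "__main__":
    print(demo())
```

Run as a script it prints the computed deadlines (2024-03-31, 2024-01-31 and 2024-06-13 for the three sample rows), reports that two rows were purged on 1 April 2024 and shows that only the third row remains. The point is the shape of the schema: retention is a property of the row, decided from the purpose at collection time, so deletion becomes a routine job rather than a periodic clean-up project.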
Applications should also contain functionality that guarantees the data subject's rights (Articles 12 to 22) and makes it easier for those rights to be exercised in practice.
- Whenever an application requests personal data from data subjects, the information required by Article 13 must be made available at the same time: the purpose and legal basis of the processing, how long the data will be kept, who will receive it, and the rights the data subject has. A smartphone app that records athletic performance, for example, must tell the data subject what it collects and stores in the background, and what the builder of the app intends to do with that data, before the app is used for the first time. This can be incorporated in app user interfaces in a convenient manner, for instance as a short layered notice at first launch.
- Likewise, anyone gathering data through a website must provide the same clear information about the processing operations at the moment the data is collected, not afterwards. Where data is collected for several purposes, these must be distinguished from one another as far as possible, so that the visitor can accept or refuse each purpose separately.
- Future applications could also include functionality that allows data subjects to view their data and, where the situation permits, rectify, supplement or delete it. These rights are not absolute: the right to erasure, for example, gives way where the data must be kept to comply with a legal obligation (Article 17(3)), so the application must be able to refuse a deletion request and explain why.
Privacy by design also means that when an application is designed, the best ways to protect the data are considered from the outset.
- For example, you can build the application so that data is encrypted wherever possible. A website can serve all traffic over TLS (https), data can be exchanged as encrypted files sent through encrypted channels, and any data that has to be kept for some time after a processing operation can be held in an encrypted file, for example in a secure digital archive. All of these measures reduce the risk that data will be made public or fall into the wrong hands, with one caveat: encryption only protects data from someone who does not hold the key, so the keys must be managed and stored separately from the data they protect. Taking such measures into consideration from the start of the design phase works out much cheaper than retrofitting them later.
- Another measure that may be considered in some circumstances is pseudonymisation, which the GDPR names explicitly as a privacy-by-design measure (Article 25(1)). As we explained in an earlier instalment of this blog, this means removing the direct references to specific individuals from the files and keeping the information needed to re-identify them separately, under its own technical and organisational safeguards (Article 4(5)). It reduces the harm done in the event of a mishap involving a file. Note that pseudonymised data is still personal data as long as someone can put the references back (Recital 26); it is anonymous only when that is no longer possible.
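The following added example (my own illustration, not code from the original post or from Group Joos) shows one common way to pseudonymise a file: the direct identifiers are replaced by a keyed hash (HMAC-SHA256) of the e-mail address, the working file keeps only that token plus the payload, and a separate lookup table holds the link back to the person. The record layout, the choice of name and e-mail as the direct identifiers, and the sample records are constructed assumptions. A keyed hash is used rather than a plain hash so that anyone who obtains the working file without the key cannot rebuild the tokens from a list of known e-mail addresses.

```python
"""Pseudonymisation with a keyed hash and a separately held lookup table.

Added example, not the blog's own code. Assumptions (not from the original
post): records are dicts; 'name' and 'email' are the direct identifiers;
HMAC-SHA256 under a secret key produces the pseudonym.
"""
import hashlib
import hmac
import secrets

DIRECT_IDENTIFIERS = ("name", "email")


def pseudonym(key, email):
    """Deterministic pseudonym for one person.

    The same e-mail address always yields the same token (so an analysis can
    still link a person's records), but the token cannot be reversed or
    recomputed without the key. The address is normalised first so that
    'Ann@Example.org' and 'ann@example.org' map to one token.
    """
    normalised = email.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()[:16]


def pseudonymise(records, key):
    """Split records into a working file and a lookup table.

    working: records with the direct identifiers removed and a 'subject' token added.
    lookup:  token -> direct identifiers; this is the 'additional information' of
             Article 4(5) and must be stored separately from the working file.
    """
    working, lookup = [], {}
    for rec in records:
        token = pseudonym(key, rec["email"])
        lookup.setdefault(token, {k: rec[k] for k in DIRECT_IDENTIFIERS})
        payload = {k: v for k, v in rec.items() if k not in DIRECT_IDENTIFIERS}
        working.append({"subject": token, **payload})
    return working, lookup


def reidentify(working_record, lookup):
    """Only whoever holds the lookup table can do this."""
    return lookup[working_record["subject"]]


def contains_direct_identifiers(working):
    """Check that nothing in the working file still names a person directly."""
    return any(k in rec for rec in working for k in DIRECT_IDENTIFIERS)


# Constructed sample records (not real people).
SAMPLE = [
    {"name": "Ann Example", "email": "ann@example.org", "score": 42},
    {"name": "Bob Example", "email": "bob@example.org", "score": 17},
    {"name": "Ann Example", "email": "Ann@Example.org", "score": 58},
]


def demo(key=None):
    """Pseudonymise the sample under a fresh random key unless one is supplied."""
    key = key if key is not None else secrets.token_bytes(32)
    return pseudonymise(SAMPLE, key)


if __name__ == "__main__":
    working, lookup = demo()
    print("working file:", working)
    print("lookup table (keep separately):", lookup)
```

Two properties are worth checking after a run: the working file must contain no direct identifier at all, and the two records for the same person must carry the same token while a different key must produce different tokens. The working file is still personal data in the GDPR's sense as long as the key and lookup table exist; what the measure buys is that a leak of the working file alone does not, by itself, expose who the records are about.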
This brings us to privacy by default (Article 25(2)). What this means is that whenever an application allows the user to choose whether or not to make data public, share data with others or make data available for certain types of processing operations or future communication, the standard settings of that application must always be its most privacy-protective settings: by default only the data needed for the specific purpose is processed, and nothing is made accessible to an indefinite number of people. These settings change only if the user actively performs a procedure (such as ticking a box or clicking a button to indicate consent); a pre-ticked box does not count as consent (Recital 32).
As you can see, data privacy can be strengthened using all kinds of measures, which the GDPR encourages everyone to apply at all times and to the greatest extent possible. Data privacy is therefore not a stand-alone subject for a one-off project that we can soon forget; on the contrary, it is a matter of constant concern.
The future will show how large and small businesses, individual data subjects (who may be goaded into action by consumer organisations or trade unions), the supervisory authorities and the EU itself will deal with the GDPR. There will no doubt be some complex disputes for the courts to deal with. It is therefore hard to predict what the answers will be to the many questions that still remain at this time. One thing is clear, however: data privacy is something that needs to be taken into consideration and this will most probably always be the case.
And so even though this is the final instalment of this blog, there will no doubt be opportunities in future to announce news, share tips and report on interesting debates and developments. In the meantime, I hope that this blog has helped in some way to ensure the theme of data privacy receives the attention it is due within our society. At Group Joos in any event, we make a point of being ready to treat the personal data of our customers, our contacts, our visitors and our own employees with the respect that they deserve.
Viktor D’Huys is the ICT manager of Group Joos. He is responsible for matters including data security and the coordination of the GDPR project. He is a Certified Information Security Manager (CISM certified by the ISACA) and has been awarded the CIPP/E (Certified Information Privacy Professional/Europe) credential by the IAPP (International Association of Privacy Professionals).
If you have any questions or comments, please write to us at firstname.lastname@example.org.