Privacy by design: Securing ecosystems from the outset

Privacy cannot be looked at as an after-thought or a feature but as an integral part of a product lifecycle. Privacy by design means that protection of personal data is thought off at the design stage by the technology engineers. The idea that is prevalent here is that data will remain protected during any data processing lifecycle as the feature which is in-built in the technology ab initio.

Key features of Privacy by Design

1.  It is proactive, and not remedial

Organisations must have security measures and controls as an embedded feature such that it protects the privacy of an individual from the outset and not as a remedial feature, to be applied only when the organisation has suffered a breach. As privacy and data protection will be integrated into the product from a proactive perspective, it becomes a priority from inception.

2. Privacy has to be a default feature

This principle works in such a way that it ensures the protection of personal data as a default feature within any organisation. This way, individuals need not be concerned about the responsibility of securing their own data because privacy by default helps in preserving the security of the system.

3. Privacy must be embedded into the design

Privacy by Design must be embedded into the design and architectural infrastructure of the IT systems. Privacy cannot be taken as an add-on feature but an essential core component. One must note that privacy is an integral part of a system, and it does not in any way attenuates the functionality of the system.

4. Privacy by design as a non-negotiable factor

Maintaining privacy as a feature in the architectural structure of the organisational IT systems should not be a trade-off between either privacy or functionality. If a system has to undergo any compromise, the system may not be as efficacious as it should be.

5. An end-to-end protection

Privacy by Design takes security from beginning to end as a key consideration. This means that data must be protected at every stage of the processing: collection, storage, processing, and disposal. Moreover, the parties involved, whose data is being processed, must have the visibility to know how the data moves through this lifecycle. To ensure that any system is effective and safeguarded, accountability and compliance are required.

6.Respecting the user’s right to privacy

As any organisation dealing with their customer’s private and sensitive private information is under the risk of facing a data breach that could lead to major financial and reputation loss, they must safeguard their customer’s data and ensure it is high on their list of concerns. The systems must be optimised to help users navigate it easily and effectively, while they traverse through this lifecycle with the implicit trust that their data is secure. Therefore, while building the applications and systems, the technical team should be aware about the rights of individuals and accordingly configure systems to address the requirements.

Privacy by Design as per India’s Draft Personal Data Protection Bill 2019

Privacy by design is one of the key requirements of the recently released draft version of India's Personal Data Protection Bill of 2019. The bill mentions that every Data fiduciary should prepare a privacy by design policy, which covers certain aspects such as,

1. the practices and systems designed,
2. the technologies used,
3. the legitimate interests of businesses,
4. how data is protected during the lifecycle, and,
5. demonstration of transparency principle to showcase the measures being taken to prevent any harm to the individual.

What can organisations do?

• Impart privacy by design training to staff to identify and consider data protection issues from the start of any processing activity and adopt appropriate technical and organisational measures to safeguard personal data from unauthorized use, access and disclosure.
• Conduct a data protection impact assessment for all new kinds of processing of personal data to ensure that the data is being processed for the specific purpose for which it was collected, and retained for the duration it is required for the business purpose. It must be protected during the data lifecycle and securely disposed of once the usage is complete.
• Ensure that security controls are considered during the design of the product on the basis of the nature of processing such as role-based access controls, data encryption at rest/transit/storage, data classification, anonymisation, pseudonymisation, etc.
• Perform a thorough due diligence of envisaged third parties, i.e. data processors, to ensure that appropriate organisational, security, technical, physical controls are implemented to prevent any likelihood of harm to the data principle. The data should be transferred only when an organisation ascertains that appropriate controls, basis the nature of processing, are implemented.

Conclusion

As organisations have begun their journey to collect data from numerous sources, specifically for the purposes of customer profiling and analytics to provide customised services or target a particular set of audience to gain competitive advantage, embedding privacy by design into their processes has become a necessary task. Moreover, failure to implement sufficient controls to protect personal data can end up in the imposition of significant monetary penalties, up to the tune of 4% of annual global turnover. Thus, it would be imperative for organisations to create trustworthy and protected data management ecosystems. To ensure that companies keep heading on the path of a sustainable ecosystem, they must adopt privacy by design, which now is a mandated regulation, rather than a recommendation.

By Manish Sehgal, Partner, Deloitte India