What is privacy by design and how does it protect data and user privacy?

Privacy by design (PbD) is not a new concept. It’s mentioned by name in the General Data Protection Regulation (GDPR), which was implemented in 2018. The core principle is that privacy should be built into processes, products and services from project conception through every stage of development, implementation, and operation. Privacy should be an important consideration right from the design stage, rather than being thought about and added retroactively.

The concept of privacy by design was first introduced by Canadian privacy expert Dr. Ann Cavoukian in the 1990s and has since been widely adopted as a best practice in privacy protection. In 2010, the 32nd Conference of Data Protection and Privacy Commissioners adopted the “Resolution on Privacy by Design”, which sparked further strong encouragement (if not outright legal requirement) for privacy by design to be included in future or updated privacy laws in the EU. This led to the development of Article 25 of the GDPR.

Privacy by design is meant to be proactive and preventative, rather than to retroactively address regulatory responsibilities, limit risks, or clean up after violations. A Google/Ipsos report from 2022 found that the negative impact of a poor privacy experience is almost as severe as that of a data breach. The framework helps to ensure that privacy risks are identified and minimized from the outset, long before they could ever happen, and that protecting personal data is the default operational decision driver.

Concerns about collection and use of personal data continue to grow among consumers, and enforcement of data privacy laws by data protection authorities is increasing. Privacy by design provides organizations with a valuable framework to achieve and maintain privacy compliance, build user trust, and maintain the critical flow of data to drive revenue.

Privacy by design is a bit of a philosophy, but given its established principles, it is most importantly a framework for privacy protection. It requires thinking about and implementing privacy measures right from the beginning of projects where personal data will be processed, from planning and design through to deployment, maintenance, and updates.

Building privacy by design into processes like software development seems obvious, but it can be equally important to include it in work like user persona development. Who needs protecting? What data of theirs will be requested and needs protecting? How do they view and approach their data privacy? What experiences do we want to provide them and how does privacy affect that?

Privacy by design also belongs in many parts of projects and operations, not just in designing forms or databases, for example. This helps achieve better user experience, privacy compliance, and ease of maintenance and updates. Outside of active building, as with software development, privacy by design also needs to be included in day-to-day operations like customer support or building partnerships.

Privacy by design has seven generally accepted foundational principles:

Anticipate and prevent privacy invasive events before they happen. Do not wait for privacy risks to materialize. Do not offer remedies for resolving privacy infractions once they have occurred. Prevent them from occurring.

Deliver the maximum degree of privacy by ensuring that personal data is automatically protected in any IT system or business practice. Individuals’ privacy is protected even if they do nothing to ensure it. It is built into the system by default.

Embed it into the design and architecture of IT systems and business practices. Do not bolt it on after the fact. Make privacy an essential component of the core functionality being delivered, integral to the system without diminishing functionality.

Accommodate all legitimate interests and objectives in a “win-win” manner. Don’t make unnecessary trade-offs because of dated beliefs or practices. Avoid false dichotomies like privacy vs. security and demonstrate that it is both possible and desirable to have both.

Embed privacy long before data is collected, and maintain it securely throughout the entire lifecycle of the data. Strong security measures are essential to privacy, from start to finish. Ensure that all data is securely retained only as long as needed, and securely destroyed in a timely manner at the end of the process. Secure end-to-end lifecycle management of information.

Assure all stakeholders that all business practices and technology involved operate according to stated promises and objectives, subject to independent verification. Component parts and operations are visible and transparent to users and providers alike.

Architects and operators are required to keep the interests of individuals first by offering strong privacy defaults, appropriate notice, and empowering user-friendly options. Keep it user-centric.

Privacy by default is also a principle of privacy by design, that privacy should be the default setting for systems and processes. At times in the past, particularly online, there has been an attitude of collecting as much data from as many sources as possible, even if it’s not immediately or explicitly needed, or individuals never consented to it. Companies would figure out how to make money from it at some point. Privacy by default is the opposite of this approach.

Fundamental to privacy by default is that responsibility for ensuring privacy or protection of personal data should not fall on the individual. They should not have to take action to protect their privacy, or ensure good privacy protection for themselves, as default settings should already provide a high level of privacy protection.

This ties closely into user experience as well, especially for building trust. While individuals should not have to act to protect their privacy, they should be clearly informed what settings and functions exist to protect it for them.

The GDPR’s requirements are fairly extensive, and privacy must be a consideration and integrated into all aspects of process, product and service design where personal data is processed. The responsibility falls on data controllers and requires them to do appropriate risk management and data protection in everything from development to daily operations. As noted, Article 25 GDPR is specifically dedicated to privacy by design and by default.

The California Consumer Privacy Act (CCPA) and other laws require businesses to implement reasonable security measures to protect personal information, and to consider privacy risks in the development and implementation of new products and services. Industry-specific federal laws also address data privacy and security, like the Federal Trade Commission’s Gramm–Leach–Bliley Act, which covers financial institutions.

There is no comprehensive federal privacy law in the US that requires privacy by design across all industries, so interpretation and implementation of privacy by design will likely vary widely for the foreseeable future. However, with increased scrutiny and enforcement by data protection agencies, it may force increased efforts and standardization.

For organizations that collect and process personal data via websites or apps, there are a number of best practices recommended for implementing privacy by design. There are parallels among these and Article 5 GDPR as well, which addresses “Principles relating to processing of personal data”.

Collect only the personal data that is necessary for the specific purpose(s). This helps to reduce the risk and potential harm from unauthorized access in the event of a breach. It also helps build trust with users when it’s clear that an organization is only asking for what is necessary in order to provide the desired experience, products or services.

Provide clear and easily accessible information about the types of personal data being collected, why it is being collected, and who will have access to it. While some privacy laws do not require consent prior to personal data collection, most of these regulations do require user notification of at least this information via a Privacy Policy or Notice. It is also necessary to ensure it is kept up to date, not only when regulations change, but when the technologies that your site or app uses do (e.g. for tracking). It is desirable to automate these functions, i.e. with a consent management solution.

Implement appropriate technical and organizational measures to protect personal data from unauthorized access, theft, modification or destruction. It is safer to prevent violations rather than to deal with their consequences. Repairing the company’s finances and reputation is always a struggle.

Enable users to control the collection and use of their personal data. For example, options to opt-out of data collection or sale, and/or the ability to have corrections or deletion carried out. Many privacy laws have specific requirements about these functions and outline them as consumers’ rights. However, it is often best practice to go beyond the basic legal requirements and put users in control. This also encourages trust and willingness to provide more data over the long term. Ensure that all options are presented equally to avoid dark patterns or other manipulative practices.

Ensure that privacy is built into the design and default settings of products and services. For example, privacy-enhancing technologies such as encryption and pseudonymization should be used by default. Additionally, it is always recommended that organizations consult qualified legal counsel to solidly understand their ongoing responsibilities under relevant data privacy laws for the regions where they do business, and how to address those through the user and data journey.

Evaluate the privacy practices of third-party service providers, such as analytics and advertising companies, and ensure that appropriate contracts and agreements are in place to protect personal data. Under most privacy laws, the data controller, not the processor (e.g. the advertising partner) is legally responsible for data protection and liable if there is a violation.

Regularly review and assess the current legal landscape of relevant regulations, as well as privacy impacts of products, services, and processes to ensure that privacy by design remains an ongoing concern.

It is legally required by some laws, and best practice, to review privacy practices and notifications regularly, e.g. every six or 12 months. Additionally, when using a consent management platform, the analytics enable regular analysis of user interactions to optimize messaging and other aspects of user experience to ensure users are informed, privacy is protected, and consent rates are optimized.

Privacy by design can have a significant impact on marketing operations. Data strategy for marketing is already changing, moving away from third-party data and less controlled ways of using collected personal data. Privacy by design is also an important consideration for marketing functions that are growing in popularity, like preference management and server-side tagging, for which user consent is a key function through the data lifecycle.

Marketers want to build great customer relationships, and adding privacy by design into their strategies and operations is a solid way to do so, while still getting business-critical data to run those operations. A Google/Ipsos report from 2022 revealed that a positive privacy experience for the users increases brand preference by 43%.

The entire raison d’être of privacy by design is the protection of user’s data and privacy and the idea that having both privacy and security are possible and desirable. This drives all projects from conception to maintenance phase.

Privacy by design anticipates negative privacy events before they happen in order to prevent them, and ensures personal data is protected automatically. Responsibility for privacy protection is not downloaded to users, limiting risks from ignorance, apathy or mistakes. Users are kept notified about privacy and data use at all stages, however, as transparency is a central value.

Responsibility and liability are held by the entity accessing personal data, and they take responsibility for all third-party entities that may access the data, because if anything goes wrong they are responsible, and will face the loss of trust and damage to brand reputation as well as fines and other penalties, even if they did not directly cause the issue.

Data and privacy are protected without users having to do anything because protection is designed and built into all systems and a key consideration for the entire lifecycle of data and processing, so there are no weak points where data privacy measures are “bolted on” as an afterthought.

A consent management solution is a smart way to implement privacy by design at the point of personal data collection. A consent management platform (CMP) notifies users about things like what data will be collected and for what purposes. Where regulations require or best practices are being used, it also securely records and stores users’ consent preferences. In addition to enabling privacy compliance, this also streamlines audit compliance for the company if one is ordered by a data protection authority, and enables users to update their consent choices in the future.

Consent management also facilitates privacy by design by enabling control over which partners, services and tools have access to user data that is collected. By demonstrating respect for the user’s data, preferences and consent, personalized communications can be improved and user experiences enhanced. This builds trust, increases user engagement and helps in establishing long-term customer relationships.

In an ideal world, privacy by design would be part of the founding of all companies, before minimum viable products. It would be the first and ongoing consideration in the design, build, implementation and maintenance of products and services. Users wouldn’t need to do their own due diligence on companies they were considering buying from or engaging with otherwise. They wouldn’t need to dig down through convoluted sub-menus to find and edit their security and privacy settings on websites and apps.

But in our world, privacy — and particularly privacy by design — doesn’t need to be at odds with building and growing a company. In fact, the earlier it’s considered, the easier it can be to ensure the company and user data are protected.

Companies aren’t alone in figuring out how to center privacy by design in their philosophy, communications and operations. Tools like consent management platforms exist precisely to enable that. These tools are also designed with the understanding that companies need data, and that they have sophisticated marketing operations to run. Tools like a consent management platform enable and optimize that, while providing seamless user experiences. Privacy by design helps provide peace of mind to customers and companies.

Learn more about how the Usercentrics Consent Management Platform (CMP) can help you integrate privacy by design into your website or app. Talk to one of our experts.