If you own a website, you have probably heard of privacy by design and privacy by default. These are fundamental GDPR principles that every website owner should know and implement. In this short guide, we explain how to comply with them.
The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures.
Article 25 of the General Data Protection Regulation introduces the concepts of privacy by design and privacy by default, which are essential for ensuring data security from the very beginning of a product or service.
According to the GDPR, every project must be initiated with privacy and data protection in mind to minimize any associated risks. This is part of the broader principle of accountability, for which you should always adopt a problem-prevention approach, rather than repairing the damage later.
For this reason, it’s recommended to start with a risk assessment to identify any vulnerabilities that could expose users to breaches. Article 25 also outlines the criteria that the data controller must consider in order to comply with the principle of privacy by design:
The nature of the processing, so how much it can affect users’ freedoms and rights.
The state of the art, meaning the technology available within the company and on the market.
The cost of implementation, which includes both monetary costs and the time and resources used.
What does privacy by design mean?
Privacy by design means integrating the protection of personal data from the design stage of a system or service. This proactive approach covers not only technology, but also business practices and operational decisions.
The goal is to minimize privacy risks from the outset, making data protection a core component and not a later addition.
What are the 7 principles of privacy by design?
The 7 principles of privacy by design were first defined by Ann Cavoukian, former Information and Privacy Commissioner for the Province of Ontario. The principles are as follows:
Proactive not reactive: as we already said, your approach should be to prevent problems, not solve them later.
Privacy as the default setting: make sure that the default settings are always the ones that ensure the highest degree of privacy protection.
Privacy embedded into design: privacy considerations should be integrated into the design process at all stages.
Full functionality – positive-sum, not zero-sum: privacy protections should not come at the expense of functionality or usability.
End-to-end security: privacy protections should extend throughout the entire lifecycle of data, from collection to storage, use, and disposal.
Visibility and transparency: organizations should be transparent about their data practices and policies.
Respect for user privacy: privacy by design should prioritize the interests and preferences of individual users.
Privacy by design: main requirements
The main requirements of privacy by design include:
Data minimization: collect only the data strictly necessary for the service provided.
Purpose limitation: use collected data only for the stated purposes and not for any other purpose.
Built-in security: ensure that systems are designed with robust security measures to protect the data.
Transparency: be clear about how data are collected, used, and protected (to be specified in a privacy policy).
Proactive accountability: organizations must be proactive in preventing privacy risks.
💡 Here are a few practical examples
Ensure secure browsing with a SSL certificate and HTTPS transmission.
Define organizational policies for access to sensitive information.
Back up the data.
Define an appropriate plan of action in case of data breach.
What does privacy by default mean?
Privacy by default means that the default settings of any service or product should be those that offer the highest degree of privacy. This implies that, without explicit user action, the collection and sharing of personal data should be limited to the minimum necessary.
Privacy by default: main requirements
The main requirements of privacy by default include:
Explicit consent: users must give explicit consent for any use of their data beyond basic functionality.
Ease of privacy management: privacy-related settings should be easily accessible and understandable to users.
Data protection from the start: personal data should be protected automatically without user intervention.
Minimizing data retention: keep personal data only as long as strictly necessary.
In conclusion, privacy by design and privacy by default are critical concepts in the digital age to effectively protect users’ personal information. This is not just about regulatory compliance, but about a cultural shift towards a more respectful and privacy-conscious approach to digital technologies.
Did you know that privacy by design also means compliance with privacy laws?
Here at iubenda, we have created a scanner to help you identify any compliance issues on your website!