Skip links

 Seven (7) Principles of Data Privacy by Design

By

Jane Ombiro, CIPP/E

Data Protection Associate 

South-End Tech Limited

Ann Cavoukian, former Information and Privacy Commissioner of Ontario, popularized the concept of privacy by design.  This concept has been codified in Article 25 of the General Data Protection Regulations 2016. The concept  is also set out in Section                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                                              41 of the  Data Protection  Act of  2019, laws of Kenya and Part V of the Data Protection (General) Regulations 2021. The Act mandates controllers and processors to employ appropriate technical and organizational measures designed to implement the data protection principles effectively and integrate necessary safeguards into the processing. This obligation applies at the time of determining the means of processing and at the time of processing.

The Regulations on the other hand provide the elements for the protection of personal data by design or default that are necessary to implement the data protection principles. These elements are enumerated in Regulations 28 to 35 of the Data Protection (General) Regulations 2021. From the above, it is evident that the Act and the Regulation do not define privacy by design and as such they do very little in helping us understand the concept of privacy by design.

To define Privacy by design we must then resort to Ann Cavoukian’s work, according to Ann privacy by design means embedding data protection into the design specifications of new systems, technologies, businesses, operations services etc.

The principle dictates that personal data protection must be incorporated from the onset when developing new systems, technologies, services and businesses. The principle also dictates that companies should inculcate data protection and privacy at every stage of development and throughout the lifecycle of the products, systems, technologies and other services. Privacy by design therefore does not end at the initial stages of development, it is an ongoing process.

The following seven foundational principles make up data privacy by design.

  1. Proactive not Reactive, Preventative not Remedial- Privacy by design anticipates and prevents privacy risks. It does not wait for the privacy risks to materialize
  2. Privacy as the Default- Privacy by design dictates that by default privacy is built into the systems of new technologies, services businesses etc, and as such no further action should be required from data subjects to maintain their privacy.
  3. Privacy Embedded into Design- Data protection should be embedded into the design specification of technologies, operations services etc. Privacy therefore becomes integral to the functionality of the technologies, operations and services
  4. Full Functionality – Positive-Sum, not Zero-Sum- Privacy by design seeks to accommodate all legitimate interests as opposed to making unnecessary compromises.
  5. End-to-End Security – Full lifecycle Protection– Privacy by design demands that strong security measures are essential to privacy from the beginning to the end of the data lifecycle,
  6. Visibility and Transparency- Privacy by design dictates that parts and operations remain visible and transparent, to both users and providers. This is essential in establishing stakeholder trust.
  7. Respect for User Privacy- Privacy by design dictates that the interest of the data subject is of utmost importance and as such developers and engineers must put in place measures such as strong privacy defaults, appropriate notice, and empowering user-friendly options.

When the seven principles of privacy by design are adhered to users of those technologies and systems are automatically accorded a good level of privacy protection without requiring additional actions from their end e.g. seeking higher privacy settings in their mobile devices.

Even with the apparent benefits of privacy by design, the concept has been criticized over the years with its implementation having been said to be confusing and complex for developers and data handlers alike. The reason is that developers are unfamiliar with the goals of legal data protection principles and data handlers are unfamiliar with the technical data privacy tools.  To ensure the effective implementation of privacy by design the dissonance between data handlers and developers must be done away with.

The compliance with the privacy by design requirement in data protection must be present from the initial stage of developing new products and throughout the lifecycle of those products.

Please do not hesitate to contact us for your Cybersecurity and Data Protection Solutions and Service needs on the telephone at +254115867309 +254721864169; +254740196519; +254115867309 or email

jombiro@southendtech.co.ke

cybersecurity@southendtech.co.ke or

info@southendtech.co.ke

Leave a comment

This website uses cookies to improve your web experience. Privacy Policy