Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start of any project, or whenever the way data is used within your organisation changes. It begins by asking questions such as: Can we use this data? Should we use this data? What does the customer expect? What do we need to document at the beginning, during and following the end of a project?
These questions should then continue to be asked naturally and fluidly throughout the processes of every area of the company that collects and uses data. Privacy should become the inherent approach across the whole business, particularly in information technology, general business practices, processes and network infrastructure.
Basic principles can be employed that are neither industry specific nor tied to particular technical implementations. These are:
being proactive not reactive: preventative not remedial
setting privacy as the default, meaning the data subject should not have to take any action
having privacy embedded into design and into the architecture, and not added in at the end
giving privacy end-to-end life cycle protection - at the point of collection, during any kind of processing and at the end when the data is disposed of
maintaining visibility and transparency throughout all your business practices
simply put, making respecting user privacy a primary aim.
On your to-do list:
Put measures in place to ensure that the data subject’s rights and freedoms are preserved simply because the processing has been designed that way.
Conduct a DPIA as an important part of the above. If you know what the risks are to the data subjects' rights, it is much simpler to establish measures that will protect them.
Include data protection from the very onset of designing any system.
Data minimise - i.e. process only the data that is absolutely necessary for the completion of its purpose or duties. Reduce the categories and the overall amount of personal data collected, and use pseudonymisation in the early stages.
Restrict access to personal data to only those needing to perform the actual storage and processing.
Understand how to uphold the data subjects’ right not to be subjected to automated processing that could produce legal or similarly significant effects on them.
Build security and privacy protections into the full life cycle of a new product or system.
Implement technical measures that correspond to the data protection principles and that prevent access incompatible with the specified processing purpose (e.g. role-based access to data, of which an HR department's records are a good example).
Start to generate the evidence (record it!) that all the measures you have implemented are really being applied on a day-to-day basis, as the natural course of things.
Collect data with purpose, which means your organisation does not collect everything simply because it can.
Review your existing architecture: ask what personally identifiable information actually is and where it exists, and examine ingress and egress (remembering that with transfers to a third party, responsibility remains with you as the CONTROLLER).