Privacy-by-design, sometimes written as PbD, can be an intimidating term, but we are here to de-mystify it.
Privacy-by-design is the idea of building privacy protections into processes to make good privacy practices a part of normal, everyday practice – making them the “default setting”. This includes building privacy into human and technological processes, and making privacy an automatic consideration in business operations.
The key principles of Privacy-by-design
| 1. Proactive and preventative, not reactive and remedial | Take a proactive approach to protecting privacy. Anticipate risks to prevent privacy-invasive events before they occur. |
| 2. Privacy as a default setting | Automatically protect personal information in IT systems and business practices as the default. |
| 3. Privacy embedded into design | Embed privacy into the design of any systems, services, products and business practices. Privacy should be one of the core functions of any system or service. |
| 4. End-to-end security – full lifecycle protection | Implement strong security measures throughout the information ‘lifecycle’. Process personal information securely and destroy it securely when you no longer need it. |
| 5. Visibility and transparency – keep it open | Ensure whatever business practice or technology you use operates according to the stated promises and objectives (in your privacy policy). Make people fully aware of the personal information you collect, and for what purpose(s). |
| 6. Respect user privacy – keep it user centric | Keep the interest of individuals paramount in the design and implementation of any system or service. Offer strong privacy defaults and user-friendly options, and ensure appropriate notice is given. |
Practical tips to implement Privacy-by-design
- Minimise the information you collect, and minimise aggregation of personal information or data that could be identifiable.
- Involve IT and compliance team members in projects, to contribute to the design of new systems and check any possible impacts on privacy.
- Conduct PIAs when starting a new project or changing how you handle personal information.
What is a PIA?
The OAIC says:
“A privacy impact assessment (PIA) is a systematic assessment of a project that identifies potential privacy impacts and recommendations to manage, minimise or eliminate them.”
A PIA helps to identify and minimise the privacy risks of changes to services or policies and new projects. A PIA is an important privacy by design process that assists compliance with privacy obligations and delivers benefits to organisations.
The OAIC has published guidance on PIAs, including 10 steps to undertaking a privacy impact assessment.
How we can help
We can help by making the ideas of Privacy-by design and PIAs tangible and specific to your organisation’s operations and regulatory needs. We can support you to implement Privacy-by design with a privacy compliance audit, or training to empower your staff. More information about our privacy work is here.
Contact us
Please contact us for more detailed and tailored help.
Subscribe to our email updates and receive our articles directly in your inbox.