Privacy by Design

PECB MS alliance with KPMG: PECB MS is partnering with KPMG to launch a Privacy by Design Certification Program. PECB MS offers certification services for clients interested in becoming certified against the Privacy by Design Criteria.

General overview of the PbD Certification - Privacy Certified outlines the general requirements that processes must meet to be compliant with privacy as set forth in our standard. The annex for “Privacy by Design” contains the objective criteria used to evaluate a process and reach a conformant certification decision. “Privacy by Design” is a frequently discussed topic in the realm of data protection. It is based on the principle that any action an organization undertakes which involves processing personal data must be done with data protection and privacy in mind at every step. This includes internal projects, product development, software development, IT systems, and much more. In practice, this means that the IT department, or any department that processes personal data, must ensure that privacy is intrinsically built into a system during the whole lifecycle of the system or process.

The foundations of the PECB MS Privacy by Design Certification are the Seven Foundational Principles of Privacy by Design, designed by the Information and Privacy Commissioner of Ontario.

Seven Foundational Privacy by Design Principles - The seven foundational privacy principles can be briefly explained as follows:

  1. Proactive not Reactive – Preventive not Remedial

Organizations should take a proactive approach to data protection and privacy issues rather than a reactive one. PbD enables an organization to be prepared at all times rather than waiting for privacy risks to materialize. It does not offer remedies for resolving privacy infractions once they have occurred; instead, it prevents privacy-invasive events before they happen, which means taking action before the fact, not after it.

  2. Privacy as the Default Setting

Ensure that personal data is automatically protected in all IT systems and business practices. Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that individuals do not have to take any steps to protect their data, because protection is built into the system by default.

  3. Privacy Embedded into Design

Embed data protection into the design of any system, service, product and business practice. You should ensure that data protection is part of the core functions of any system or service, so that it becomes integral to them. Privacy should not be an add-on measure, but a fully integrated component of the system, without compromising functionality.

  4. Full Functionality – Positive-Sum, not Zero-Sum

Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum approach that avoids unnecessary trade-offs. It rejects the belief that a system or service can only have privacy or security, not both, and demonstrates that it is indeed possible to have privacy and security together.

  5. End-to-End Security – Lifecycle Protection

This principle emphasizes the continuous protection of personal data throughout its entire lifecycle, whether the data is at rest, in motion or in use, from initial collection to destruction. This ensures that all data are securely collected, used and retained, and then securely destroyed at the end of the process, in a timely fashion.

  6. Visibility and Transparency – Keep It Open

This principle is about ensuring visibility and transparency to individuals, such as making sure that they know what data you process and for what purpose(s). An organization must conform to its stated privacy and security practices. These practices are subject to independent verification, and are made visible and transparent to everyone. Robust visibility and transparency enhance the capacity for independent verification.

  7. Respect for User Privacy – Keep It User-Centric

Privacy by Design requires architects and operators to keep the interests of the user as a priority, by offering strong privacy defaults, appropriate notice, and user-centric, user-friendly interfaces. Empowering data subjects to play an active role in the management of their own data may be the single most effective check against abuses and misuses of privacy and personal data.

Certification process - The certification steps are briefly described below:

  1. Apply – The Privacy by Design Certification process begins when your organization submits a Privacy by Design application, which is available on request;
  2. Assess – Assessment services are carried out under a separate agreement, under which the product(s), service(s) and/or process(es) being certified are assessed. A report is issued based on the assessment methodology developed exclusively for the Privacy Certified Certification;
  3. Certify – After examining the assessment report, we issue a decision as to whether certification will be granted. A certified organization receives the certificate and is listed on our website;
  4. Surveillance – Certifications are valid for a three-year period, but must be renewed annually. We will remind you in advance with all the details on how to keep your certification up to date;
  5. Annual Self-Declaration – An important part of renewing your certification is the annual self-declaration form, in which your organization attests whether there has been any change that would affect your certification;
  6. Renew – If PECB MS is satisfied with the annual self-declaration form, and upon payment of the renewal fee, your Privacy by Design Certification is renewed for another year.

Once you receive the certification, you can display it on your website and/or product or offering, and share your assessment results and certification with your business partners.

Benefits of PECB MS Certification - By having a Privacy by Design Certification from a certification body such as PECB MS, your organization will be able to:

  • Ensure compliance by getting ahead of the legislative curve and minimizing non-compliance risks
  • Reduce the likelihood of fines and penalties from authorities as a result of data breaches
  • Maintain best practices with the independent assessment of privacy and security controls
  • Gain competitive advantage and market access with the relevant industry scheme certification
  • Increase customer confidence and trust
  • Gain/increase reputation and respect
  • Continually improve processes and performance
  • Use Privacy by Design to enhance privacy awareness within your organization

Contact us at ms.processing@pecb-ms.com to find out how we can assist you in attaining PECB MS Privacy by Design Certification.