Seven Foundational Privacy by Design Principles
1. Proactive not reactive – Preventive not remedial
Organizations should take a proactive approach to data protection and privacy issues rather than a reactive one. Privacy by Design (PbD) enables an organization to be prepared at all times rather than wait for privacy risks to materialize. It does not offer remedies for resolving privacy infractions once they have occurred; it prevents invasive events before they happen, which means taking action before the fact, not after it.
2. Privacy as the Default Setting
Ensure that personal data is automatically protected in all IT systems and business practices. Privacy by Design seeks to deliver the maximum degree of privacy by ensuring that individuals do not have to take any steps to protect their data, because it is built into the system by default.
3. Privacy Embedded Into Design
Embed data protection into the design of any system, service, product, and business practice. You should ensure that data protection is part of the core functions of any system or service, so that it becomes integral to them. Privacy should not be an add-on measure, but a fully integrated component of the system, without compromising functionality.
4. Full functionality – Positive-sum, not Zero-sum
Privacy by Design seeks to accommodate all legitimate interests and objectives in a positive-sum approach that avoids trade-offs. It rejects the belief that in any system or service it is only possible to have privacy or security, not privacy and security, and demonstrates that it is indeed possible to have both.
5. End-to-End security – Lifecycle protection
This principle emphasizes the continuous protection of personal data throughout its entire lifecycle, from initial collection to destruction, whether the data is at rest, in motion, or in use. This ensures that all data is securely collected, used, and retained, and then securely destroyed at the end of the process, in a timely fashion.
6. Visibility and Transparency – Keep It Open
This principle is about ensuring visibility and transparency to individuals, such as making sure that they know what data you process and for what purpose(s). An organization must conform to its stated privacy and security practices. These practices are subject to independent verification, and are made visible and transparent to everyone. Robust visibility and transparency enhance the capacity for independent verification.
7. Respect for User Privacy – Keep It User-Centric
Privacy by Design requires architects and operators to keep the interests of the user as a priority, by offering strong privacy defaults, appropriate notice, and user-centric, user-friendly interfaces. Empowering data subjects to play an active role in the management of their own data may be the single most effective check against abuses and misuses of privacy and personal data.