PLC Magazine recently published a thought-provoking article, Data protection: privacy by (re)design, by Sylvain Magdinier and Claire Walsh of Marshall Denning. The piece provides a thorough analysis of one of the most challenging concepts of the EU General Data Protection Regulation (GDPR), privacy by design (PbD) under Article 25.
PbD is not new under the GDPR and its genesis can be traced back to 2009 and the work of Ann Cavoukian, the former Information and Privacy Commissioner for Ontario, Canada. However, with its unprecedented clout, the GDPR is driving people to take PbD much more seriously and embed the principle fully into their organisations’ systems and processes.
What differs in Magdinier and Walsh’s analysis from the commentary seen elsewhere on PbD is its focus on the challenge of making the systems you already have work in a GDPR-compliant manner “by design”. This is vital; very few businesses have the luxury of being able to procure new systems designed with GDPR benchmark privacy baked in. The piece refers to this as privacy by redesign.
PbD: pragmatism and subjectivity
The central point: “Article 25 makes clear that the data controller is required to implement PbD both at the time of determining the means for processing and at the time of the processing. PbD is not simply a forward-looking duty but must, at least in principle, be reverse engineered into existing personal data processing operations to ensure that compliance is built into processing operations when they take place”.
In essence, the GDPR calls for controllers to take a pragmatic approach to reverse engineering PbD that replicates the one for new builds:
- Measured assessment of the legal and compliance risks.
- Careful process engineering.
- Analysis of the organisation’s data operations that takes into account people’s actual interactions with data processing technologies.
The Data Protection Act 2018 (DPA 2018) layers onto this the requirement for each controller to implement appropriate technical and organisational measures that implement the data protection principles and integrate necessary safeguards (section 57).
As Magdinier and Walsh make clear, when applying PbD to existing systems the good news is that there is no absolute standard that applies. Crucially, what technical and organisational measures are appropriate is subjective to the controller, albeit in a highly enlightened way, not to all potentially-impacted data subjects.
Role of the data protection impact assessment
The article also highlights the key role of another creature of the GDPR in retrospective PbD: the data protection impact assessment (DPIA). The DPIA provides a framework for assessing the privacy-related risks that could arise from personal data processing as part of business activity. While DPIAs are generally considered to be part of future system and product design, they are just as effective where legacy system privacy risks need to be analysed for the first time. See Practice note, Data protection impact assessments under the GDPR.
Morrisons and vicarious liability
Subject to the outcome of a potential appeal to the Supreme Court, the Morrisons case, which effectively introduces vicarious liability to data protection infringements, is also very relevant (see Morrisons’ liability for rogue employee: an apple of discord). The knock-on effects of Morrisons should include a keener than ever focus on PbD. The direct exposure resulting from employee misuse of data highlights how critical it is to design and redesign the human elements of systems carefully. Indeed, the so-called “insider threat”, caused by worker negligence or criminality, is widely viewed as the most prolific source of data protection risk for businesses. The best technology upgrades in the world cannot mask this reality.
The long climb
As Magdinier and Walsh conclude, a successful privacy programme that rests on PbD principles cannot be achieved overnight and requires an intelligent approach to prioritisation. Meaningful buy-in from executive stakeholders, including general counsel, is fundamental – see Cybersecurity: from technology afterthought to critical business issue for the parallels with cybersecurity and executive buy-in (which is essentially part of the same conversation).
Compliance with legal and regulatory requirements is merely arriving at base camp. Conquering the mountain, with the power and resilience that come with a 360-degree view, only comes with a programme of lasting data security, effective data exploitation and competitive advantage (see Data use: protecting a critical resource). PbD and the organisation’s ability to use it retrospectively are at the heart of this.