Since 25 May 2018, the General Data Protection Regulation (GDPR) offers a unifying framework of data protection laws whose primary aim is to give individuals control over their own data. If you are a startup – or any business really – the GDPR makes you think about how to manage your data in a responsible and accountable way. It wants you to put in systems that ensure user data is managed securely.
In particular, Article 25 of the GDPR titled “Data Protection by Design and by Default” is important for startups to take into consideration. It encourages organizations to implement measures right at the earliest stages of product design and development.
What is Privacy by Design and by Default?
Privacy by design
Privacy by design is an approach that promotes data protection compliance from the very start. In practice this is usually considered only at the end, or ignored all together. For this reason we wanted to highlight this topic specifically since the High-Tech SeedLab is focusing on supporting early stage startups.
Once you have decided what and to which purpose data will be processed, you need to define the technical and/or organisational measures from the onset. Popular technical measures are pseudonymisation and encryption. The first method replaces the identifiable personal data with artificial identifiers, whereas the second method encodes the data only to be seen by authorized users. The ultimate purpose of this should be to comply with the seven key principles of the GDPR:
Privacy by default
Privacy by default refers to the built in standards in a new product or service. This approach encourages installing very high privacy settings that automatically apply to a new user. For example, in IoT many devices have a geolocation. This should be disabled by default. It may only get activated by active choice of the user.
A Guide for Implementation
Interestingly, the concept of Privacy by Design existed years before the GDPR. Ann Cavoukian, the former Information and Privacy Commissioner of the Canadian Province Ontario, is the creator of this approach. It was recognized as an essential component of privacy protection back in 2010, and later became part of the EU’s GDPR. Cavoukian’s privacy approach has been criticized as being vague and difficult to adopt. Though, others see her seven foundational principles of Privacy by Design as a useful guide for implementation:
|Proactive not reactive; preventive not remedial||Anticipate and determine the root cause and remediate at the source.|
|Privacy as the default setting||Privacy is ensured unless the user actively changes it.|
|Privacy embedded into design||Include privacy into all IT systems and business practices.|
|Full functionality – positive-sum, not zero-sum||Balance out conflicting needs without sacrificing privacy.|
|End-to-end security – full lifecycle protection||Consider privacy throughout the entire product/service life cycle.|
|Visibility and transparency – keep it open||Ensure clarity for both organization and user.|
|Respect for user privacy – keep it user-centric||Put the interest of those first who need their privacy to be protected the most.|
Put the interest of those first who need their privacy to be protected the most.
Applying these principles helps an organisation to be legally compliant. But what many don’t realize is that it also helps you to save costs in the long run. It is much less of an effort to adapt a product to potential changes at the development stage. Once the product is close to finished, it can be rather costly and difficult to amend.
In general, complying with GDPR standards like Privacy by Design and by Default will help your organisation build trust with your users. As you offer them transparency and control of their own data, you can foster a reliable relationship that is less bound to conflicting actions.
Finally, it is important to highlight that not only technical but also organisational measures are essential to take into consideration. Ultimately, the leading cause of data breaches is often improperly maintained software because organizations fail to apply best practices of data protection and privacy. For this reason, the High-Tech SeedLab aims to educate founders and promote best practices of data protection and privacy from early on to avoid costly problems in the future.
Do you want to turn your idea into a business and be part of a motivated group of like-minded entrepreneurs?
Applications for the High-Tech SeedLab Batch 2021 open in October 2020. If you have questions about the program or your application, please contact email@example.com.