Privacy by Design and GDPR An update

Privacy by design: Making sure you only ever know what you need to know about your customer.

Let’s start with a quick refresher. GDPR is based on 7 key principles: 

1. Lawfulness, fairness and transparency 
   You must process data lawfully, fairly and transparently. People should understand what, how and why you’re processing their data. 
2. Purpose limitation 
   You should only collect data for clear, specified and legitimate purposes. You can’t then process it in ways that are incompatible with your original purposes. 
3. Data minimisation 
   You should only collect the data you need.  
4. Accuracy 
   Your data must be accurate and kept up to date. Inaccurate data should be erased or corrected.  
5. Storage limitation 
   If data can be linked to individuals, you can only keep it for as long as you need to carry out the purposes you specified. (Caveats for scientific, statistical or historical research use.) 
6. Integrity and confidentiality (i.e. security) 
   You must ensure the personal data you hold is processed securely. You must protect it from unauthorised or unlawful processing and against accidental loss, destruction or damage. 
7. Accountability 
   You’re responsible for the data you hold and should be able to demonstrate your compliance with the GDPR.  

Ultimately, the whole point of GDPR is to make organisations handle their customer data carefully and securely.  

But for large companies, that’s a big challenge. How can they protect their customers’ data as they process it across multiple systems, teams and technologies?  

Privacy by Design and GDPR 

That’s where Privacy by Design comes in.  

Privacy by Design is an approach to data protection that helps you comply with GDPR. It blends user-centred design and service design approaches. It adds a compliance layer to your service blueprints – maps that plot customer journeys and all the interactions, data flows and so on that customers have with your business.  

Service blueprints map how customers – and their data – interact with your products and services. Learn more about designing products and services with GPDR.

This is great for GDPR. Service blueprints can show: 

1. When and how you’re collecting, processing and storing customer data 
2. Why you’re collecting data and how you’ll use it  
3. Where data is needed, so you can strip out any unnecessary collection  
4. When it’s updated, so you know how accurate it’s likely to be 
5. How long you need to keep it 
6. How the data is protected, i.e. what security you have in place 
7. Who in your organisation is responsible for your data and processes 

So you can see, privacy by design directly addresses the seven principles of GDPR. And it’s these seven principles that we need to hold close, because the specifics of GDPR legislation have already changed, and will continue to evolve. Which brings us on to …  

GDPR didn’t freeze in 2018 

Legislation as significant and far-reaching as GDPR takes time to bed in. That’s partly down to people understanding how they can use it, and partly because elements of the legislation need to be clarified.  

So it hasn’t stood still since 2018. In fact, GDPR has developed apace. Even if you were 100% compliant on 25 May 2018, that may no longer be the case. New guidance has included:  

• Certification and certification criteria  
• Territorial scope, plus developments between the EU & US 
• Accreditation of certification bodies 
• Codes of conduct and monitoring bodies 
• Processing personal data when providing online services to data subjects 
• Personal data through video 
• Right to be forgotten in search engines 
• Changes to cookie policies for websites 

And this rapid evolution of GDPR is set to continue.  

The future of GDPR 

In June 2020, the European Commission published a briefing paper that laid out progress with GDPR to date. It also signalled how it expects GDPR to develop over the coming years. That includes: 

Implementation 

The Commission has signalled that it will continue to encourage full compliance and alignment among its member states. It has also suggested that more support for SMEs is forthcoming, perhaps around low-risk data processing and tools such as standard contractual clauses (SCC).  

The Commission has also hinted that bans on data processing may have a higher impact on compliance than the large fines that have so far been issued.  

Codes of conduct for special categories of data (health, scientific research) are coming.  

A proposed directive will enable class actions and make cross-border suits cheaper.  

Stakeholder support 

New guidelines will continue to clarify how GDPR is applied. Current guidelines will be reviewed and adapted as needed.  

We can expect the European Commission to provide more standard contractual clauses, tools and support to encourage data portability beyond the financial sector.  

Certification is on the horizon, especially for cyber-security and data protection by design.  

The EU wants to encourage data portability beyond the financial sector.

Innovation 

The European Commission is watching COVID-19 apps closely. It’s monitoring how GDPR is applied to new technology such as blockchain, IoT and especially AI and facial recognition.  

GDPR is designed to be technology neutral, and the European Commission points to innovation in the face of COVID-19 as proof that it flexes to fit new technology.   

N.B. The Commission is also watching “multinational technology companies”, “large digital platforms” and innovations in “online advertising and micro-targeting”. You can assume they’re talking about Facebook, Amazon, Google and friends. It identifies the Irish and Luxembourg data protection authorities as key enforcers of GDPR due to the multinationals based in these countries.  

The EU is keeping a close eye on technology multinationals like Facebook.

Convergence and collaboration 

Convergence and collaboration within the EU 
The European Commission notes that national data protection authorities are not yet conducting joint investigations. (That’s where two countries team up to handle a breach or complaint.) It says cross-border cases need to be more efficient and harmonised. The Commission expects this to happen as GDPR continues to bed in.  

International convergence and collaboration 
The Commission considers itself world-leading in terms of data protection. It’s promoting its standards via several avenues: 

• Through ‘mutual adequacy decisions’ – essentially data flow agreements – with Japan and shortly South Korea 
• Embedded into bilateral trade agreements e.g. with New Zealand and Australia (and, providing a trade deal is agreed, with the UK) 
• Through fora like the OECD, ASEAN, the G7 and the G20 

• Through its Data Protection Academy for EU and international regulators 

These routes are in addition to agreements such as the CLOUD Act, which allows US and UK government security agencies to request electronic data regarding serious criminal activity from technology companies based in the other’s country.  

It is particularly keen to empower innovation through trusted data flows and to enable international cooperation between law enforcement authorities and private operators.  

There are two other things to be aware of: 

Privacy Shield is dead 

In a victory for privacy campaigners but a blow to transatlantic trade, the agreement whereby U.S. companies could process European customers’ data, Privacy Shield, was struck down by the European Court of Justice in July.  

Privacy experts say there will be a replacement, but fundamental differences between the United States and Europe’s take on privacy means it’s only a matter of time, they say, before the replacement is struck down, too.  

This will be an ongoing struggle that companies will wrestle with, unless they adopt – like Microsoft has – non-negotiable standard contractual clauses drawn up by the European Commission. These are now the only permissible way, and therefore the default, for U.S. companies to process EU customers’ data.  

That said, there are things that American companies can do to put EU businesses at ease, such as adopting Privacy by Design, achieving ISO27001 certification and being transparent about how they adhere (or don’t adhere) to GDPR. 

Caption: U.S. companies like Microsoft are using standard contractual clauses to process EU customer data. Image source

The ePrivacy Regulation debate rolls on 

The draft ePrivacy Regulation, often known as the ‘cookie law’, will complement GDPR and again aims to strengthen data protection within the EU and present the EU as a single digital market.  

The ePrivacy Regulation is set to replace the current ePrivacy Directive. (That’s the directive that was responsible for all the cookie popups you see when you browse from an EU country.) Among other things, it aims to ensure digital communications between two parties, such as instant messaging and VoIP conversations, are kept private. It also wants to cut spam and other unsolicited messages.  

In addition, the regulation wants to give European citizens the ability to set their cookie preferences in the browser, not on each site they visit. This has serious implications for digital marketers and anyone who wants to track and reach users across multiple sites. That’s one reason why it’s taken so long to work its way through the European Parliament: parts of the regulation are hotly contested. Some European member states – those with strong advertising/publishing/media industries – strongly oppose the Regulation, so it’s been ricocheting between the European Commission and member states since 2017.  

Will it make its way through to become legislation? There’s great willing from the EU, but still a gulf between member states. For now, we’ll have to wait and see.  

In the meantime, Cyber-Duck recommends that tracking cookies are switched off by default when a user lands on your site for the first time. The ICO guidance is clear: Non-essential cookies should not be pre-enabled by default. If a user hasn’t opted in, they haven’t given consent.  

GDPR compliance builds competitive advantage 

Here’s what all this means for you.  

GDPR is going to continue to evolve. In particular, cross-border collaboration between countries and class action lawsuits could raise the impact of any GDPR breaches. That means your organisation needs to stay across the latest developments. (We’ll do our best to help with that.)  

But GDPR legislation is complex. To give you the best chance of complying with any future mandates, and to reduce disruption to your business, you need a customer-centred approach that respects and protects their data.  

That’s where Privacy by Design comes in. Think of it as a way to align your organisation with the philosophy behind GDPR, rather than the precise detail. By building consideration of your customer’s data into their journey, it’ll be far easier to implement any extra measures or protections as GDPR legislation develops. It’s a way to position yourself as protector of your customer data when you undergo digital transformation, optimise your customer journeys, or implement AI. It gives you the understanding and process you need to adapt in line with GDPR.  

Privacy by Design builds compliance into your systems and workflows.

What to do next 

If your last GDPR audit was back in 2018, a refresh may be in order for 2021. You can use our GDPR checklist to establish where you stand, and a full audit will show you exactly where privacy by design can protect your customers and strengthen your business. Get in touch to find out more – we’re ready to help.