What is privacy by design? A deeper dive into this GDPR requirement

Privacy by design (PbD) is a pretty simple concept: It’s essentially a procedural reminder to build user privacy principles into the development of a product or tool. It’s also a key tenet of the European Union’s upcoming General Data Protection Regulation (GDPR), a sweeping regulation that affects any organization with European users or members.

Privacy by design came into the popular lexicon in the 1990s, introduced by Ann Cavoukian, who was information and privacy commissioner of Ontario at the time. In 2012, the Federal Trade Commission began calling it a best practice for data privacy, along with transparency and simplified choice.

Why isn’t privacy by design used by everyone?

One reason might be the persistent tug between creative freedom and rules that are seen to inhibit innovation.

“Privacy by design is a really great framework from which to think about privacy and security because it looks at potential harms and asks us to consider what ‘could’ happen, and not just what’s ‘likely’ to happen,” Fatemah Khatibloo, a principal analyst at Forrester told me.

“But in engineering circles,” he said, “the legacy thinking has been that privacy and security requirements stifle innovation. Badly secured data, though, has cost companies real and actual harms, and that’s been a forcing function for design and engineering teams to embed security into products and services. We haven’t gotten there with privacy — yet.”

PbD as a brand benefit

After several years of massive data breaches and calls for more transparency in ad tech, the notion of building tools with privacy in mind has become more appealing — a trend that not only protects the companies building these tools but offers a “safer” brand to advertisers and consumers.

“PbD is definitely gaining traction as a result of GDPR — but most marketers (and other business leaders) still struggle with the concept. It’s really hard to get revenue-generating teams to think about PbD — or really, any risk-based approach to data collection and use — because that’s just not how they are measured or compensated. That’s why we turn the idea on its ear and talk about PbD and contextual privacy as opportunities to build transparency and trust with customers,” Khatibloo said, explaining that contextual privacy is a business practice in which the collection and use of personal data is consensual, within a mutually agreed upon context, for a mutually agreed-upon purpose.

She shared the graphic below as an explanation of this concept.

Integrating PbD into the development process

Lewis Barr, general counsel and vice president of privacy at customer profile and identity management software Janrain, told me that companies should include PbD as a default.

“Any martech solution provider or consumer-facing organization that processes personal data regularly should develop privacy by design and default practices as a means of being more customer-friendly, building trust and reducing liability exposure,” Barr said. “Although it shouldn’t take a government mandate to adhere to these principles, privacy by design is on track to become law anyway; GDPR is the culmination of an overall movement toward requiring privacy by design that started at the beginning of this decade.”

Ben Hoxie, director of product management at mParticle, said that companies should consider adding PbD to be a production decision.

“My interpretation is to add an operational step and say, ‘do we need this?'” Hoxie said. “Ask, ‘What do we need to complete or product, or add value, or run our business,’ rather than say, ‘Let’s take everything and maybe it will be useful later.'”

“For me, it’s really an operational piece, in the same way that a lot of companies have a security review process. It’s a similar step to say let’s talk to the privacy department and make sure we’re doing this according to the law,” Hoxie said, adding that PbD should prevent companies from developing tools that collect data for data’s sake.

“I think the intention behind that in the GDPR is to avoid companies hoovering up everything they could possibly gather and hoping to find a use for it later,” Hoxie told me. “That’s what they’re trying to get away from. They’re trying to make it so that customer data is carefully and diligently analyzed and assessed before it’s collected, and then it doesn’t live forever.”

Janrain’s Barr said that with the advent of stronger privacy laws like GDPR, companies that don’t implement privacy by design at the beginning of the development process will face a much harder task than if it was simply built in:

Today, we are entering the era of consumer privacy advocacy. Where a decade ago software vendors were enamored with emerging technology’s ability to collect invaluable personal data unbeknownst to consumers, customers now want a say in how their personally identifiable information (PII) is collected and used. GDPR and similar regulations around the globe are amplifying their voice. Now, there will be a financial hit to a brand’s bottom line if it does not get data privacy right, in the form of a reputation hit or fines.

Unfortunately for vendors that didn’t incorporate PbD into their designs from the beginning, it’s much harder to “retrofit” existing applications than bake privacy by design into a product from the outset. It is not unlike auto manufacturers that didn’t prioritize energy efficiency in the 1970s. When regulations and economics began to promote fuel economy in the 1980s and beyond, they found themselves at a disadvantage vis-a-vis competitors that built efficiency into their design.

Forrester’s Khatibloo said that PbD will be good for businesses and users.

“Privacy by design is good business practice. And I think, in the not-too-distant future, that practices like privacy by design and contextual privacy will be trumpeted as proudly as ‘cruelty-free’ and ‘American-made’ are in consumer products today. Marketers would do well to start shifting their data collection and use practices in that direction today,” she said.