The General Data Protection Regulation brings a number of important changes in 2018, and organisations have a lot to do to become and remain compliant. One such change is the requirement for privacy by design. Privacy (and data protection) by design and by default is written into Article 25 of the EU GDPR.
Privacy by design means that any activity a company undertakes that involves processing personal data must take data protection and privacy into account at every step. This includes internal projects, product development, software development, IT systems and much more. In practice, the IT department, or any other department that processes personal data, must ensure that privacy is built into a system throughout the whole life cycle of that system or process. Until now, bolting security or privacy features on at the end of a long development process has been fairly standard practice; that approach no longer meets the requirement.
Privacy by default means that once a product or service has been released to the public, the strictest privacy settings apply by default, without the end user having to change anything. In addition, any personal data the user provides so that the product can work properly should be kept only for as long as is necessary to provide the product or service. If more personal data is collected or made accessible than is necessary to provide the service, privacy by default has been breached.
To take a common example: if you sign up for a new social media account and find that far more of your profile information has been shared by default than you expected, the service has breached the regulation. For a social media account, the essential information is your name and your e-mail address; your age and location, for example, are not essential. Only the essential information should be processed by default, and anything beyond it should be shared only when you choose to share it.
Data protection is now an integral part of technological development and of how the product or service is delivered. The GDPR does not prescribe how you implement these changes, but for many organisations adopting a privacy by design approach will require a significant change in culture.
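As an added illustration of the privacy by default points above (this is not code from the original page, nor from any particular product), the following Python sketch models a hypothetical account service that starts from the strictest settings: it collects only the fields it needs, exposes nothing to other users until the owner opts in, and discards stored data once its purpose-bound retention period has run out. The service, the field names, the sample sign-up data and the retention periods are all assumptions chosen for the example.

```python
"""Privacy-by-default sketch: strict defaults, data minimisation, bounded retention.

Added illustration. The account service, field names and retention periods
below are assumptions for the example, not anything the GDPR text prescribes.
"""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone
from typing import Any, Callable, Dict, FrozenSet, List, Optional

# Data the hypothetical service genuinely needs in order to provide an account.
REQUIRED_FIELDS: FrozenSet[str] = frozenset({"name", "email"})
# Data the user may volunteer; never required and never exposed by default.
OPTIONAL_FIELDS: FrozenSet[str] = frozenset({"age", "location"})


@dataclass
class Profile:
    name: str
    email: str
    age: Optional[int] = None
    location: Optional[str] = None
    # Strictest default: nothing is visible to other users until the owner opts in.
    visible_fields: FrozenSet[str] = field(default_factory=frozenset)


def create_profile(submitted: Dict[str, Any]) -> Profile:
    """Build a profile from a sign-up form while enforcing data minimisation.

    Required fields must be present, optional fields are stored only if the user
    supplied them, and any other field is rejected rather than silently kept.
    """
    missing = REQUIRED_FIELDS - submitted.keys()
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    unexpected = submitted.keys() - (REQUIRED_FIELDS | OPTIONAL_FIELDS)
    if unexpected:
        raise ValueError(f"refusing to collect unnecessary data: {sorted(unexpected)}")
    return Profile(**submitted)


def opt_in_to_share(profile: Profile, field_name: str) -> Profile:
    """Widen visibility only on an explicit user action.

    Only data the user actually provided can be shared, and the e-mail address
    is never made visible to other users in this example.
    """
    shareable = (REQUIRED_FIELDS | OPTIONAL_FIELDS) - {"email"}
    if field_name not in shareable:
        raise ValueError(f"{field_name!r} cannot be made visible to other users")
    if getattr(profile, field_name) is None:
        raise ValueError(f"{field_name!r} was never provided by the user")
    profile.visible_fields = profile.visible_fields | {field_name}
    return profile


def public_view(profile: Profile) -> Dict[str, Any]:
    """What another user sees: only the fields the owner explicitly opted to share."""
    return {name: getattr(profile, name) for name in sorted(profile.visible_fields)}


@dataclass
class StoredItem:
    """Personal data held for one stated purpose with a fixed retention period."""
    purpose: str
    value: str
    stored_at: datetime
    retain_for: timedelta

    def expired(self, now: datetime) -> bool:
        return now >= self.stored_at + self.retain_for


def purge_expired(items: List[StoredItem], now: datetime) -> List[StoredItem]:
    """Keep only items still inside their retention period; the rest are dropped.

    Retention is tied to the purpose the data was collected for, not left open.
    """
    return [item for item in items if not item.expired(now)]


def rejects(fn: Callable[..., Any], *args: Any) -> bool:
    """True if calling fn(*args) raises ValueError (used to check refusals)."""
    try:
        fn(*args)
    except ValueError:
        return True
    return False


def retention_demo() -> List[str]:
    """Constructed sample: a stale verification token and a recent audit entry.

    Returns the purposes of the items that survive the purge at the chosen time.
    """
    now = datetime(2018, 5, 25, tzinfo=timezone.utc)  # assumed reference time
    items = [
        StoredItem("email-verification token", "tok-1", now - timedelta(hours=25), timedelta(hours=24)),
        StoredItem("login audit", "203.0.113.7", now - timedelta(days=1), timedelta(days=30)),
    ]
    return [item.purpose for item in purge_expired(items, now)]


if __name__ == "__main__":
    profile = create_profile({"name": "Ada", "email": "ada@example.com", "age": 36})
    print("default public view:", public_view(profile))        # {}
    opt_in_to_share(profile, "age")
    print("after opting in to share age:", public_view(profile))  # {'age': 36}
    print("retained after purge:", retention_demo())            # ['login audit']
```

Three properties carry the weight here: the default `visible_fields` is empty, so a fresh profile exposes nothing to anyone else; `create_profile` refuses fields the service has no stated need for instead of keeping whatever a form happens to send; and every `StoredItem` carries a retention period chosen for its purpose, so deletion is a routine outcome rather than something that needs a separate decision later.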
If you are interested in learning more about Privacy by Design we have a one day training module as part of our European Certified Data Protection Officer Programme.