Although I have 25 years’ experience as a consultant, trainer and auditor in the field of ISO management systems, I have thoroughly enjoyed the above webinar; very clear texts and explanations meeting my expectations!
I have one question related to Privacy by design and privacy by default; this was already bothering me when I followed training regarding GDPR: although it may be my fault, it is still not yet clear what the exact difference(s) is/are between both approaches. Perhaps some example could highlight the differences.
Data Protection By Default and By Design is one of the key principles in GDPR, as stated by Article 25 and recital 78 (Appropriate Technical and Organisational Measures). Article 25 GDPR actually focuses on the implementation of the data protection principles stated in Article 5 GDPR through a proactive approach. It mentions that “the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects”. Thus, according to Article 25 GDPR, data protection must be thought of as ex-ante.
Privacy by design is a concept first mentioned in 1995 by Ann Cavoukian, former Information & Privacy Commissioner, Ontario, Canada, and it encompasses 7 principles:
1. Proactive not reactive; preventive, not remedial
2. Privacy as the default setting
3. Privacy embedded into the design
4. Full functionality – positive-sum, not zero-sum
5. End-to-end security – full lifecycle protection
6. Visibility and transparency – keep it open
7. Respect for user privacy – keep it user-centric
Her work shaped the modern privacy and personal data protection regulations today.