The Spanish Data Protection Agency has published a guide to facilitate the application of the privacy by design principle

The General Data Protection Regulation (EU) 2016/679, established data protection by design and by default (PbD) as a legal obligation that every data controller must comply with. Implementing this principle in practice may be a complicated task, given its generic nature and the difficulty of finding technological solutions that truly turn privacy into an integral part of companies' products and/or services.

It is a highly practical document that begins defining the foundational principles of PbD:

  1. Proactive not Reactive; Preventative not Remedial
  2. Privacy as the Default
  3. Privacy Embedded into Design
  4. Full Functionality – Positive-Sum, not Zero-Sum
  5. End-to-End Security – Lifecycle Protection
  6. Visibility and Transparency
  7. Respect for User Privacy
It continues explaining that the PbD must be seen as a comprehensive sum of risk approach and proactive accountability, and in addition to the security risks (confidentiality, integrity and availability), it adds three new protection objectives: i) unlinkability, ii) transparency and iii) intervenability.

These six protection objectives constitute an overall framework of protection in the processing of personal data and determine, as a result of an assessment of the risks involved, other non-functional attributes or requirements to be met by the system which become the gateways to privacy by design processes.

Following the results of the risk assessment, controllers must use privacy engineering which is the use of engineering knowledge and techniques to systematically address risks associated with planned and authorized functioning of systems that collect, use and disclose personal information. In order to better understand this concept, the guide explains what Privacy Design Strategies, Design Patterns and Privacy Enhancing Technologies are and includes an extensive list of different strategies for the practice.

Ensuring privacy and establishing a governance framework that guarantees the protection of personal data does not represent an obstacle to innovation. Quite the opposite, it offers advantages and opportunities for all participants (controllers, suppliers, product and application developers, device manufacturers and data subjects).

Latest insights

More Insights

The key regulations and the burden of proof for product and manufacturer preferences in public tenders

Feb 28 2024

Read More
high vis

Commissioning construction works to be completed by a third party in the event of a non-performing (sub)contractor

Feb 28 2024

Read More
patent brexit

Council of State rules again on the invalidity of quality certificates after Brexit

Feb 28 2024

Read More