By: Kendall PC
March 28, 2022

What Are the 7 Principles of Privacy By Design?

Consumer privacy and security protections are essential at every stage of product and program development. According to the FTC, the privacy by design baseline principle demands the promotion of consumer privacy throughout organizations and at every stage of the development of products and services. Privacy by design is an approach to operationalizing privacy within systems, products, and business processes. Incorporating the principles of Privacy by Design can help to enhance the protection of consumer data and minimize future legal and regulatory privacy risks. 

The data protection and privacy lawyers at Kendall PC help companies with all aspects of privacy and data security. We can advise your business on the development and implementation of Privacy by Design principles with the design and development of new systems, services, products, and technologies.

Seven Principles of Privacy By Design

The concept of Privacy by Design was developed by former Canadian Privacy Commissioner Ann Cavoukian, Ph.D. in the 1990s. It describes a default approach to intentionally incorporating privacy when creating new systems and technologies. At its core, privacy by design champions promoting consumer privacy in every stage of product and program development. In essence, it rejects the notion of privacy as a mere component to be checked off as an afterthought during technological development, and instead treats it as a priority around which the technology, process, or program is developed. Privacy by design consists of seven foundational principles, which include the following:

1. Proactive not Reactive; Preventative not Remedial

This principle focuses on anticipating and preventing privacy breaches and other invasive events before they occur. When privacy is integrated into a product from the beginning of the design process, it helps ensure that security is prioritized. 

2. Privacy as the Default

This principle aims to build the maximum degree of privacy into the default settings for a business system or practice. This ensures that personal information is inherently protected in any business practice or system and that, by doing so, a user’s privacy is maintained even in instances where the user chooses to do nothing on their own initiative concerning privacy. 

When logging into software, opening an application, or browsing a website, users should not have to be concerned about their privacy settings. The Privacy as the Default principle aims to mitigate such concerns by automatically applying the highest level of protection to users’ privacy, regardless of whether users ever interact with those settings. These settings can include:

  • Security: Appropriate organizational and technical measures are implemented, such as integrity and encryption to ensure confidentiality.
  • Retention, use, and disclosure limitations: Collected data will not be used for any purpose other than what the user has allowed. Data will not be kept after it is no longer needed for the purposes expressed to the user. Unless it is required to achieve the purpose for which it was collected, data will not be disclosed.
  • Data minimization: Only the absolute minimum amount of necessary data will be collected. Data will not be gathered for the sole sake of collection.
  • Collection limitation: Only the legally permitted types and amounts of data will be collected.

3. Privacy Embedded into Design

The privacy embedded into design principle states that privacy should be rooted in the design and architecture of information technology systems and business practices. Further, the principle specifically states that privacy controls should not be bolted on after the fact as an “add-on.”

4. Full Functionality—Positive-Sum, not Zero-Sum

Privacy is often positioned as a zero-sum proposition that must compete with other interests, technical capabilities, and design objectives. The full functionality – positive-sum, not zero-sum principle rejects this idea and instead strives to accommodate non-privacy objectives in an innovative, positive-sum way. Specifically, the principle recommends that organizations accommodate all legitimate interests and objectives, including both privacy and security, rather than trading one off against the other.

5. End-to-End Security—Lifecycle Protection

The fifth principle requires organizations to embed strong security measures throughout the entire lifecycle of data to ensure secure management of the information from beginning to end. From a practical perspective, this means that security should be a priority at every stage of a data processing system. From the moment it enters a system, information should be protected, safely retained, and then properly destroyed when it is no longer needed for the purpose for which it was collected.

Security standards must ensure the integrity, confidentiality, and availability of personal data throughout its lifecycle, including access control, appropriate encryption, logging methods, and data deletion.

6. Visibility and Transparency – Keep it Open 

The visibility and transparency principle of privacy by design articulates that organizations should assure their stakeholders that their privacy standards are open, transparent, and subject to independent verification. Systems are easier to improve when users and other relevant parties are allowed to see how information flows through them. Compliance, transparency, and accountability are necessary to ensure secure and effective systems. By being clear about a system and its level of security, organizations can build trust and take accountability. Privacy by design states that organizations should strengthen security operations through well-known processes and external validation.

7. Respect for User Privacy – Keep it User-Centric

Privacy by design puts user privacy at the forefront of its principles. The seventh principle demands that organizations protect the interests of users by offering strong privacy defaults, appropriate notice, and empowering, user-friendly options. Optimizing systems for users and their needs may include:

  • Consent: Users should give consent for their personal data to be processed for one or more specific purposes. This consent may also be withdrawn later.
  • Access: Individuals should be able to access information about the personal data an organization is processing about them.
  • Accuracy: Personal data should be current, accurate, and complete.

How To Implement Privacy by Design

Privacy by Design begins with an emphasis on security and privacy throughout the design process of a new system. This allows the system to work securely and smoothly from the onset.

The FTC endorses privacy by design programs that:

  • Maintain comprehensive data management procedures throughout the product lifecycle
  • Incorporate the following substantive privacy principles into product design and development:
    • Data security
    • Reasonable collection limits
    • Sound retention practices
    • Data accuracy 

Learn How a Data Protection and Privacy Lawyer Can Help

The data protection and privacy lawyers at Kendall PC provide strategic legal services for companies of all sizes. We can help your business ensure consumer privacy and security protections in every stage of your company’s product and program development.

Contact us today online or at (484) 414-4093. We serve small, midsized, and emerging companies throughout the United States and across the globe.
