BIG SCHOOL OF GDPR – LESSON 9: Integrating privacy in process and IT systems design - Privacy by design
Effective integration of privacy into all business processes is only possible by raising awareness of the importance of personal information, the benefits its processing brings to an individual and to society, and the negative impact that unethical use of personal data can have.
It is quite clear that the process of integrating privacy into society will take years. Organizations that manage personal information must lead this process, not only because it is good for society but also because the GDPR expects this approach. What does it look like in practice?
DPIA in mind
In the last lesson, we described the DPIA, the data protection impact assessment. Intensive education of the employees responsible for managing, designing, establishing and maintaining business processes will help your organization recognize where personal information needs protection. Ideally, privacy by design is built into every process that can change an existing business process or introduce a new one. A typical real-life situation looks like this:
- The organization is considering introducing a new service and creates a feasibility assessment team. The team need not be formally named as such, nor created solely for that purpose. In small, dynamic organizations this will be a couple of key people talking over coffee; in large organizations it will be a formal team.
- The team notices that the service will have access to personal data. In small organizations this happens only if the team members are aware of the consequences of using personal data; in large organizations the documented feasibility assessment process includes a mandatory step that identifies whether personal data is involved.
- Team members carry out a DPIA to an extent proportional to the impact that a compromise of personal data in the new service would have. If necessary, other experts are consulted.
- The feasibility assessment takes into account, among other things, whether adequate protection of personal data is feasible in the service.
- When designing a service, follow these principles:
  - Do not collect or access personal data that is not necessary for providing the service,
  - Do not store personal information when this is not necessary,
  - Give access to personal data only to those people and systems that really need it, and only to the data they need,
  - Align the level of personal data protection with the DPIA results,
  - Provide the functionality needed to exercise the rights of the data subject (right to be forgotten, portability, processing in line with the consents given …).
- These principles are to be integrated into all design phases. For example, if you are developing an app, the development team must be familiar with these principles and apply them when writing the code (for example, do not use "select * from" to access personal information). Application development teams that access sensitive data should be trained in secure coding.
- Ensure that real personal information is not used in the development and testing process, and if this is not possible, protect it adequately against unauthorized access.
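The following is an added example, not code from the lesson, showing what these design principles look like in a small data-access layer. It uses a constructed in-memory SQLite table with made-up records; the table name, the purposes, the retention period and all function names are assumptions. Every read names its columns explicitly and is bound to a declared purpose (no "select * from"), data older than the retention period is purged, the erasure and portability rights have their own functions, and a pseudonymization helper produces test data that carries no real identifiers.

```python
"""Added example: privacy-by-design data access over a constructed SQLite table.
All names (customers table, purposes, function names) are assumptions."""
import hashlib
import hmac
import sqlite3
from datetime import date, timedelta

# Purpose-bound column allowlists: each purpose sees only the data it needs.
# A purpose that is not listed here gets no personal data at all.
PURPOSE_COLUMNS = {
    "shipping": ("name", "address"),
    "marketing": ("email", "consent_marketing"),
    "support": ("name", "email", "phone"),
}
# Columns handed back to the data subject under the right to portability
# (internal bookkeeping such as last_active is deliberately excluded).
PORTABLE_COLUMNS = ("name", "email", "phone", "address", "date_of_birth", "consent_marketing")
RETENTION_DAYS = 365  # assumption: inactive records are kept one year, as decided in the DPIA

def open_db():
    """Create the constructed table with two fictional records (not real people)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("""CREATE TABLE customers (
        id INTEGER PRIMARY KEY, name TEXT, email TEXT, phone TEXT, address TEXT,
        date_of_birth TEXT, consent_marketing INTEGER, last_active TEXT)""")
    conn.executemany(
        "INSERT INTO customers VALUES (?,?,?,?,?,?,?,?)",
        [(1, "Ana Example", "ana@example.org", "+385000000", "Main St 1", "1990-01-01", 1, "2024-05-01"),
         (2, "Ivo Example", "ivo@example.org", "+385000001", "Side St 2", "1985-06-15", 0, "2021-01-10")])
    return conn

def fetch_for_purpose(conn, purpose, customer_id):
    """Return only the columns allowed for this purpose; never SELECT *."""
    columns = PURPOSE_COLUMNS.get(purpose)
    if columns is None:
        raise PermissionError(f"no personal data access defined for purpose {purpose!r}")
    # Column names come from our own allowlist, so interpolating them is safe;
    # the customer id still goes through a bound parameter.
    sql = f"SELECT {', '.join(columns)} FROM customers WHERE id = ?"
    row = conn.execute(sql, (customer_id,)).fetchone()
    return dict(zip(columns, row)) if row else None

def export_subject_data(conn, customer_id):
    """Right to portability: a structured copy of the subject's personal data."""
    sql = f"SELECT {', '.join(PORTABLE_COLUMNS)} FROM customers WHERE id = ?"
    row = conn.execute(sql, (customer_id,)).fetchone()
    return dict(zip(PORTABLE_COLUMNS, row)) if row else None

def erase_subject(conn, customer_id):
    """Right to be forgotten: delete the record; True if a record was removed."""
    cur = conn.execute("DELETE FROM customers WHERE id = ?", (customer_id,))
    conn.commit()
    return cur.rowcount == 1

def purge_expired(conn, today):
    """Do not store what is no longer necessary: drop records inactive beyond retention."""
    cutoff = (today - timedelta(days=RETENTION_DAYS)).isoformat()
    cur = conn.execute("DELETE FROM customers WHERE last_active < ?", (cutoff,))
    conn.commit()
    return cur.rowcount

def pseudonymize_for_test(record, secret):
    """Replace direct identifiers with keyed HMAC tokens so development and test
    environments hold no real personal data while the same input always maps to
    the same token (referential consistency for joins survives)."""
    out = {}
    for key, value in record.items():
        if key in ("name", "email", "phone", "address", "date_of_birth"):
            digest = hmac.new(secret, f"{key}:{value}".encode(), hashlib.sha256).hexdigest()[:12]
            out[key] = f"{key}_{digest}"
        else:
            out[key] = value
    return out

if __name__ == "__main__":
    db = open_db()
    print(fetch_for_purpose(db, "shipping", 1))
    print(pseudonymize_for_test(export_subject_data(db, 1), b"test-only-secret"))
    print("purged:", purge_expired(db, date.today()))
```

The allowlist is the enforcement point: adding a new purpose forces a decision about which columns it really needs, which is exactly the question the DPIA should already have answered. The pseudonymization key must live only in the test environment and never be the same secret as anything in production, otherwise tokens could be linked back to real records.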
The same principles apply to any change in applications and processes, but all of this fails if you have not identified that personal data is present and needs protection. You can only do that if your organization is aware of the value of personal data.