
EU GDPR Spotlight: Protection by Design and Default


Privacy by Design (PbD) is a well-intentioned set of principles – see our cheat sheet – to get the C-suite to take consumer data privacy and security more seriously. Overall, PbD is a good idea and you should try to abide by it. But with the General Data Protection Regulation (GDPR), it’s more than that: it’s the law if you do business in the EU zone!

PbD has sensible guidelines and practices concerning consumer access to their data, and making privacy policies open and transparent.  These are not controversial ideas, except if you are, ahem, a large Internet company that collects lots of consumer data.

And PbD also dispenses good general advice on data security that can be summarized in one word: minimize.

Minimize collection of consumer data, minimize who you share the data with, and minimize how long you keep it. Less is more: less data for the hacker to take means a more secure environment.

By Design and By Default

While you’re keeping consumer data, according to PbD, you also should have “end-to-end” security in place. Privacy is supposed to be baked into every system that handles the data.

These all seem like reasonable things to do. Various security best practices and standards — for example, PCI DSS and CIS Critical Security Controls — have been offering similar PbD-like security recommendations.

However, the EU has been way ahead of the US in making PbD principles part of their data regulations. In fact, the existing Data Protection Directive, the current law, contains PbD principles in various places – particularly data minimization and giving consumers the right to access and correct their data.

The new GDPR, which will go into effect in 2018, retains the existing rules on data and then goes a step further. PbD is explicitly spelled out in article 25, “Data protection by design and by default”.  Here are two relevant passages:

… implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing…

The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage ..

Got that? Limiting and minimizing are now the law of the land with respect to data. (I’ll talk about pseudonymization in another post. It’s a cool idea that lets you protect data and consumer privacy without having to resort to encryption.)

Impact on Your Marketing Campaign

The new GDPR has direct, practical implications. Just as an example, consider the impact it will have on web-based marketing.

Businesses are always trying to get information about their customers and looking to bring in new leads using the full digital arsenal — web, email, mobile. And when given half a chance, marketers always want more data — age, income, zip code, last book read, favorite ice cream, favorite food, etc. — even for the simplest consumer interaction.

What the EU GDPR says is that marketers should limit data to the purpose for which it is being collected — do I really need zip codes or favorite books? — and not retain the data beyond the point where it’s no longer relevant.

So the data points you collected from that web campaign over five years ago — maybe containing 5000 email addresses along with favorite pet names — now live in a spreadsheet no one ever looks at? Well, you should find it and delete it.

If a hacker gets hold of it and uses it for phishing purposes, you’ve created a security risk for your customers.

Plus, if the local EU authority can trace the breach back to your company, you can face heavy fines.


Andy Green


Andy blogs about data privacy and security regulations. He also loves writing about malware threats and what they mean for IT security.

 
