The European Personal Data Protection regulation introduces several major concepts, one of the most important being the obligation to ensure data protection at concept ion, summed up by the term “Privacy by Design”. Adopting a Privacy by Design approach means integrating the right to privacy, right from project conception, i.e., ensuring the relevance of data collected, understanding the risks to the persons concerned, anticipating information and the rights to it, etc.
The French Data Protection law named “Information and Liberties” (like many other laws about personal data protection from European countries that follow the European directive about personal data protection), via its article 34, already required the person responsible for data processing to “take all the necessary precautions, with regard to the nature of the data and the risks presented by its processing, to preserve the data’s security” but did not explicitly impose the implementation of a Privacy by Design approach. Given this, few organisations have already taken such an approach.
Privacy by Design however allows minimizing the effort made to comply with the law by avoiding a compliance effort later on, usually needing projects to adapt the existing setup, which are difficult organizationally, technologically complex and expensive. Given regulatory deadlines, in order to best handle compliance requirements, the first Privacy by Design initiatives are beginning to multiply. Our experience shows that there are several key success factors to take into account: be super-pragmatic in the definition of a Privacy Impact Assessment, avoid creating a process that does not correlate with the existing one, focus energy on the most sensitive projects and provide tools to project managers.