Concerns about data privacy and protection have become increasingly important in recent years. Some of the world’s strictest ones are GDPR in the European Union, new health data regulations in the U.S., California’s Consumer Privacy Act (CCPA), and Brazil’s General Data Protection Law (LGPD).
For example, under the GDPR, companies can face fines of up to four percent of their global revenue for non-compliance. The CCPA provides for fines of up to $7,500 per violation, and Brazil’s General Data Protection Law includes strict penalties for non-compliance – which may reach up to two percent of their global revenue, limited to approximately $10 million per violation, depending to how much damage resulted from the improper handling of data.
Earlier this year, the CNIL – France’s data protection authority – announced a fine of three million euros against mobile game developer Voodoo for using an essentially technical identifier that tracks browsing habits for advertising purposes without the users’ consent. In May, the EU fined Meta a record $1.3 billion because it violated Europe’s GDPR guidelines by transferring the personal data of Facebook users based in the EU to servers in the U.S.
It is worth noting that there is a collateral effect when compliance laws are imposed: Big companies need to be legally compliant; as a natural consequence, they demand the same level of compliance from their suppliers, that, in their turn, force their own suppliers to do the same. When we extrapolate this scenario to the context of international businesses, the same happens: if one country (or a group of countries, like the European Union) adopts it, countries that act as suppliers of the region will have to adjust as well.
To address this challenge, global organizations can build “privacy by design” into their new applications so they can be used in different regions around the world with varied regulations. In essence, the best way for developers to address data-privacy regulations is to take a proactive approach by building privacy protections into the design of their systems from “the ground up.”
This approach, known as Privacy by Design, allows developers to anticipate data-privacy requirements and build them into their applications before they are released, thus avoiding the need for costly retroactive fixes. By focusing on privacy from the beginning, global organizations can avoid potential fines and penalties associated with data breaches or non-compliance.
To apply Privacy by Design principles, developers should consider a number of factors during the design and development process, including data minimization, user consent, and transparency. For example, developers can use techniques such as data masking or de-identification to limit the amount of personal data collected, preserving user privacy.
Privacy by Design (PbD) was first coined by Ann Cavoukian, PH.D., back in the 1990’s, and its principles are embedded in privacy laws, such as GDPR and LGPD. The whole idea of PbD is to avoid bad privacy events from ever happening – and not fixing them after they are already in place. In order to guide users in this path, PbD relies on seven core principles[1]:
- Proactive not Reactive; Preventative not Remedial
The idea is to anticipate undesired events, such as data-privacy incidents. This relies on a good risk management approach, with a good scenario analysis; thus, the mission here is to act before the risk materializes.
- Privacy as the Default Setting
The default behavior is to offer privacy; if nothing is done by the user of a certain solution, this person’s privacy is protected and no action is required from the data subject, to ensure privacy. The solution must have data privacy as a default.
- Privacy Embedded into Design
Because of its “by design” approach, privacy is expected to be embedded into systems and practices – and it should never be seen as an added feature.
- Full Functionality — Positive-Sum, not Zero-Sum
This principle states that all dichotomies should be avoided; it is not a situation of one side winning over the other. The idea is to minimize trade-offs, with privacy being seen as a competitive advantage.
- End-to-End Security — Full Lifecycle Protection
One of the concerns, when processing personal data, is keeping the information safe. Thus, it is quite relevant to have strong security measures in place that ensure personal data is properly processed – from the moment it is collected until it is destroyed – a full lifecycle protection.
- Visibility and Transparency — Keep it Open
This principle states that data will be processed as planned and give visibility to data subjects regarding everything that may affect their privacy. Moreover, this guideline contemplates the relevance of verifying that this commitment is achieved.
- Respect for User Privacy — Keep it User-Centric
At the end of the day, privacy is about individuals; thus, it is essential to bear in mind it is an individual’s fundamental right that is being dealt with, and the whole process must be user centric.
When software is designed for privacy, tech vendors can provide clear, concise information about the data they collect, how it is used, and who it is shared with; giving users the ability to make informed decisions about their data. In addition to these important considerations, developers must consider the R&D methodology they apply during the design process.
Real-world examples on how this advice can save companies money, avoid fines, and speed rollouts of new applications around the world include the likes of Netflix. The streaming giant began to implement practices that aligned with GDPR principles in anticipation of the regulation’s arrival. This has saved Netflix compliance costs and sped up the delivery of new services into EU markets to capture more regional share and revenue ahead of competitors.
By applying the principles of data minimization, user consent, transparency, R&D methodology, and collecting and analyzing user feedback, tech R&D leaders can adapt and refine their operations to be in line with ever-changing regulations, protect privacy, and avoid hefty fines.