The concept of privacy by design was developed in the 1990s by Dr. Ann Cavoukian, former Information and Privacy Commissioner of the Province of Ontario, and gained prominence with the arrival of European data protection legislation, the GDPR (General Data Protection Regulation). The Privacy by Design framework is incorporated into both the GDPR and the LGPD (the Brazilian model). Its basic principles are:
(1) Companies must adopt a proactive rather than a reactive approach (prevention principle);
(2) Privacy must be incorporated into the measures adopted by design for the protection of data subjects (privacy as the default);
(3) Systems, services and products must protect the personal data of their holders (privacy embedded into design);
(4) Companies should not expect more data than necessary (full functionality);
(5) End-to-end security must be designed in (protection of the full information lifecycle);
(6) Companies must be endowed with visibility and transparency; and
(7) User privacy must be respected (user-centric solution).
The first principle says that companies must prevent any harm arising from the collection of data. This methodology seeks to avoid data leakage or any other incident involving data before it occurs. The cost of remediation can substantially outweigh the cost of prevention: privacy protection is a better investment than bearing all the expenses of cleaning up after a bad event.
The second principle says that the protection and privacy of personal data must be incorporated into all of the company's project implementation processes, from the conception of a product onward. It is concerned with guaranteeing data privacy at every stage of implementation, not only at the launch of a service, product, or practice.
The third principle relates to the functionality of the service made available to users. Privacy must be an essential component of the system without diminishing its functionality. By default, the system's data protection must be switched on: the user should not have to configure protection for their data before starting to use the system. Rather, the system must be prepared from the outset to protect the data it collects.
The fourth principle is that the data collected must be essential and fundamental to a specific purpose, and its collection must be transparent and limited to fulfilling that purpose.
The fifth principle concerns all of the company's privacy interests and objectives. It goes beyond internal privacy matters and includes seeking solutions in other areas, such as avoiding damage to the company's image, its contracts and more. From collection to destruction, the rights of the parties and third parties involved in the data collection must be protected.
The sixth principle regards trust and accountability. There must be transparency about how data is processed, and privacy policies must be accessible. Independent entities can carry out audits to verify that the information is being protected. All of this demonstrates that the company is properly accountable.
And finally, the last principle is to put the user's interests first, taking into account the user's consent to access to the data, the accuracy of the data, and the implementation of compliance mechanisms.
In the LGPD (the Brazilian law), Privacy by Design can be found in Article 46, which states:
“Art. 46. Processing agents must adopt security, technical and administrative measures capable of protecting personal data from unauthorized access and from accidental or unlawful situations of destruction, loss, alteration, communication or any form of inappropriate or unlawful processing. (…)
§ 2 The measures referred to in the caput of this article must be observed from the design phase of the product or service until its execution.”
In European legislation, it is found in the GDPR in Article 25, "Data protection by design and by default":
“Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures, such as pseudonymization, which are designed to implement data-protection principles, such as data minimization, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects”.
The evolution of information protection must not be neglected. The General Data Protection Law is a reality, and companies have started the adaptation process. Those who are not careful can face fines and liability for damages in the event of a security failure.