By Claudia Cunha, DPO and Head of Legal at CESAR
Concerns about data privacy and protection have become increasingly important in recent years. With many countries implementing new regulatory requirements, it is essential for software-development teams at global tech companies to be aware of these regulations and how they impact the development of software to ensure compliance. Some of the world’s strictest ones are GDPR in the European Union, new health data regulations in the U.S., California’s Consumer Privacy Act (CCPA), and Brazil’s General Data Protection Law (LGPD).
For example, under the GDPR, companies can face fines of up to four percent of their global revenue for non-compliance. The CCPA provides for fines of up to $7,500 per violation, and Brazil’s General Data Protection Law includes strict penalties for non-compliance – which may reach up to two percent of their global revenue, limited to approximately $10 million per violation, depending to how much damage resulted from the improper handling of data.
Earlier this year, the CNIL – France’s data protection authority – announced a fine of three million euros against mobile game developer Voodoo for using an essentially technical identifier that tracks browsing habits for advertising purposes without the users’ consent. In May, the EU fined Meta a record $1.3 billion because it violated Europe’s GDPR guidelines by transferring the personal data of Facebook users based in the EU to servers in the U.S. In July, a small company in Brazil was announced the first case of a fine being imposed for violating Brazil’s law – a clear sign that not only tech giants need to comply with new privacy laws.
“Privacy by Design”: A Proactive Approach to Data Privacy
It is worth noting that there is a collateral effect when compliance laws are imposed: Big companies, those more likely to be under the scrutiny of auditing organizations, need to be legally compliant; as a natural consequence, they demand the same level of compliance from their suppliers, that, in their turn, force their own suppliers to do the same. Thus, a whole ecosystem of organizations will be impacted by the need for compliance of a single company.
When we extrapolate this scenario to the context of international businesses, the same happens: if one country (or a group of countries, like the European Union) adopts it, countries that act as suppliers of the region will have to adjust as well. With the data privacy legal framework, the same cascading effect happens, which makes the regulations more rapidly adopted and enforced throughout the world. Thus, it is easy to realize that they are now a general concern, imposed to a variety of companies and sectors.
To address this challenge, global organizations can build “privacy by design” into their new applications so they can be used in different regions around the world with varied regulations. In essence, the best way for developers to address data-privacy regulations is to take a proactive approach by building privacy protections into the design of their systems from “the ground up.”
This approach, known as Privacy by Design, allows developers to anticipate data-privacy requirements and build them into their applications before they are released, thus avoiding the need for costly retroactive fixes. By focusing on privacy from the beginning, global organizations can avoid potential fines and penalties associated with data breaches or non-compliance.
Core Principles of “Privacy by Design”
To apply Privacy by Design principles, developers should consider a number of factors during the design and development process, including data minimization, user consent, and transparency. For example, developers can use techniques such as data masking or de-identification to limit the amount of personal data collected, preserving user privacy.
Privacy by Design (PbD) was first coined by Ann Cavoukian, PH.D., back in the 1990’s, and its principles are embedded in privacy laws, such as GDPR and LGPD. The whole idea of PbD is to avoid bad privacy events from ever happening – and not fixing them after they are already in place. In order to guide users in this path, PbD relies on seven core principles:
- Proactive not Reactive; Preventative not Remedial
The idea is to anticipate undesired events, such as data-privacy incidents. This relies on a good risk management approach, with a good scenario analysis; thus, the mission here is to act before the risk materializes.
- Privacy as the Default Setting
The default behavior is to offer privacy; if nothing is done by the user of a certain solution, this person’s privacy is protected and no action is required from the data subject, to ensure privacy. The solution must have data privacy as a default.
- Privacy Embedded into Design
Because of its “by design” approach, privacy is expected to be embedded into systems and practices – and it should never be seen as an added feature.
- Full Functionality — Positive-Sum, not Zero-Sum
This principle states that all dichotomies should be avoided; it is not a situation of one side winning over the other. The idea is to minimize trade-offs, with privacy being seen as a competitive advantage.
- End-to-End Security — Full Lifecycle Protection
One of the concerns, when processing personal data, is keeping the information safe. Thus, it is quite relevant to have strong security measures in place that ensure personal data is properly processed – from the moment it is collected until it is destroyed – a full lifecycle protection.
- Visibility and Transparency — Keep it Open
This principle states that data will be processed as planned and give visibility to data subjects regarding everything that may affect their privacy. Moreover, this guideline contemplates the relevance of verifying that this commitment is achieved.
- Respect for User Privacy — Keep it User-Centric
At the end of the day, privacy is about individuals; thus, it is essential to bear in mind it is an individual’s fundamental right that is being dealt with, and the whole process must be user centric.
When software is designed for privacy, tech vendors can provide clear, concise information about the data they collect, how it is used, and who it is shared with; giving users the ability to make informed decisions about their data. In addition to these important considerations, developers must consider the R&D methodology they apply during the design process.
The Agility of “Privacy by Design” in Adapting to Regulatory Changes
An agile approach, for instance, can be beneficial in providing rapid feedback from users. Moreover, performance testing should be conducted to ensure that software applications meet both functional and non-functional requirements under various loads to confirm that privacy requirements are not unintentionally sacrificed.
Real-world examples on how this advice can save companies money, avoid fines, and speed rollouts of new applications around the world include the likes of Netflix. The streaming giant began to implement practices that aligned with GDPR principles in anticipation of the regulation’s arrival. This has saved Netflix compliance costs and sped up the delivery of new services into EU markets to capture more regional share and revenue ahead of competitors.
On the other hand, the fine imposed on Meta, mentioned above, was very much related to the lack of Privacy by Design, since it mishandled people’s data, when transferring it between Europe and the United States.
Privacy by Design is a vital approach for software developers at global tech companies in navigating regulatory requirements related to data privacy. By applying the principles of data minimization, user consent, transparency, R&D methodology, and collecting and analyzing user feedback, tech R&D leaders can adapt and refine their operations to be in line with ever-changing regulations, protect user privacy, avoid hefty fines, and deliver high-quality applications into various markets, allowing for seamless deployment in those regions.
For a deeper understanding of these concepts, check out the video by Claudia Cunha, DPO and Head of Legal at CESAR, where she discusses even more in detail: