This blog post is written by our privacy expert and lawyer, Kristinn Gylfason at Dattaca Labs, Iceland
The General Data Protection Regulation (GDPR) is probably the most talked-about legislation in tech and marketing over the past several years. This is in part because it affects business in many important ways.
When companies start, whether they are actual start-ups or not, they should always keep in mind designing privacy into their products and services. Otherwise, complying later with GDPR becomes far more complex, largely due to legacy systems that pay privacy little or no attention. Simply put, if privacy is integrated into a product or service from the get-go, it simplifies your life later down the road.
What is “Privacy by Design”?
The phrase is marketable and catchy, but what does it stand for? Well, it basically stands for what it says on the tin. Firstly, it means you should keep the requirements of relevant privacy legislation (GDPR, HIPAA and so on) front of mind whilst making design decisions for your products and/or services. That involves, for example, choosing the best cloud storage solution for your data. In the case of GDPR, your life is simpler if that solution is a company whose servers are located within the EU/EEA, or someone whitelisted by authorities to store data via, e.g., the Privacy Shield program. The right decision here, early on, will spare your company risky and possibly expensive data transfers later on.
Secondly, once an individual starts to use your product or service, you should make the default settings “maximum privacy”. If you wish to have other settings available, have the individual choose them. The benefit of this is that the individual is much more likely to trust you and your product/service. Showing that you have nothing to hide, especially in this day and age, is very important.
Why Choose VAT?
Privacy by design will not just simplify your life once you’ve grown into a full-blown company. You will also benefit from the trust you created by setting everything to “max privacy” from the start. You can always point people to other possible settings and use that opportunity to tell people how and why you process their personal data.
This approach eliminates the possibilities for you to gather data and sell it to a third party, without explicit consent. (This is illegal anyway, so why would you?) It makes your users active in the processing of their own personal data. Therefore, this could and should be value adding. The tax is … getting professional advice on privacy and how it could be implemented into your design.
It’s worth it!
Let’s take an example. You register for an app. It has everything set to the max as a default. You then want to participate in a chat with other users. To do that, parts of your personal data would have to be shared with third-party service providers (storage of chat logs) and other users. The chatting ability is available for everyone, but is turned off by default once you download the app. The provider could point out the option and should also provide sufficient information to you about the handling of personal data, if you wish to turn on the chat function. You can then make up your own mind on whether or not you want your personal data handled in the described way.
It’s up to you!
The provider has done the groundwork and set up a secure way for you to chat with other users. But you make the final decision, based on your own knowledge.