Section Two - introduction to the GDPR
A story about privacy by design (14 minutes)
First, we need to introduce you to some more theory about the GDPR, so we can get into the more juicy parts of this crash course in the next sections.
GDPR - an introduction
In section one we talked about privacy being much more than data protection. However, the world is being datafied at a rapid pace. What used to be just a conversation is now WhatsApp data. That is why data protection is becoming more and more important. Often privacy and data protection are used interchangeably. We will also do this in this section.
Now you know why.
In this section we start by explaining the GDPR (the General Data Protection Regulation). This is a European regulation, but it has a major impact on companies and citizens worldwide. First, watch this short video overview of the GDPR (2 minutes):
Now watch this longer video that will explain the basics of the GDPR, like the terminology, the data processing principles and the lawful bases for processing (7 minutes). This might be a bit more boring, but it is important. And you can put a notebook next to it and write along.
If you want.
We already know why privacy is important. We learned that in section one.
Information or data in our digital age is incredibly important for our privacy. After all, we want to determine by ourselves which personal details we share with others, and how they are used. We don’t want everyone to know what we do or think. We don’t want our boss to know what we discuss with our friends. We don’t want our personal information to be misinterpreted outside the original context. In other words, we want some privacy, please. But that is increasingly less self-evident in a world where digital innovations surround us and literally start to get under our skin. Think about the surveillance capitalists that we discussed in crash course two.
Therefore, data protection is more important than ever. It protects us against intrusive companies and an omniscient government. The goal is to maintain a balance of power between the individual and society. In a democratic state this is not only of personal interest but also of interest to society at large. This is why privacy is a fundamental right. In the videos you saw that strong European laws protect the privacy of all citizens on European soil. Unfortunately, these laws are often complex and vague. They offer little concrete guidance to designers and system developers. This is a problem if you want to design privacy-friendly systems. Or if you want to assess if a technology is privacy-friendly.
Privacy by design
To tackle the problems above there is the privacy by design philosophy, which demands that privacy requirements are taken into account right from the start and throughout the system development life cycle.
Quick question: why is privacy by design not called: data protection by design?
Quick answer: We do not know, but we warned you privacy and data protection are interchanged more and more often.
Privacy by design makes privacy, like security, a software quality attribute. Privacy by design has been a legal requirement since 2018. But you can also use it to go beyond the bare minimum required by law, and use it as an innovative force. But how do you make privacy by design concrete? And how do you apply it in practice? How do you translate vague legal norms into concrete design requirements? There are eight different privacy design strategies, divided into two categories: data-oriented strategies and process-oriented strategies.
And yes, we warned you, it is a bit of theory, but really important to understand if you are designing, assessing, implementing or using digital technology.
The data-oriented strategies focus on the privacy-friendly processing of the data themselves. They are more technical in nature. There are four of them.
- Minimise. Limit as much as possible the processing of personal data (do not ask: "how old are you?" but ask: "are you an adult?").
- Separate. Separate the processing of personal data as much as possible.
- Abstract. Limit as much as possible the detail in which personal data is processed.
- Hide. Protect personal data, or make it unlinkable or unobservable. Make sure it does not become public or known.
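As an added example (not part of the original course material), here is how three of these data-oriented strategies can be applied in code to one constructed record: minimise (birth date becomes an "is adult" flag, as in the example above), abstract (coordinates and timestamps are coarsened) and hide (the e-mail address is replaced by a keyed pseudonym). The record, the reference date and the pseudonym key are assumptions made for the example.

```python
import hashlib
import hmac
from datetime import date

# Constructed sample record, as a service might collect it (not from the page).
RAW_RECORD = {
    "email": "alice@example.com",
    "birth_date": "1990-05-17",
    "gps": (52.37403, 4.88969),
    "visited_at": "2024-03-02T14:23:51",
}
# Assumed reference date (keeps the example deterministic) and an assumed secret
# that the organisation keeps apart from the data store.
TODAY = date(2024, 3, 2)
PSEUDONYM_KEY = b"constructed-demo-key"


def minimise_age(birth_date: str, today: date = TODAY) -> bool:
    """Minimise: keep only 'is adult', not the birth date it was derived from."""
    born = date.fromisoformat(birth_date)
    age = today.year - born.year - ((today.month, today.day) < (born.month, born.day))
    return age >= 18


def abstract_location(lat: float, lon: float, decimals: int = 1) -> tuple:
    """Abstract: coarsen coordinates (one decimal is roughly 11 km, city level)."""
    return (round(lat, decimals), round(lon, decimals))


def abstract_timestamp(ts: str) -> str:
    """Abstract: keep the date of the visit, drop the exact time."""
    return ts[:10]


def hide_identifier(email: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Hide: replace the e-mail by a keyed pseudonym (HMAC-SHA256). Records of one
    person stay linkable to each other, but not, without the key, to the person."""
    return hmac.new(key, email.strip().lower().encode(), hashlib.sha256).hexdigest()[:16]


def apply_data_strategies(record: dict, today: date = TODAY) -> dict:
    """Apply minimise, abstract and hide to one raw record."""
    lat, lon = record["gps"]
    return {
        "subject": hide_identifier(record["email"]),
        "is_adult": minimise_age(record["birth_date"], today),
        "area": abstract_location(lat, lon),
        "visited_on": abstract_timestamp(record["visited_at"]),
    }
```

The resulting record still supports per-user analytics, but no longer contains the birth date, exact position, exact time or e-mail address that the raw record did.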
The process-oriented strategies focus on the processes surrounding the responsible handling of personal data. They deal with the organisational aspects and the procedures that need to be in place. We distinguish the following four.
- Inform. Inform data subjects about the processing of their personal data in a timely and adequate manner.
- Control. Provide data subjects adequate control over the processing of their personal data.
- Enforce. Commit to processing personal data in a privacy-friendly way, and adequately enforce this.
- Demonstrate. Show that you are processing personal data in a privacy-friendly way.
Understanding the principles of the GDPR and the strategies of privacy by design helps you assess the privacy impact of a digital technology.
Take aways from section two:
- Data protection is subject to the GDPR;
- The principles of the GDPR are very important but can be vague to apply;
- That is why there are privacy by design strategies;
- These strategies help you to assess the impact of a technology on privacy and data protection.