Here are some of the practical aspects and key concepts to consider when implementing privacy by design and by default on a website

Ensuring data protection by default in your company is no easy task. Here is a guide with some of the main criteria to be taken into account. A big help to achieve this is the new guide provided by the Spanish Data Protection Agency, on privacy by design, which helps us to understand the concept and provides practical examples for the development of the principle. Also, the European Data Protection Board (EDPB) has published a guide to data protection by design and by default.

Key concepts

Among the new concepts established by the Spanish Data Protection Agency guide, based on the founding principles of privacy by design, the document points out three key items:

  1. Unlinkability: seeks to ensure that information is processed in such a way that personal data from one processing domain cannot be linked to personal data from a different domain or that the establishment of such a link would involve a disproportionate effort.
  2. Transparency: seeks to clarify the processing of the data so that the collection, processing and use of the information can be understood and reproduced by any of the parties involved and at any time during the processing.
  3. Intervenability: guarantees the possibility that the parties involved in the processing of personal data and, above all, the subjects whose data is processed, may intervene in the processing when necessary to apply corrective measures to the processing of the information.

Practical advice

Beyond the content of the guide, here are some practical aspects that help to implement privacy by design and by default:

  • The privacy of individuals must be protected by default, so that it remains intact, unless the person concerned takes specific and concrete actions. A practical example to understand the concept is accepting privacy terms when registering on a portal, where the user must check or perform an action to accept those terms. In no case should they be shown as accepted by default such as with a previously marked check.
  • Similarly, the data privacy and protection notices must be written in a simple, understandable and concise manner; they should not be so long that reading them takes too much time, leading the user to accept the conditions out of sheer boredom. A long clause should not be used to bury unclear purposes and uses in an endless number of paragraphs in order to make the user accept processing activities unrelated to the main purpose, or transfers and other processing by third parties that are not part of the main terms.
  • Find consistency between the purpose of the processing and the information collected, applying data minimization. In this sense, the level of restriction of the free text fields to be implemented in the software must be considered, as well as not developing fields and/or drop-downs to register unnecessary data.
  • Access to the user’s own information, developing private areas where the user can easily access the personal information registered and even provide options such as:
    • Make it easy to adjust privacy from within the application.
    • View the last login time.
    • Make it possible for the user to customize something in their own private area in a way that allows them to detect a fake page.
    • Have access to their personal data and be able to modify or request the modification of incorrect data. In any case, provide the means to exercise their rights in the entity.
  • Make the record of processing activities easily accessible, as well as data protection terms and conditions through links that are always visible in the user’s web navigation, usually in the footer.
  • Whenever the data of the interested party is collected, the age must be requested and, if the interested party is a minor, it will not be possible to register them directly. To register a minor, a means must be provided for the parents or legal guardians to send express authorization.
  • Consent given by telematic means, i.e. the web user accepting the information relating to data protection, must be registered expressly in the database so that the consent given can be proven.
  • The user must always be informed of the use of cookies and, in particular, it must be easy for the user to decline to have data captured and still continue browsing. The use of cookies must be clearly communicated, especially when third-party services are used (e.g. Google Analytics).
  • Web hosting carried out by third parties must be explicitly described and especially for suppliers who provide services outside the EU.
  • Privacy in the development life cycle. It is recommended to reflect the level of security of the data handled from the requirements stage of information systems development, along with the need to keep or update a Record of Processing Activities and/or to conduct or update an impact analysis. The technical information must clearly describe:
    • The functional scope and purpose for which the apps have been developed, identifying the groups for which the information is intended and the objectives pursued with respect to these groups.
    • Sensitivity level of the data.
    • Security level of the app following ENS criteria.
    • The need for the use of personal data in tests, and the convenience of establishing anonymisation and pseudonymisation mechanisms for activities in test environments, will be assessed.
    • The architecture of the solution will allow the coexistence of apps so that they share master data used in a common way by all of them, without the need to replicate user information (Master Databases). This architecture should in any case control which user data is accessible from one app or another depending on the consent given.
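An added example (not code from the article or from the AEPD/EDPB guides) of how express consent could be registered server side so that it can later be proven: the handler refuses a missing or pre-filled checkbox and stores each acceptance with the terms version and time. The HMAC chain over the rows is an assumption added here to make later edits to the log detectable; `AUDIT_KEY`, `record_consent` and `verify_log` are hypothetical names.

```python
import hashlib
import hmac
import json
from datetime import datetime, timezone

# Hypothetical secret for the audit log (assumption: in a real system this
# comes from a key management service, never from source code).
AUDIT_KEY = b"constructed-demo-key-do-not-use"

# In-memory stand-in for the consent table; each row is one acceptance.
consent_log = []


def record_consent(user_id, form_fields, terms_version, now=None):
    """Register an express consent action so it can be proven later.

    form_fields is the submitted web form. Consent is only valid when the
    user actively ticked the box (value "on"); an absent field, or a page
    that pre-marked the box, must not be treated as consent.
    """
    if form_fields.get("accept_privacy_terms") != "on":
        raise ValueError("consent not given expressly; refuse registration")
    ts = (now or datetime.now(timezone.utc)).isoformat()
    row = {
        "user_id": user_id,
        "terms_version": terms_version,  # which wording was accepted
        "accepted_at": ts,
        "source": "web_form",
        # Link to the previous row so deletions or reordering are detectable.
        "prev_mac": consent_log[-1]["mac"] if consent_log else "",
    }
    payload = json.dumps(row, sort_keys=True).encode()
    row["mac"] = hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()
    consent_log.append(row)
    return row


def verify_log():
    """Recompute the chain; True only if no row was altered or removed."""
    prev = ""
    for row in consent_log:
        body = {k: v for k, v in row.items() if k != "mac"}
        if body["prev_mac"] != prev:
            return False
        payload = json.dumps(body, sort_keys=True).encode()
        expected = hmac.new(AUDIT_KEY, payload, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, row["mac"]):
            return False
        prev = row["mac"]
    return True
```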

Mobile developments

In the case of mobile developments, do not collect excessive information (geolocation data, the user's contacts), and also consider the following aspects:

  • Updates must always be informed and not run in the background without the user’s prior acceptance.
  • Do not collect user information on social networks for the use of the app.
  • Personal information in the app must be kept encrypted on the mobile phone.
  • The app must allow privacy settings.
  • The user must be able to access and modify their registration data at all times, and also to view the applicable privacy terms at any time.

At Sothis we help companies to implement data protection regulations, developing the legal principles from a practical point of view and aimed at the processing of personal data specific to our clients.