GDPR & AI: PRIVACY BY DESIGN IN ARTIFICIAL INTELLIGENCE

Silo AI
3 min read · Mar 2, 2018

Article by Erlin Gulbenkoglu, Data Protection Expert of Silo.AI

With May 25th and the General Data Protection Regulation approaching fast, we are hearing more and more about it. Much has been discussed about its extraterritorial applicability, the wide range of rights given to data subjects, the transfer of personal data outside the EU, and much more.

One key change that the GDPR will bring is the obligation to integrate privacy into systems and operations when processing personal data. This definitely requires both an exhaustive understanding of privacy and its practices and serious work on the topic.

The concept of ‘Privacy by Design’ was developed by Ann Cavoukian, the former Information and Privacy Commissioner of Ontario, to indicate the philosophy and approach to embedding privacy into the design of information technology, networked infrastructure, and business practices. This concept brings an extensive understanding of principles to achieve privacy.

The purpose of this article is to introduce the concept and explain it by giving examples of its implications for the artificial intelligence sector, in line with Silo.AI’s work on the topic and GDPR compliance. Most of all, it aims to explain how to help prevent organisations from leaving privacy to chance and to encourage them to have it by design instead.

Integrated privacy in the full lifecycle of systems, operations and products

As electronic data about individuals is becoming more and more detailed and as technology allows ever more powerful collection and processing of these data, consumers are getting more cautious about the information they share and want to have more control over it (Public Opinion on Privacy by epic.org).

Some of the most significant findings of the 2016 European Commission study are that the majority of EU citizens think that it is unacceptable to have their online activities monitored and to have companies share information about them, and almost all of the participants think that websites should ask permission to access their information.

It is important to remember that the fundamental reason behind the GDPR is the demands of people in the EU for their privacy rights.

For any business, it is critical to integrate privacy into its systems and operations as well as the end products and services it delivers. This is a direct answer to the consumers’ demand for the protection of their privacy rights, and can be a key selling point for innovative technologies.

As stated before, integrating privacy in the full lifecycle of systems, operations and products will be a requirement with the GDPR. This is stated as the ‘Data Protection by Design and by Default’ concept in the GDPR text and it is explained in Article 25(1) in the lines:

…the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures…

The concept of Privacy by Design

To clarify and make sense of how the GDPR text explains the concept, let’s first dig deeper into ‘Privacy by Design’, which is at the core of the idea of embedding privacy into design. The concept has 7 foundational principles:

  1. Proactive not reactive; preventative not remedial:
    Privacy exists before any privacy-invasive event happens, not after the fact.
  2. Privacy as default setting:
    Privacy is there irrespective of any action; if an individual remains inactive, their privacy still remains intact…

READ MORE ON SILO.AI/GDPR-AND-AI/

https://silo.ai/gdpr-and-ai/
