On privacy by default

Mira Nova
Published in #Privacy_Issues, Jun 19, 2020

Privacy by default and privacy by design are regulatory requirements organisations must implement if they want to be compliant with the EU’s General Data Protection Regulation (GDPR).

Article 25 of GDPR states that only personal data that is strictly necessary for a specific purpose should be processed (data minimisation) by default. Furthermore, this personal data should be processed with the highest level of privacy protection.

In practice: the minimum amount of personal information collected and processed will depend on the organisation and the task to be achieved.

The collected data must be limited to only the most essential data for each task. For example, if your company is recruiting for an open job posting, the task is to employ the most suitable and capable candidate for a specific position. Therefore, your company needs personal data about the candidate that is relevant to the job description to determine which candidate is the best match for the role. Requesting data that is outside of the job description is considered excessive. Asking a candidate to provide a photo of themselves or indicate their gender is often irrelevant for the role, so such data may be requested only as optional information, to be provided at the personal discretion of the candidate.

Cookies are another example. The most common task of a website cookie is to collect information about the behaviour of website visitors and improve their experience on the site. Nowadays, cookies are also used for personalising ads and re-marketing. In this case, the principle of data minimisation is implemented by placing cookie banners that by default only collect information that is necessary for the website to function properly, i.e. the minimum data possible.

Most importantly: a product or a service made available to the public should, by default, be set to the strictest privacy settings possible, without the need for manual input from the end-user.

Think of Zoom’s recent security incident. The service had a security flaw that left cameras on Mac devices vulnerable to hacker attacks. Four million Mac users were affected.

Ideally, Zoom should have disabled camera settings for all users by default. If you have ever used Zoom, or any other tool requiring access to your video camera, check your settings and make sure that your video camera is disabled by default (Log into Zoom -> Settings -> Video). It also doesn’t hurt to place a sticky note over your camera for extra protection.

Although privacy by default and privacy by design are requirements specific to the EU’s GDPR, companies around the world are implementing these principles in their tools and services. There are a number of privacy by default products out there. Examples include privacy-focused browser extensions like DuckDuckGo, Ghostery, Tor and Brave.

This and other articles of the #Privacy_Issues publication, unless specified otherwise, are a product of joint creative energy of the team behind the Privacy Issues project.

Mira Nova
Digital law researcher, consultant & connecter. All words and opinions are my own.