The Internet has revolutionized various sectors of the economy, and with its rise it has become indispensable for smoothly carrying out day-to-day functions. The present era is often termed the 'Age of Data', and using internet services frequently means parting with personal data. With the exponential rise in users, incidents of identity theft, unauthorised access and other such breaches have increased. Privacy concerns exist wherever personally identifiable information or other sensitive information is collected, stored, used and finally destroyed or deleted, in digital form or otherwise.

The challenge of data privacy is to make use of data while at the same time protecting individuals' privacy preferences and their personally identifiable information. The right to privacy is a highly developed area of law in Europe, and all member states of the European Union are also signatories of the European Convention on Human Rights. An important part of EU privacy and human rights law is the Data Protection Directive, a European Union directive adopted in 1995 which regulates the processing of personal data within the European Union.

The General Data Protection Regulation (GDPR), which was adopted in April 2016, will replace the Data Protection Directive and will be enforceable from May 2018. It will strengthen and unify data protection law for all individuals within the European Union and will also govern the export of personal data outside the EU. The GDPR aims to give citizens and residents control over their personal data.

It will simplify the regulatory environment for international business by unifying the regulation within the EU. Unlike the current directive, which needs national legislation to be passed, it does not require national governments to pass any enabling legislation and is thus directly binding and applicable. The regulation extends the ambit of the law to all foreign companies processing data of EU residents or individuals. It also brings a new set of digital rights for EU citizens in an age when the economic value of personal data is increasing in the digital economy.

The GDPR is the most significant piece of European privacy legislation in the last twenty years, seeking to unify data protection laws across Europe. Under it, companies must keep a detailed record of how and when an individual gives consent to store and use their personal or private data. When somebody withdraws consent at any point in time, their details must be permanently erased, not just deleted from a mailing list. The GDPR gives individuals the right to be forgotten.

Privacy by Design and Default is the cornerstone of the GDPR. Privacy by design is a fundamental component in the design and maintenance of information systems and modes of operation for each organisation. It mandates that, from the initial stages onwards, an organisation must consider the impact that processing data can have on an individual's privacy. This means that every new business process or product that could involve personal data or affect the privacy of an individual must be designed in accordance with data protection requirements.

Article 25 of the GDPR codifies the concept of privacy by design. Under it, a data controller is required to implement appropriate technical and organisational measures, both at the time of determining the means for processing and at the time of the processing itself, in order to ensure that data protection principles such as data minimisation are met. The concept of privacy by design promotes compliance with data protection laws and regulations from the earliest stages of initiatives involving personal data. Although it places more demands on the conception and development of new initiatives, following privacy by design principles helps ensure full compliance with data protection principles: issues are identified at an earlier and less costly stage, and awareness of privacy and data protection matters increases throughout an organisation.

Under the current regime (the Data Protection Directive) no specific requirement to implement privacy by design and by default exists, but under the GDPR, once it comes into force, it is inherent. The data controller, while implementing privacy by design, needs to take into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing, as well as the likelihood and severity of the risks to the rights and freedoms of natural persons posed by the processing of their personal data.

Privacy by design is a technical approach. While the incentives and the will to invade privacy may be social problems, the actual ability to do so is in many instances a technical problem. Thus, dealing with it at the technology level is necessary.