An increasingly common way to differentiate products or services in the market is through user privacy management. Companies have realized that, in addition to being a legal obligation, it's a competitive advantage.
It's important to remember that privacy shouldn't be an add-on to a product, but rather should be part of the early stages of creating those products or services.
Article 25 of the GDPR refers to this, stating:
“1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity that processing entails for the rights and freedoms of natural persons, the controller shall, both when determining the means of processing and at the time of processing, implement appropriate technical and organisational measures, such as pseudonymisation, designed to effectively implement data protection principles, such as data minimisation, and to integrate appropriate safeguards into the processing, in order to meet the requirements of this Regulation and to protect the rights of data subjects.
2. The controller shall implement appropriate technical and organizational measures to ensure that, by default, only personal data necessary for each specific purpose of the processing are processed. This obligation shall apply to the amount of personal data collected, the extent of their processing, their retention period, and their accessibility. Such measures shall, in particular, ensure that, by default, personal data are not accessible, without the intervention of the data subject, to an indeterminate number of natural persons.”
Therefore, from the outset of planning any service that will involve the processing of personal data, we must consider the type of data being processed, the additional risks, and the potential impact of any incident on that data.
Privacy by design.
As we read previously in Article 25.1 of the GDPR, "the controller shall implement, both at the time of determining the means of processing and at the time of the processing itself, appropriate technical and organizational measures, such as pseudonymization, designed to effectively implement the data protection principles..."
Therefore, the following principles should guide the design of any service that may involve the use of personal data:
Assess the need for the use of personal data. It must be clearly determined whether the use of this personal data is absolutely necessary and, if so, whether it is the minimum necessary.
What will the data be used for? The need for this personal data must be fully justified in advance. It cannot be collected "just in case"; rather, its use must be fully identified, justified, and integrated into the security policy.
The bare minimum. It's necessary to determine the minimum data required to provide the service, and no more. It's not advisable to collect more data than necessary, as this will increase the obligations associated with it.
Identify the data subjects. We must identify the individuals whose personal data we will process. Are they clients? Are they potential clients? Are they company employees? A prior analysis is essential to determine whether we already have this information or whether collecting it will result in data redundancy.
Define the information flow. It's essential to define the data lifecycle: how and when it's collected, who manages it, how it's stored, and how and by whom it's destroyed. It's vital to gather all this information to ensure proper traceability in the event of an incident.
Increasingly, users are opting for apps, products, and services that protect their privacy, and WhatsApp and the uproar it caused a few months ago with the leak of privacy policy changes are good proof of this.
Privacy from the design of products and services