The GDPR is set to be the biggest change to personal data protection law for a generation. With stringent new rules, and extremely punitive fines for non-compliance, businesses will need to be very careful about how they handle information belonging to their clients.

But with less than a month until it comes into force, just 7% of businesses are ready for GDPR. Which means that a tiny percentage of organisations are adhering to the specified principle of “privacy by design”.

What is privacy by design?

According to the UK Information Commissioner’s Office: "Privacy by design is an approach to projects that promotes privacy and data protection compliance from the start.”

This change in approach is intended to prevent security and privacy from becoming an afterthought. Historically, many systems have been designed to fulfil a specific business goal, with relevant security protections added at a later date.

Why does privacy by design matter?

Almost every day there are reports of corporate data systems being breached, often because of loopholes in the security infrastructure. There are many factors involved in a data breach, but the design of the system plays a major role.

If security is added after the system has been built, it is inherently weak. Moulding security provisions to fit an existing system is almost impossible.

A change of mindset and design approach

GDPR seeks to bring some balance back into system design. By forcing architects and developers to consider information security from the very start of a new project, protections can be built directly into each new application or process.

This will of course require a change in mindset for many developers who are more used to delivering services, rather than protecting the personal data that sits behind it. Instead the privacy of the individual must become their primary concern; the “how to” of making the service work, although important, must always be of secondary importance.

One word of warning

In preparing for the GDPR some businesses appear to have taken another approach entirely. Rather than re-engineer apps to align with “privacy first” principles, they have created user opt-in processes designed to encourage individuals to waive as much control of their data as possible.

The new Facebook terms of service screens are an excellent example of this approach. Using clever UI optimisations, users are encouraged to simply click through all of their options; every opportunity to deny Facebook access to specific data is deliberately confusing and accompanied by serious-sounding warning about how your service may be affected.

The Facebook approach may be good for their business model, but it does little to protect their users – even if it does (technically) comply with GDPR demands that individuals be handed complete control of their personal data.

This is a risky approach, not least because the privacy controls seem to be a bolt-on too. There is little or no evidence that businesses who try and convince users to waive their rights in this way have actually taken “privacy by design” principles into consideration.

It could be that we see some of these organisations in court after May 25th.

To learn more about privacy by design and to prepare for GDPR, please get in touch or start by downloading our GDPR Mapping Questionnaire.