The Spanish data protection agency (AEPD) has published the "Guide to Privacy by Design" with the aim of providing guidelines that make it easier to incorporate data protection principles and privacy requirements into new products or services from the moment they begin to be designed.
The concept of privacy by design was accepted internationally in a resolution adopted in 2010 within the framework of the 32nd International Conference of Data Protection and Privacy Commissioners. However, it is the General Data Protection Regulation (GDPR) that has given it the status of a legal requirement, by incorporating in its Article 25 the practice of defining privacy requirements from the earliest stages of the design of products and services.
The objective of privacy by design, which is oriented to risk management and proactive responsibility, is that data protection is present from the early stages of development rather than being an extra layer, forming an integral part of the product (hardware or software), system, service or process. The Guide is aimed at controllers and other actors involved in the processing of personal data, such as suppliers and service providers, developers of products and applications, or device manufacturers.
It is divided into nine points. The first two are dedicated to defining the concept and founding principles of privacy by design, as well as the qualification of the product or service to ensure that privacy. The third section analyses the concept of privacy engineering, a process that aims to translate the principles of privacy by design into concrete actions, both in the conception phase of the product or service and in its development. It does so, for example, through the identification of strategies to follow in order to guarantee privacy; the establishment of privacy design patterns to resolve problems that arise repeatedly when developing products and services; or the use of privacy-enhancing technologies (PETs) to implement those patterns with a particular technology.
Moreover, the Guide addresses the various privacy design strategies, some of which are oriented to the processing of data (minimize, hide, separate and abstract) while others are directed at defining processes for the responsible management of personal data (inform, control, enforce and demonstrate). It also dedicates a section to classifying privacy-enhancing technologies (PETs), among other things.
The Guide includes a conclusions section in which the agency indicates that ensuring privacy and establishing a framework that guarantees data protection does not represent an obstacle to innovation, but offers advantages and opportunities for organizations as well as for the market and society as a whole. It also recalls that privacy by design is an obligation of the controller whatever the form of development, acquisition or subcontracting of the system, product or service, and that the controller may not delegate this responsibility entirely to manufacturers and processors.