Whilst companies who provide popular services such as Zoom or WhatsApp have had to update privacy features in the wake of security issues and changes introduced by GDPR, the term ‘privacy by Design' has become prevalent. So, what is privacy by design and why is it crucial for businesses to choose applications and software that provide this by default?
Privacy by design requires solutions and software to consider data protection and privacy from the start. Integrating data protection principles throughout the design process and making this apriority to remain compliant throughout its lifecycle, otherwise known as data protection by design and default
Having appropriate technical and organisational measures that consider this during the design stage, minimises the need to add privacy features at a later date, as seen with many popular consumer used apps and programs that were not built with privacy by design.
As a concept that has been part of data protection law for many years, privacy by design is part of GDPR regulations that came into force in 2018. With it being a legal requirement, it means any consideration with a new platform, software or app needs to follow this ruling.
It’s not just new solutions that require this, with any existing products and software requiring these updates if still within its lifecycle. This has meant many companies have had to review their product offerings to ensure they are compliant and not at risk of fines.
The law is being actively enforced, with recently both Google and Amazon receiving fines for using non-essential tracking cookies without user consent, paying €100 million and €35 million respectively. This was after France fully adapted its DPA in line with GDPR terms. In 2019, a German real estate company where fined €14.5 million for storing the personal data of tenants and not implementing privacy by design.
The risks are clear in terms of the heavy fines that can accompany being non-compliant, but also the risk to users’ data. Those implementing privacy by design are considering all of this before launching anew product or service, providing trust to its users and organisations that are looking to implement solutions that their confidential and private data is not potentially being compromised or used for other means.
There are seven concepts that are the foundational principles of privacy by design according to the ICO. These concepts are used by organisations to guide them when creating new solutions or updating existing software and products to become aligned with data protection laws.
1. Proactive, not reactive; preventative not remedial
2. Privacy as the default setting
3. Privacy embedded into design
4. Full functionality – positive sum, not zero sum
5. End-to-end security – full lifecycle protection
6. Visibility and transparency – keep it open
7. Respect for user privacy – keep it user-centric
To ensure users’ privacy, companies should only collect data that is necessary and use it only for the intended purposes. They should also remove this data when not required as soon as possible.
At RealTyme, our platform is built with privacy by design and ensures each of the above fundamentals is adhered to. This ensures that workplace collaboration is as secure as possible and requires minimal data retention.
· No logging or storing of user data or metadata – no spam, and no ads, are used in our business model.
· Data minimization - provided by automatic deletion of communication between users after use. Once messages and files are sent and delivered, we immediately delete them from our servers.
· End-to-end encryption at rest and in transit by default – using AES-256 CCM between applications, client-to-server encryption that is application specific, as well as a transport layer via TLS. For all messages, video, and audio calls. Publicly available underlying mechanisms used (DTLS and sRTP) are open-source protocols.
· Full data sovereignty - puts the control in your hands to match internal company policies, whether deployed on-premises or on a private cloud.
· Higher administrative control – decide how your company's privacy settings and policies are actioned and enforced.
· Invitation-only access – create private circles with only those users required allowed access
· Minimal PII – only a username, email or phone number is required to set up and only used for initial onboarding and account recovery.
· Secure collaboration – all data communicated and shared on the platform stays private between users, at all times.
· Advanced Cryptography – strong mutual authentication through digital signatures, using public key cryptography, between applications and the server.
You can learn more about the security features we provide at RealTyme, helping ensure your workplace collaboration is as secure as possible and remains compliant.
To discover more about the RealTyme platform, request an invite today and we'll be happy to arrange a demo, or speak to sales when convenient for you.