Privacy & Security by Design
Privacy and security by design is a regulatory approach established by the EU General Data Protection Regulation (GDPR). It requires data controllers and/or processors to implement technical and organisational measures in order to mitigate privacy and security risks. Among the main instruments for demonstrating compliance with the requirements of privacy and security by design, just as with legal requirements in general, are certificates and codes of conduct. These mechanisms enable data controllers and processors to create trust amongst their customers in their data-driven products and services, and to use this as a core value and competitive advantage on the market.
Technological and Data-Driven Innovation
Technological and data-driven innovation is the core driver of public welfare in our digitized society. Data-driven innovations can solve many problems of society, through both the private and public sector: Transport, logistics, product and service development, administration, communication, finance, health, and science in general.
Data-driven innovation can also create risks for individuals and even for society as a whole. For example, data-driven innovation can be misused by people who illegitimately intrude into an individual's privacy, engage in unjustified discrimination against people, or monitor society at large.
Controlling Risks of Data-Driven Innovation
Enhancing Trust in Data-Driven Products/Services
Therefore, in order to fully exploit the positive effects of data-driven innovation, it is necessary to control its risks. Customers can only trust in data-driven products and services if the risks are controlled, and data controllers and processors can only then fully exploit the commercial benefits of data-driven innovation.
The new General Data Protection Regulation builds upon this approach by establishing broad legal terms and general principles, which leave data controllers and processors considerable room for manoeuvre in applying these requirements during their innovation processes. In order to make sure that their specific application meets the regulator's expectations, controllers and processors can additionally build and/or use certificates or codes of conduct demonstrating legal compliance.
Exploiting Competitive Advantages
GDPR Standardisation Instruments
Data controllers and processors can develop new certificates or use existing ones in order to demonstrate the compliance of certain processing activities. This might imply certain product or service categories. A certificate is the ideal instrument to signal compliance as a core value of the product or service and to compete with it against other providers of products or services of the same category, which may have a lower data protection level.
Codes of Conduct
Data controllers and processors can also set up or use codes of conduct for a certain processing sector. In contrast to certificates, a code of conduct demonstrates compliance not only for a certain processing activity (or product or service), but for a whole bundle of activities typical in that sector. However, since the scope of application of a code of conduct is wider than that of a certificate, it is more complex to set up.
Binding Corporate Rules
Similar to a code of conduct, binding corporate rules do not only refer to a certain processing activity but to a bundle of activities. However, while a code of conduct focuses on a processing sector, binding corporate rules apply to one company. Binding corporate rules are particularly useful for globally operating companies because they can legitimize the transfer of personal data within the company, irrespective of whether this occurs inside or outside the EU.
Privacy and Security by Design
Certificates can demonstrate compliance with the privacy by design and security by design requirements under Article 25 GDPR and Article 32 GDPR.
Principle of Responsibility
Certificates and codes of conduct can demonstrate compliance with the principle of responsibility under Article 24 GDPR.
Data Protection Infringement
In the case of a data protection infringement, adherence to certificates or codes of conduct can be decisive for whether an administrative fine is imposed and for its amount.
Legitimisation of Personal Data Transfer
Certifications, codes of conduct and binding corporate rules can provide appropriate safeguards legitimizing the transfer of personal data to a third country outside the EU (important for the US and soon for the UK).
Privacy Impact Assessments
Including multi-stakeholder processes
Analysis of Data Protection Laws
Focus on the GDPR and the ePrivacy Regulation
Privacy and Security by Design Solutions
Conceptualisation, Development and Support
State of the Art Research
Monitoring privacy and security by design solutions
Consultancy on innovation strategies
Consultancy regarding data protection and security
Certificates, Codes of Conduct, BCR
Consultancy, conceptualisation, support
Innovative Data Protection Events
E.g. legal Hackathons and educational Game Jams
Max von Grafenstein
Partner at iRights.Law
Head of Research “Governance of Data-Driven Innovation” at Alexander von Humboldt Institute for Internet and Society
Founding Partner at iRights.Law
Vice-Convener to the ISO/IEC Working Group on privacy and identity management
Founder of mStats DS
Researcher at German Institute for Economic Research and Alexander von Humboldt Institute for Internet and Society
Lies van Roessel
Game Studies Expert
Researcher at Hans-Bredow-Institut for Media Research
Associated Researcher at Alexander von Humboldt Institute for Internet and Society
Design Innovation Expert
Design Director Simply Secure
Former design research lead for innovation consultancy IDEO and Silicon Valley research scientist at Xerox PARC and Ricoh Innovations
Ethics and Information Expert
Doctoral Candidate at Technische Universität Berlin
Scholarship Holder at Else Neumann Stiftung
Researcher at Alexander von Humboldt Institute for Internet and Society
Business Model Expert
Researcher “Customer Centric Business Model Innovation” at Alexander von Humboldt Institute for Internet and Society
Scholarship Holder at Stiftung der Deutschen Wirtschaft
Prof. Dr. Dr. Thomas Schildhauer
Computer Scientist and Marketing Expert
Professor at University of the Arts
Director at Alexander von Humboldt Institute for Internet and Society
Prof. Dr. Wolfgang Schulz
Professor at University of Hamburg
Director at Alexander von Humboldt Institute for Internet and Society