Before we start

What is Privacy by Design?

23 January 2018

It always used to be the case that data protection was at the bottom of the pile when it came to software development. Privacy by Design is now set to change this. Thanks to the General Data Protection Regulation, this principle is even going to be mandatory for companies as of 25 May 2018. Jörg Schlißke explains what's behind the concept and how it will improve data protection for users.

#explore: What is Privacy by Design?
Jörg Schlißke: Privacy by Design means that data protection is already considered in the design and development of software and hardware for data processing. Pre-installed user-friendly settings are intended to ensure that the only data collected are those required for the processing purpose in question, so as to ensure as little interference as possible in the rights to protection of the users. In a contract with an online retailer, for instance, these might be name, address and bank account details.

"A company may only collect information from its employees which is indispensable to the implementation of the employment relationship."

Jörg Schlißke

#explore: And what does this mean for companies?
Jörg Schlißke: A company may only collect information from its employees which is indispensable to the implementation of the employment relationship. Data avoidance and data economy are the key words here. If a company develops data processing software, it needs to ensure in this development that, for instance, a deletion concept is implemented or data fields which are not absolutely necessary are anonymised or pseudonymised. This basic principle of necessity is already enshrined in the German Federal Data Protection Act (BDSG). Privacy by Design is closely associated with Privacy by Default, which literally means “privacy as a factory setting”. Devices and web services must accordingly be equipped with privacy-friendly default settings by the manufacturers. Until today, users have often been forced to go through the tedious manual procedure of opting out of the automatic use of their data, for instance for advertising purposes. This was the case, for example, with Facebook's update of its privacy policy in 2015.

#explore: Could you give us another example that describes this more precisely?
Jörg Schlißke: As an example for the implementation of the Privacy by Default principle we can mention tracking settings of internet browsers. Here, the browser automatically informs the websites visited that the user should not be tracked. If they want to, users can switch off this protective feature themselves and give their consent to being tracked - in other words, they can opt in. This strengthens the freedom of choice of the user. In future they’re going to be able to decide for themselves which data they provide to companies over and above the bare minimum necessary.

"If companies violate the data protection regulations, as of May 2018 the supervisory authorities will be able to levy fines of up to €20 million."

Jörg Schlißke

#explore: The General Data Protection Regulation is going to make Privacy by Design and Privacy by Default legally binding as of mid-May 2018. How will this change things for companies?
Jörg Schlißke: Companies are now going to have to act. Basically, the BDSG already contains guidelines on Privacy by Design in the sense of data avoidance and data economy. But this was nothing more than a kind of statement of intent. Violations could be sanctioned only under certain conditions. This will change with the entry into force of the General Data Protection Regulation. If companies violate the data protection regulations, as of May 2018 the supervisory authorities will be able to levy fines of up to €20 million plus a profit levy of up to 4% of the group's entire annual turnover - and all of this according to the location principle. Foreign companies with a branch in Europe are thus subject to the regulations of the GDPR and can be sanctioned. And, as we know from our discussions with the supervisory authorities, they intend to make full use of this sanctions framework. So companies should neither expect nor hope that the General Data Protection Regulation will turn out to be a toothless paper tiger. As evidence that they are satisfying their warranty obligations, companies will in the future be able to undergo an approved certification procedure. However, only certain core characteristics of the GDPR, such as Privacy by Design and Privacy by Default are certifiable.

#explore: What is going to change for the users?
Jörg Schlißke: Users will find that their rights will become strengthened overall. They will in the future be able to assert their rights as data subjects also in the country in which the data was collected - in the case, for example, of cross-border trade. Their right of information concerning the type, volume and use of the stored data will also be reinforced. They will also have a stronger claim to the correction or deletion of data collected on false pretences. The transparency obligations of companies will also be strengthened. This is a real boon for users: After all, data protection declarations have until now often been very complicated and extensive. In the future, operators of websites, social networks or trading platforms will have to adapt the language used in their privacy policies so that minors and individuals without legal competence will be able to understand them. What is still outstanding is the reform of the electronic privacy regulation which corresponds with the data protection regulation. This does not in the first instance refer to natural persons, that is to say users. However, if a website is used to create a relationship with a natural person, then the electronic privacy directive, as a special standard, takes priority over the General Data Protection Regulation. This is currently still covered by the old data protection regulation from 1995. An amendment has been drafted but not yet adopted. If the GDPR is going to be reinforced seamlessly and completely, then the legislature has to make some improvements here.


Jörg Schlißke is a product manager for data protection training at TÜViT and has been dealing with Privacy by Design and Privacy by Default since 2011. With his team, the qualified business lawyer is responsible for data protection advice, privacy assessments and certification for data protection and data security. He also runs the special office for data protection experts at the Independent State Centre for Data Protection in Schleswig-Holstein.