Privacy by design: the fewer data the better
The deal over the new General Data Protection Regulation (GDPR), agreed on 15 December, promises to raise the bar for personal data protection across the world.
The new regulation, which should become effective in 2018, replaces the old EU Data Protection Directive of 1995 and will be directly applicable in 28 EU states.
The GDPR will bring EU law up-to-date with today’s trailblazers, such as globalisation, social networks and cloud computing, and aims to rebuild consumer trust in the face of data thefts, while growing the digital economy and levelling the playing field for industry through harmonisation.
As the four-year drafting and approval process through the European Commission, European Parliament and Member States has proven to be a complex affair, eliciting a huge number of views and opinions, and lots of discussion, the GDPR is a positive step.
Huawei takes the position of strict adherence as far as personal data protection is concerned – and worldwide, not just across the EU28. Our products and services protect data by default.
To ensure this, Huawei uses the Privacy By Design approach. What does this mean? We define PBD as: protecting the user, by handling the minimum amount of private data, to deliver the best possible experience, for information-based services.
We can only build consumer confidence and trust through transparency. An attitude of “collect everything so that we can figure out business models in the future” is unacceptable. We must use the minimum amount of data, and for explicit purposes, and the consumer must know that we are doing this – and only this.
Huawei uses a 5-step implementation process for PBD, involving:
- Leadership: this starts at the top, and executive support is critical. In Huawei, the tone is set by our Rotating CEO, Ken Hu, who chairs our global privacy committee and takes an active interest in the topic
- Business Conduct Guidelines (BCG): privacy is incorporated into our BCG, which all members of staff sign. It is also included in our disciplinary code, to ensure that PBD is not a one-off initiative, but a standard way of conducting business
- Awareness and training: this is key to ensuring ongoing attention to the subject at all levels of the organisation, as every employee must play their part
- Development: Huawei adopted the Privacy Impact Assessment Framework (PIAF), published by the EU in December 2012. This is now embedded into our product and software development lifecycle and extends into operations
- 9 Underpinning Principles include transparency at all levels, along with informed consent, minimal data, integrity, and ownership retention.
Privacy will continue to evolve and change shape, and many challenges lie ahead. Consumers, for example, do not always act as legislators or regulators think they will or should act. User buying patterns suggest that, while they are concerned about privacy, this is not always reflected in their decisions.
They don’t always want vendors to have tight controls over data management. If their phone is broken, for instance, they simply want it fixed as soon as possible, and are willing to cede data to see that happen. So education for our customer-facing employees will be very important for the future and will need to be constantly reinforced.
In addition, culture, circumstance and history all have an impact at a local level and can mean important differences in understanding, which requires constant attention to detail.
Cross-industry collaboration is key in this respect, and this is why Huawei works with the International Association of Privacy Professionals, precisely to share and learn about such matters.
However, as the GDPR is published, adopted and becomes law over the months to come, industry and consumers are still only part way down the path to ensuring maximum data privacy.
As the debate evolves, and consumers start to exercise their buying power with privacy as a purchasing criterion, we will move from compliance and “operationalising” the principles, to a new generation of privacy-aware consumers. And we need to service that societal transformation to the full.
David Francis has recently been appointed as Huawei’s Cyber Security Officer for the UK market