Privacy by design

The last decade has shown a rapid growth of concern among citizens about privacy.

Protection of personal data and the right to preserve anonymity are back in the spotlight. Policy makers have made every effort to react to the worry. As a consequence, regulations on data processing are being tightened.


The European General Data Protection Regulation (GDPR) that will come into force strengthens the position of EU citizens with regard to their data, making tough demands on organizations that collect data and raising the financial sanctions for infringing the regulation. How will the changes impact data-driven entities?

Among the ‘civil’ rights to be established by GDPR are:

  • easier access to people’s personal data
  • transparency around how these data are processed
  • the right to explicitly object to storage and/or use of one’s data
  • data portability, transfer of data to third parties, and
  • the right to be forgotten (let data instantly evaporate or be erased afterwards)

For many institutions, the processing measures in GDPR will set new obligations like the registration of data leaks, the appointment of a dedicated Data Protection Officer and the introduction of data protection impact assessments.

Data management

The on-going explosion of generated data has not only fuelled the privacy debate.

It has also led to the ubiquity of 360-degree customer view initiatives. More data allows for better insights, may facilitate new points of view or just harness already available predictive models.

State-of-the-art data processing capabilities are an important requirement to successfully realize the 360 ambitions. They are needed not only to arrange for the integration of data from different sources. Above all, these capabilities are necessary to reach a more sophisticated level of data governance: privacy by design.

Privacy by design is an approach that puts privacy at the centre throughout the process of system design aimed at data management and at meeting customer expectations or user experience. The concept originates in a report on “Privacy-enhancing technologies”, the fruit of a Canadian-Dutch cooperation back in 1995.



Consent management

The crucial foundation for this approach, however, is not in Agile working or an alternative emphasis on multidisciplinary development. The basic condition is explicit consent given by the person whose data are at stake. Caveat: this is quite different from the well-known ‘got-it’ click that characterizes current cookie consent.

Distinguishing between different levels of consent, e.g. giving anonymous or personal data (customer vs. operator in control), letting data evaporate instantly (the right to be forgotten) or transferring them externally, will more and more become the standard. Full transparency on what use will be made of the data, and how, is an integral part of it. As an example, a description like “optimizing the website” will be considered rather meagre. The finishing touch is in the stringent administration of consents, just as entities register an address or a birthdate on their customer records. Relying on version management, that is to say, “if you visited us on April 1 or December 28, we presented text 15.12 or 16.04”, will rapidly become obsolete.

Customer perception is key

Although compliant data governance may be an issue that does not keep you busy (“we have IT and Legal, who are well positioned to say something”), please be aware that the hurdle to overcome is not only technical or legal. At the end of the day, customers, citizens and even institutions will only embrace data processors that make relevant use of data. To that extent, consent will become an asset to be actively gained.

The touchstones for consent will thus no longer be only ‘protection’ or ‘security’; increasingly, the test will be whether customers perceive a fair deal when ceding their data.


By: Herman Huizinga, Principal Consultant Business Intelligence