Privacy-by-design is becoming a pressing need for industry to adopt widely, as it is increasingly endorsed at the European legal framework level, driven by factors like the need to be fully compliant in the management of increasingly larger volumes of business data (including personal and sometimes sensitive data) in a context of complex cross-border data flows and dematerialization of borders (e.g. Cloud Computing, IoT, Future Internet, Big Data, BYO…).
However, although privacy-by-design is a widely used concept today, its meaning remains vague and confusing when it comes to implementing it in practice as part of the engineering process of software and systems. Privacy engineering is still a rather young concept, with multiple ongoing standardization efforts, where best practices still need to be developed and agreed upon by a complex array of stakeholders.
The EU co-funded project PRIPARE (Preparing Industry to Privacy-by-design by supporting its Application in Research) has undertaken work to merge and connect existing best practices in the area of privacy-by-design, leveraging their best features whilst addressing their weak points, and thereby developing a unique methodology aimed at the complex ecosystem of all stakeholders involved in producing privacy-friendly systems, and which addresses the whole personal data and system development lifecycle (SDLC), thus contributing to the advent of unhindered usage of Internet against disruptions, censorship and surveillance.
The main outcome of PRIPARE is a privacy and security-by-design software and systems engineering methodology, developed using the combined expertise of the industry and the research community, taking into account multiple viewpoints (advocacy, legal, engineering, business), applicable by companies and organizations of all sizes during the full lifecycle of the system and for any personal data which may be collected, stored or processed, including special categories of personal data (sensitive data).
The PRIPARE methodology is built upon the combination of best-of-breed privacy and security approaches such as privacy impact assessments or privacy risk management methodologies and is heavily influenced by existing standards (e.g. ISO29100, 29101 or OASIS PMRM and PbD-SE).
Systems engineered applying the PRIPARE methodology will be best prepared for the early discovery of potential privacy issues, allowing organizations to:
- Optimize the costs of developing privacy-enhanced or respectful systems by addressing discovered issues in early phases of the engineering lifecycle.
- Avoid the costs associated with non-compliance with applicable regulatory provisions (i.e. fines under the forthcoming EU General Data Protection Regulation, which may be up to 5% of the organization's worldwide turnover) and the loss of trust by customers, citizens and/or business partners.
- Benefit from the strong competitive advantages that stem from offering secure privacy-friendly services and products.