Putting Privacy by Design and by Default in Practice: Unveiling the internal inconsistencies and external constraints of the General Data Protection Regulation (GDPR) and propounding solutions *
My Thesis investigates GDPR’s internal inconsistencies and external constraints, towards the realization of Privacy by Design and Privacy by Default (PbDD). It also looks at how the rights to privacy and data protection have been accosted by the emerging of new data processing paradigms such as big-data analytics, digital marketing targeting and profiling, and “new to the world” technologies.
The ‘operationalisation’ of the law – bridging and incorporating legal requirements into information systems and contemporary business operations – as mandated by Article 25 GDPR, has been flagged by many scholars, practitioners, and organisations as one task of very difficult accomplishment. I investigate whether the contemporary technical and organisational practicalities involving the electronic processing of personal data, which not always seem to be compatible with the PbDD measures prescribed by the Regulation, are aspects that impede, de facto, organisations from achieving compliance. I also investigate whether some aspects of the law have become unduly complex, resulting in the occasional impossibility of its practical application.
Through the exercise of comparing privacy implementation frameworks based on management and optimization of risk, against systems based on a “rights-first” approach, I lift the veil of more privacy-friendly and “humane” compliance mechanisms that can be used by organisations, which, by operating outside the mainstream ‘economic logics’, are deemed to more effectively embrace the data protection principles established by GDPR and, therefore, ensure a higher level of compliance with the Regulation. I name my data protection compliance model “Data Protection Principles Approach”, or, DPPA framework.
The methodology of my work is mainly doctrinal, build upon the study of legislation and case law authority, and informed by literature focusing on the theories of privacy and data protection, which when combined with the study of contemporary businesses’ practices, results in an interdisciplinary conversation between legal scholarship and disciplines such as business management, information systems management, and cyber-security to provide better outcomes.
My thesis asserts that data protection legislation should move towards the application of more coherent, and perhaps stringent, mechanisms of protection of individual’s digital rights, and invites both, organisations and the legislator, to note the validity and applicability of my compliance model in the context of effective operationalisation of data protection into businesses’ sectors.
* WIP = Work In Progress