Privacy and Data Protection by Design - from policy to engineering

The European Union Agency for Network and Information Security (ENISA) is a centre of network and information security expertise for the EU, its member states, the private sector and Europe's citizens. ENISA works with these groups to develop advice and recommendations on good practice in information security. It assists EU member states in implementing relevant EU legislation and works to improve the resilience of Europe's critical information infrastructure and networks. ENISA seeks to enhance existing expertise in EU member states by supporting the development of cross-border communities committed to improving network and information security throughout the EU. More information about ENISA and its work can be found at www.enisa.europa.eu. Contact For contacting the authors please use [email protected] For media enquires about this paper, please use [email protected]. Acknowledgements We have discussed this work with numerous people at various occasions; we thank for the valuable input we got from these discussions. While we cannot name all, we would like to thank Sébastien Gambs and Rosa Barcelo for their feedback on drafts of this report. Legal notice Notice must be taken that this publication represents the views and interpretations of the authors and editors , unless stated otherwise. This publication should not be construed to be a legal action of ENISA or the ENISA bodies unless adopted pursuant to the Regulation (EU) No 526/2013. This publication does not necessarily represent state-of the-art and ENISA may update it from time to time. Third-party sources are quoted as appropriate. ENISA is not responsible for the content of the external sources including external websites referenced in this publication. This publication is intended for information purposes only. It must be accessible free of charge. Neither ENISA nor any person acting on its behalf is responsible for the use that might be made of the information contained in this publication. Executive summary Privacy and data protection constitute core values of individuals and of democratic societies. This has been acknowledged by the European Convention on Human Rights 1 and the Universal Declaration of Human Rights 2 that enshrine privacy as a fundamental right. With the progress in the field of information and communication technologies, and especially due to the decrease in calculation and storage costs, new challenges to privacy and data protection have emerged. There have been decades of debate on how those values—and legal obligations—can be embedded into systems, preferably from the very beginning of the design process. …