The limpid and floating “Privacy by design” concept

The European General Data Protection Regulation (GDPR) has been enforced since 25 May 2018 and applies to organizations across the world. In a data-driven society where analysing and understanding data is a competitive advantage for companies, GDPR serves as a legal safeguard to protect the privacy of all European citizens.

The “Privacy by Design” framework is one of the key concepts of this regulation and was developed by former Information and Privacy Commissioner of Ontario (Canada), Ann Cavoukian, in the 90s. She proposed a model that can be seen as almost medical, which would favour preventing privacy “diseases” over curing them.

Five years after E. Snowden’s surveillance disclosures about the NSA’s wiretapping, companies are more than willing to embrace this concept to regain customer trust. But is the concept of “Privacy by Design” as limpid as it seems?

“Privacy by Design”, 7 principles

The “Privacy by Design” framework is introduced in article 25 of GDPR: companies should design every project in such a way that they ensure personal data privacy. If a project is “designed by privacy”, then the risk (data breach) attached to any personal data will become very low. To appreciate its scope in the best possible way, this concept relies on 7 principles:

Proactive, not Reactive; Preventative, not Remedial

By anticipating, companies should be able to ensure the highest level of privacy for every action that will collect, process or destroy personal data. In this way, they will also ensure a high level of security.

Privacy as the Default

Individuals are automatically protected. They do not have to ask or carry out any action to ensure they and their personal data are private and protected.

Privacy Embedded into Design

A product should be designed to respect the privacy of personal data that it will process. Ways of ensuring privacy for personal data are fully integrated at the beginning of the creation process for a new project, product or service.

Full Functionality — Positive-Sum, not Zero-Sum

The goal is to build a balanced relationship where users and companies benefit from the situation (win-win model). It is possible to create this situation with a high level of privacy and security where no parties will suffer any loss.

End-to-End Security — Lifecycle Protection

Personal data should be highly protected during its entire life cycle. Each action that collects, processes and even destroys the data should ensure the highest level of security for individuals.

Visibility and Transparency

A user should be able to verify their data and how it is stored, processed and secured. Thanks to this, trust between the user and the company should be strengthened.

Respect for User Privacy

In a user-centric approach, the companies’ first concern should be to protect the users’ personal data as much as possible.


All these principles should be applied by companies, according to their purposes for processing personal data.

GDPR briefly presents some measures that can lead to implementation of the “Privacy by Design” concept into businesses. Here are some examples:

  • Data Minimization (article 5), the concept of collecting only the data that is needed
  • Pseudonymisation (article 25), the technique that replaces the identifying fields of personal data collected to ensure that a user cannot be identified by an external individual
  • GDPR also establishes specific deadlines for the retention of personal data depending on its type


A floating implementation


Nevertheless, the instructions presented in GDPR are not sufficiently detailed and cannot be simply applied. Even if companies apply these measures, it will not be enough to consider a project as compliant.

The concept of privacy by design is not a checklist that can be ticked quickly and easily. There is no handbook or detailed process to follow.

For R. Jason Cronk, author of “Strategic Privacy by Design” and Privacy and Trust Consultant, there is an explanation behind this vagueness: “Unfortunately, part of the strength of her 7 Foundational Principles of Privacy by Design are also their weakness. She (editor’s note: Ann Cavoukian) purposefully made them robust and flexible to allow organizations to find their own methods to achieve them. However, privacy by design has remained frustratingly vague – its flexibility might be a virtue in some respects, but it is a curse in other respects.”


A case-by-case application

Privacy by design is a concept that must be applied case by case. Organisations should study and apply compliance measures according to their use of personal data. In this case-by-case application, companies can sometimes feel “overwhelmed”. Those with the financial means may turn to a qualified third party; others can rely on their own research or on associations (e.g. the AFCDP in France) where they can share their experience and practices with other companies. In France, the CNIL provides a guide for SMEs to lead them towards GDPR compliance.

The concept therefore remains vague and difficult to apply for companies. But if they have the opportunity to work with a qualified third-party or already have the structure to find a way to apply it properly, they have an incontestable asset.


The DPO, the weakest link?

The challenge can also be human. Indeed, applying this concept during the creation process of a project that aims to process personal data implies an organizational effort at all levels. “Privacy by design” should be the first thought, not the second, for every department involved, at its respective level, so that Data Protection Officers or relays are designated in key departments, with the role of verifying and advising the company on how to collect, process and store personal data to comply with the GDPR. Being compliant with GDPR is an ongoing process in the life cycle of a project, and the DPO follows the evolution of both the project and the legislation. The designated DPOs must be, above all, motivated. They oversee the application of GDPR in the activity of their department and its relay.

If one of the DPOs or relays does not feel concerned enough about applying it, then the creation process designed by privacy is weakened. When a relay does not apply it properly at their level, there is a certain risk that some data is not processed properly according to GDPR.

One of the DPO’s main tasks is to advise his company. In order to advise it in a better way, the DPO should develop and “grow” a legislative culture around the regulations in force. A DPO should be curious and interested in the subject. If the DPO does not care enough about his responsibilities, the company will suffer because of this lack of knowledge.


Implementation and awareness are keys


“Privacy by Design” may be easy to understand but companies that try to apply it may feel like they are walking on eggshells. Because it is in the experimental stage, it remains hard to know where to begin but over time the best practices will emerge from this experience and will lead to a simple implementation.

Also, raising awareness is necessary and essential for ideal application. Malakoff Médéric’s DPO, Johanna Carvais-Palut, explains that in her company DPOs receive training from the CNIL, receive a monthly informative newsletter on legal developments, and participate in monthly meetings.

Today, “Privacy by Design” is essential to ensure privacy for all individuals, but it is up to companies to make sure it happens, thanks to the resources they will gather.



Further reading: 

The reputation of FMCG companies in the digital era

The last few years have seen the development of several new consumer trends.

The first one is the realisation of our impact on the environment and how it is important to preserve Mother Earth’s resources. People are more aware of their carbon footprint and are willing to make better choices.

The second trend is the multiplication of industrial scandals, for example in the textile or the consumer goods industries. As a consequence, consumers demand a better traceability of the products they buy.

Finally, people have become more willing to take care of their health by consuming better products and living a healthier lifestyle.

These trends have given consumers the will to be more educated about the ecosystem they live in.

They want to make more sustainable choices which will have a better impact on the environment, their health or society in general. As a consequence, new tools have appeared to help them in this journey. Digital has certainly played a key role in the democratisation of these new trends and values.

In the consumer goods industry, such tools can be apps, websites or blogs that can help consumers make their way across the aisles of supermarkets. People can now easily make the difference between the “good” products and the “bad” ones.

Credits: Louise Chapuis

One good example would be Yuka. Yuka is an app which allows you to scan the product you are planning on buying and then gives you information about its impact on your health. A product can be “bad”, “good” or “excellent”. In addition to Yuka, many blogs or social media accounts with the same philosophy have been created.

Following these new trends and the rise of information flows, FMCG companies have seen their reputation being endangered. Consumers are now able to make the difference between two kinds of brands:

  • the brands that use healthy ingredients and put their customers at the heart of their values,
  • the brands that prefer to make choices based on budget restrictions and delivering a product that will appear as healthy but is not.

Companies are now having to change their business model and focus on giving their customers better products.

Recently, Carrefour, one of the biggest French supermarket chains, has launched a new communication campaign called “Act For Food”. With this strategy, the company is promoting a new business model: better traceability of their products, and organic foods without any additives or controversial ingredients. Alexandre Bompard, their CEO, wants Carrefour to be “the world leader in the food transition for everyone”. This surely has helped them improve their reputation over the last few weeks.

On the other side, some companies have greatly suffered from consumers' gain in knowledge. In general, candy companies have not made much effort to take advantage of these trends and restore their image. The most significant example is Mondelez International, ranking 71 out of 100 on Barron’s “World Most Respected Companies” in 2017. They are not far from Monsanto or Goldman Sachs, who are known for having a terrible reputation. The large snacks company is suffering from customers reading labels more carefully. They are now being threatened by new smaller companies promoting organic and healthier snacks.


The trends mentioned above have truly transformed the landscape of consumer goods companies, for which keeping a good reputation is a central concern. By allowing consumers to be more educated, digital is challenging FMCG companies to provide better products.


Hashtag: origin and impact on the social media environment


Last year the hashtag, one of the most influential signs in the digital area, celebrated its 10th birthday. Nowadays almost everybody has used a hashtag (at least once) on Twitter, Facebook or Instagram.

According to Les Echos, more than 125 million hashtags were used per day in 2017. This figure has been increasing since the creation of the hashtag in 1988.

But where does the hashtag come from? What is its impact on the social media environment?

The origin of the Hashtag

A Google idea:

Essential on social networks today, the hashtag was born in 2007. It was created by a Google engineer called Chris Messina. Initially, he used it to classify tweets talking about the same theme. Hashtag comes from the verb hash, so you have to hash or classify by using # and a word. The primary function was to classify and list content in order to find it easily on the web. Later, he proposed creating discussion flows linked to each other by a hashtag.


How to combine online and offline techniques for a better customer journey?

90% of purchases are made offline. According to the Wall Street Journal, even though store visits have decreased, store revenue was 15% higher in 2016 than in 2012. However, this fact does not mean that digital is not important in retail: online searches prior to a store visit increased by 7% between 2012 and 2016. As soon as the customer enters the store, he knows what he wants to buy and why. For that purpose, multichannel strategies are emerging. Customers are doing some research on the internet before going into a store. Today, “banking, retail, and other sectors are still struggling to devise the perfect cross-channel experiences for their customers—experiences that take advantage of digitization to provide customers with targeted, just-in-time product or service information in an effective and seamless way” (article from McKinsey in June 2014).

Source: ShopperTrack data for November/December 2015 as cited in Wall Street Journal


Credo application: A TV-show inspired app with a dystopian aftertaste?

As our society and economy are increasingly digitized, rating the quality of services and companies is all the rage in many sectors. Airbnb, YELP, The Fork, Uber, Glassdoor, and many others are establishing a new feedback norm accessible from everyone’s phone or computer. Surely, it allows users to access better insights before making their choice and improving their experience at the same time.

But what if this trend was extended to rating not only services or companies but also individuals themselves? As a digital native and a TV show binge watcher, I regularly watch a TV show which imagines, from a dystopian angle, our future behaviour in relation to the Internet, technological developments and our relationship to social networks.
If you are a fan of the “Black Mirror” TV show, you certainly remember the episode named “Nosedive”, in which all people lived around a rating app. In this episode, the young woman Lacie lives for one purpose only: to be rated well by others to be able to access her dream house.
Well, fiction just partly became reality with the launch of the Credo application.