Privacy by design is a concept in which organisations emphasise privacy concerns at the outset of data processing practices, rather than applying features retroactively.
It’s one of the guiding principles of the GDPR (General Data Protection Regulation), and is discussed specifically in its ‘data protection by design and default’ requirements.
Organisations must therefore understand how privacy by design works in the GDPR and implement its principles. Doing so will help them meet their compliance requirements and mitigate cyber security risks.
This means that organisations must:
- Implement appropriate technical and organisational measures designed to implement the data protection principles; and
- Integrate safeguards to comply with the GDPR’s requirements and protect the individuals’ rights.
What is data protection by design?
At the heart of privacy by design and data protection by design are DPIAs (data protection impact assessments). These must be completed whenever an organisation creates a new system, service product or process that involves the use of personal data.
They must also implement technologies and create processes and policies to mitigate the risks that are discovered in the DPIA.
Organisations must also write privacy notices and data protection policies that explain their practices in simple language. Additionally, they must provide data subjects with the name and contact details of their DPO (data protection officer) or whoever is responsible for data protection.
What is data protection by default?
To achieve data protection by default, organisations must ensure that they only perform data processing activities if they are necessary to achieve a specific, documented goal.
The concept relates to the GDPR’s principles of data minimisation and purpose limitation, and requires that organisations:
- Assume a ‘privacy-first’ stance when developing the default settings of systems and applications;
- Ensure that the individuals always have a genuine choice when you ask to process their personal data;
- Don’t process additional information without data subjects’ consent;
- Ensure that personal data is not automatically made publicly available to others unless the individual decides to make it so; and
- Provide individuals with the means to exercise their data subject rights.
Your compliance requirements
Article 25 of the GDPR outlines two steps organisations should take to achieve data protection by design and default.
First, the data controller must implement appropriate technical and organisational measures designed to protect individuals’ personal data.
The GDPR states that this process must “[take] into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing”.
In other words, there is no one-size-fits-all solution. Organisations must instead adopt measures based on the scale of the risk and their available resources.
The GDPR suggests that pseudonymisation and encryption are two technologies that organisations should consider, but other than that, it refrains from giving specific examples.
Second, organisations should ensure that their technical and organisational measures protect individuals’ privacy. This means that they must:
- Collect only as much data as is necessary;
- Use it only for the purpose for which it was initially collected;
- Keep it for only as long as it is required; and
- Make it available to relevant personnel.
Implementing privacy by design and default
Now that you understand the GDPR’s data privacy and data protection principles, you must assess whether your organisation is compliant.
We can help you do that with our free Privacy by Design – Step by step green paper.
This guide provides a more in-depth look at your compliance requirements. It explains its seven foundational principles and details practical things you can do to implement those principles.
Those looking for more hands-on help might also be interested in our Privacy by Design Foundation Training Course.
This Foundation-level course provides a complete introduction privacy by design, and helps you get to grips with how to incorporating the method into your projects.
Our specialists provide an interactive course to help you incorporate privacy by design seamlessly into your products and services.
A version of this blog was originally published on 9 March 2018.