The EU General Data Protection Regulation (GDPR) requires organisations to adopt the principles of “data protection by design and by default” (Article 25), more commonly referred to as “privacy by design”. These principles require organisations to build data protection into their systems and processes from the outset, rather than bolting safeguards on after the fact. They should be applied whenever an organisation:
- Builds a new IT system for storing or accessing personal data;
- Develops policy or procedures that have privacy implications;
- Develops a data sharing initiative; or
- Uses data for new purposes.
Privacy by design is crucial for organisations, not only because it is a compliance requirement of the GDPR, but also because it forces a rethink of how cyber security is approached. Data breaches continue to rise year on year, and many organisations have struggled to find effective responses. Adopting a privacy by design approach raises an organisation’s awareness of privacy and data protection issues, helping it identify and address vulnerabilities promptly.
What do organisations have to do?
Article 25 of the GDPR sets out two obligations that together amount to privacy by design.
First, the data controller, “taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, [should] implement appropriate technical and organisational measures”. Article 25(1) itself names pseudonymisation as an example of such a measure, and Article 32 (security of processing) adds encryption alongside it; the two can be used together or separately.
Second (Article 25(2)), the data controller should implement appropriate technical and organisational measures to ensure that, by default, the organisation:
- Collects only as much data as is necessary;
- Processes it only for, and only to the extent required by, the purpose for which it was collected;
- Keeps it for only as long as it is required; and
- Does not make it accessible to an indefinite number of people without the individual’s intervention; in practice, access is limited to the staff and systems that need it for that purpose.
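The four obligations above are easier to audit when they are enforced by the data store rather than by a review checklist. The following is an added example, written for this page and not taken from the article or from any vendor product, showing one way to make them the default in code: a purpose register that rejects fields not needed for a purpose (minimisation), a keyed HMAC that replaces the subject identifier with a pseudonym that cannot be reversed without the separately held key (pseudonymisation, Article 4(5)), a per-purpose retention period enforced on every read (storage limitation), and reads that are refused when the caller’s purpose differs from the one the data was collected for (purpose limitation and restricted accessibility). The purpose names, field lists, retention periods and the `PrivacyByDefaultStore` class are assumptions made for illustration; the Regulation prescribes none of them.

```python
"""Added example (not from the original article): a minimal record store that
applies the GDPR Article 25(2) "by default" obligations in code.

Assumptions made for illustration: the purpose register PURPOSES, the field
lists, the retention periods, and HMAC-SHA256 as the pseudonymisation method.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone
from typing import Callable, Optional

# Assumed purpose register: for each processing purpose, the fields that are
# necessary for it and how long records may be kept. Anything not listed here
# is rejected at write time, so minimisation is the default, not an afterthought.
PURPOSES = {
    "newsletter": {"fields": {"email"}, "retention": timedelta(days=365)},
    "order_fulfilment": {"fields": {"email", "postal_address"}, "retention": timedelta(days=180)},
}


class PrivacyByDefaultStore:
    def __init__(self, pseudonym_key: bytes, now: Optional[Callable[[], datetime]] = None):
        # The key is the "additional information" of Article 4(5): it is held
        # here and nowhere near the stored records, which never contain the
        # real subject identifier.
        self._key = pseudonym_key
        self._records = {}  # (pseudonym, purpose) -> {"data": ..., "expires": ...}
        self._now = now or (lambda: datetime.now(timezone.utc))

    def pseudonymise(self, subject_id: str) -> str:
        # Keyed HMAC rather than a bare hash: the same subject always maps to
        # the same pseudonym (records stay linkable), but without the key an
        # attacker cannot hash candidate identifiers to recover who it is.
        return hmac.new(self._key, subject_id.encode(), hashlib.sha256).hexdigest()

    def store(self, subject_id: str, purpose: str, data: dict) -> str:
        spec = PURPOSES.get(purpose)
        if spec is None:
            raise ValueError(f"no registered purpose: {purpose}")
        extra = set(data) - spec["fields"]
        if extra:
            # Data minimisation: refuse rather than silently drop, so the
            # collection form gets fixed instead of the store hiding the problem.
            raise ValueError(f"fields not necessary for {purpose}: {sorted(extra)}")
        pid = self.pseudonymise(subject_id)
        self._records[(pid, purpose)] = {
            "data": dict(data),
            "expires": self._now() + spec["retention"],  # storage limitation
        }
        return pid

    def read(self, pid: str, purpose: str) -> Optional[dict]:
        # Retention is enforced on the read path too, so an expired record is
        # never served even if the scheduled purge has not run yet.
        self.purge_expired()
        rec = self._records.get((pid, purpose))
        if rec is not None:
            return dict(rec["data"])
        if any(p == pid for p, _ in self._records):
            # Purpose limitation: an address collected for order fulfilment is
            # not handed to a marketing caller, even though it is the same email.
            raise PermissionError(f"data for {pid[:8]}... was not collected for {purpose}")
        return None

    def purge_expired(self) -> int:
        now = self._now()
        expired = [k for k, r in self._records.items() if r["expires"] <= now]
        for k in expired:
            del self._records[k]
        return len(expired)


if __name__ == "__main__":
    store = PrivacyByDefaultStore(b"key-held-in-a-separate-secret-store")
    pid = store.store("alice", "newsletter", {"email": "alice@example.invalid"})  # constructed sample
    print(pid, store.read(pid, "newsletter"))
```

Note the `now` parameter: injecting the clock lets a test advance time and confirm that the purge really removes records after the retention period, which is the check an auditor will ask for.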
Putting the GDPR into practice
Those who want to learn more about privacy by design and the other requirements of the GDPR should consider enrolling on our Certified EU General Data Protection Regulation (GDPR) Foundation and Practitioner Combination Course.
This five-day course provides a comprehensive overview of the GDPR and gives you practical advice on planning, implementing and maintaining a GDPR compliance programme. It’s delivered by an experienced data protection practitioner, and is ideal for both managers who are already involved in data protection and individuals who want to get started in the field.