Privacy by design is a concept that states that organisations must consider privacy concerns at the outset of data processing practices, rather than applying features retroactively.
It’s one of the guiding principles of the GDPR (General Data Protection Regulation), and is discussed specifically in its ‘data protection by design and default’ requirements.
Organisations must therefore understand how privacy by design works and implement its principles. Doing so will not only help them meet their compliance requirements but also mitigate cyber security risks.
This means that organisations must:
- Implement appropriate technical and organisational measures designed to implement the data protection principles; and
- Integrate safeguards to comply with the GDPR’s requirements and protect the individuals’ rights.
So, how can you ensure your organisation meets these requirements? We explain everything you need to know in this blog.
What is data protection by design?
To achieve privacy by design and data protection by design, organisations must conduct DPIAs (data protection impact assessments) whenever they create a new system, service, product or process that involves the use of personal data.
They must also implement technologies and create processes and policies to mitigate the risks that are discovered in the DPIA.
Organisations must also write privacy notices and data protection policies that explain their practices in simple language, and provide data subjects with the name and contact details of their DPO (data protection officer) or whoever is responsible for data protection.
What is data protection by default?
To achieve data protection by default, organisations must ensure that they only perform data processing activities if they are necessary to achieve a specific, documented goal.
The concept relates to the GDPR’s principles of data minimisation and purpose limitation, and requires that organisations:
- Assume a ‘privacy-first’ stance when developing the default settings of systems and applications;
- Ensure that individuals always have a genuine choice when asked for permission to process their personal data;
- Don’t process additional information without data subjects’ consent;
- Ensure that personal data is not automatically made publicly available to others unless the individual decides to make it so; and
- Provide individuals with the means to exercise their data subject rights.
Your compliance requirements
Article 25 of the GDPR outlines two steps organisations should take to achieve data protection by design and default.
First, the data controller must implement appropriate technical and organisational measures designed to protect individuals’ personal data, “taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing”.
In other words, there is no one-size-fits-all solution. Rather, organisations should adopt measures based on the scale of the risk and the resources they have available.
The GDPR suggests that pseudonymisation and encryption are two technologies that organisations should consider, but other than that, it refrains from giving specific examples.
Second, organisations should ensure that their technical and organisational measures also protect individuals’ privacy. This means that they must:
- Collect only as much data as is necessary;
- Use it only for the purpose for which it was initially collected;
- Keep it for only as long as it is required; and
- Make it available only to relevant personnel.
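The two lists above (the ‘data protection by default’ behaviours and the Article 25 measures of minimisation, purpose limitation, retention and restricted access, with pseudonymisation as the suggested technique) are easier to audit when they are enforced in code rather than left to policy. The following is an added example written for this post, not code from the post’s author or from any regulator: a small personal-data store whose defaults are privacy-first. All field names, purposes, roles, the demo key and the sample subject record are constructed for illustration.

```python
"""Privacy-by-default personal-data store (hypothetical example).

Shows, in one place: data minimisation (only known fields are accepted),
consent-gated optional data, nothing public by default, pseudonymised
identifiers kept apart from the raw identifier, purpose limitation and
role restriction on every read, and retention-driven purging.
"""
import hashlib
import hmac
from datetime import datetime, timedelta, timezone

# Constructed demo key. Assumption: a real deployment keeps this in a KMS/HSM,
# separately from the processing dataset, so the pseudonyms cannot be
# re-identified by anyone who only holds the records.
PSEUDONYM_KEY = b"demo-only-key-replace-me"

# Data minimisation: the only fields the system is permitted to hold.
REQUIRED_FIELDS = {"email"}
OPTIONAL_FIELDS = {"phone", "date_of_birth"}  # stored only with explicit consent

# Purpose limitation and storage limitation: each documented purpose carries
# its own retention period; undocumented purposes are refused outright.
RETENTION = {
    "service_delivery": timedelta(days=365),
    "marketing": timedelta(days=90),
}

# Restricted access: roles allowed to read data collected for each purpose.
ALLOWED_ROLES = {
    "service_delivery": {"support"},
    "marketing": {"marketing"},
}

# Constructed clock values so the example and its checks are deterministic.
NOW = datetime(2024, 1, 1, tzinfo=timezone.utc)
LATER = NOW + timedelta(days=91)  # one day past the marketing retention period


def pseudonymise(identifier: str) -> str:
    """Keyed hash: records stay linkable without holding the raw identifier."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(PSEUDONYM_KEY, normalised, hashlib.sha256).hexdigest()


def create_record(submitted: dict, consents: set, purpose: str, now: datetime):
    """Return (vault_entry, record).

    The vault entry is the only place the raw identifier lives; the record
    itself carries just the pseudonym and the consented optional fields.
    """
    if purpose not in RETENTION:
        raise ValueError(f"undocumented purpose: {purpose!r}")
    unexpected = set(submitted) - REQUIRED_FIELDS - OPTIONAL_FIELDS
    if unexpected:
        raise ValueError(f"refusing fields never asked for: {sorted(unexpected)}")
    missing = REQUIRED_FIELDS - set(submitted)
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")

    subject_id = pseudonymise(submitted["email"])
    # Privacy-first default: an optional field is kept only if the subject
    # consented to that specific field; public_profile is opt-in, never on.
    kept = {k: v for k, v in submitted.items() if k in OPTIONAL_FIELDS and k in consents}
    record = {
        "subject_id": subject_id,
        "purpose": purpose,
        "public_profile": False,
        "created": now.isoformat(),
        "expires": (now + RETENTION[purpose]).isoformat(),
        "fields": kept,
    }
    vault_entry = {subject_id: submitted["email"]}
    return vault_entry, record


def read_record(record: dict, purpose: str, role: str, now: datetime) -> dict:
    """Enforce purpose limitation, role restriction and retention on every read."""
    if purpose != record["purpose"]:
        raise PermissionError(f"collected for {record['purpose']!r}, not {purpose!r}")
    if role not in ALLOWED_ROLES[record["purpose"]]:
        raise PermissionError(f"role {role!r} may not read {purpose!r} data")
    if now >= datetime.fromisoformat(record["expires"]):
        raise PermissionError("retention period elapsed; record must be purged")
    return record["fields"]


def access_allowed(record: dict, purpose: str, role: str, now: datetime) -> bool:
    """Boolean wrapper around read_record, handy for tests and audit logs."""
    try:
        read_record(record, purpose, role, now)
        return True
    except PermissionError:
        return False


def purge_expired(records: list, now: datetime) -> list:
    """Storage limitation: drop anything past its retention date."""
    return [r for r in records if now < datetime.fromisoformat(r["expires"])]


def set_public_profile(record: dict, subject_opted_in: bool) -> dict:
    """Only the data subject's own explicit choice can make a profile public."""
    return {**record, "public_profile": bool(subject_opted_in)}


if __name__ == "__main__":
    vault, rec = create_record(
        {"email": "Ann@Example.org", "phone": "0123", "date_of_birth": "1990-01-01"},
        consents={"phone"}, purpose="marketing", now=NOW)
    print("stored fields:", rec["fields"])             # date_of_birth dropped: no consent
    print("marketing role, marketing purpose:", access_allowed(rec, "marketing", "marketing", NOW))
    print("support role, marketing purpose:", access_allowed(rec, "marketing", "support", NOW))
    print("after retention period:", purge_expired([rec], LATER))
```

The design choice worth noting is that the permissive path is never the default: a field is dropped unless consent names it, a read fails unless purpose and role both match, a profile stays private until the subject flips it, and a record past its retention date is refused even before the purge job runs. That is what ‘by default’ means in Article 25: the safe state needs no action from the data subject.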
Implementing privacy by design
Now that you understand the GDPR’s data privacy and data protection principles, you must assess whether your organisation is compliant.
We can help you do that with our free Privacy by Design – Step by step green paper.
This guide provides a more in-depth look at your compliance requirements, explaining its seven foundational principles and detailing practical things you can do to implement those principles.
Those looking for more hands-on help might also be interested in our Privacy by Design Foundation Training Course.
This Foundation-level course provides a complete introduction to privacy by design, and helps you get to grips with how to incorporate the method into your projects.
Our specialists provide an interactive course to help you incorporate privacy by design seamlessly into your products and services.
A version of this blog was originally published on 9 March 2018.