Privacy by design is a concept that states that organisations must consider privacy concerns at the outset of their data processing practices, rather than bolting privacy features on retroactively.
The principle is included in the GDPR (General Data Protection Regulation), under its ‘data protection by design and default’ requirements.
It’s essential that organisations understand how to achieve this – not only to meet their compliance requirements but also to mitigate cyber security risks.
This means that organisations must:
- Implement appropriate technical and organisational measures designed to implement the data protection principles; and
- Integrate safeguards to comply with the GDPR’s requirements and protect the individuals’ rights.
So, how can you ensure that your organisation meets these requirements? We explain everything you need to know in this blog.
Understanding data protection by design
To achieve data protection by design, organisations must conduct DPIAs (data protection impact assessments) whenever they create a new system, service, product or process that involves the use of personal data.
They must also implement technologies and create processes and policies to mitigate the risks that are discovered in the DPIA.
Organisations must also write privacy notices and data protection policies that explain their practices in plain language, and provide data subjects with the name and contact details of their DPO (data protection officer) or whoever else is responsible for data protection.
You should note that this isn’t a comprehensive list; data protection by design isn’t necessarily a set of requirements as much as it is a general approach to GDPR compliance.
Meeting your requirements means anticipating data protection and privacy issues, and taking whatever steps are necessary to address them.
Understanding data protection by default
To achieve data protection by default, organisations must ensure that they only perform data processing activities if they are necessary to achieve a specific, documented goal.
The concept relates to the GDPR’s principles of data minimisation and purpose limitation, and requires that organisations:
- Assume a ‘privacy-first’ stance when developing the default settings of systems and applications;
- Ensure that individuals always have a genuine choice when they are asked to consent to the processing of their personal data;
- Don’t process additional information without data subjects’ consent;
- Ensure that personal data is not automatically made publicly available to others unless the individual decides to make it so; and
- Provide individuals with the means to exercise their data subject rights.
What do organisations have to do?
Article 25 of the GDPR outlines two steps organisations should take to achieve data protection by design and default.
First, the data controller must implement appropriate technical and organisational measures designed to protect individuals’ personal data, “taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing”.
In other words, there is no one-size-fits-all solution. Rather, organisations should adopt measures based on the scale of the risk and the resources they have available.
The GDPR suggests that pseudonymisation and encryption are two technologies that organisations should consider, but other than that, it refrains from giving specific examples.
Second, organisations should ensure that their technical and organisational measures also protect individuals’ privacy. This means that they must:
- Collect only as much data as is necessary;
- Use it only for the purpose for which it was initially collected;
- Keep it for only as long as it is required; and
- Make it available only to relevant personnel.
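As an added example (not code from the original post), the ‘by default’ settings listed earlier and the minimisation rules just listed can be expressed as a small profile store: optional fields need explicit consent, records are private by default, access is checked against the documented purpose, expired records are deleted and erasure is available on request. The class names, fields and sample values are constructed for illustration.

```python
from dataclasses import dataclass, field
import hashlib
import secrets

@dataclass
class Record:
    pseudonym: str                       # stands in for the direct identifier
    purpose: str                         # purpose limitation: fixed at collection
    data: dict                           # only the fields needed for that purpose
    collected_at: float                  # unix timestamp, drives storage limitation
    consented_extras: dict = field(default_factory=dict)
    public: bool = False                 # privacy-first default: not visible to others

class ProfileStore:
    def __init__(self, required_fields, retention_seconds):
        self.required = set(required_fields)   # documented, minimal field set
        self.retention = retention_seconds
        self.salt = secrets.token_bytes(16)    # kept apart from the records in practice
        self.records = {}

    def pseudonymise(self, email):
        # salted hash so the email itself is never stored next to the profile data
        return hashlib.sha256(self.salt + email.strip().lower().encode()).hexdigest()[:16]

    def collect(self, email, purpose, submitted, now):
        # data minimisation: drop anything outside the documented required set
        minimal = {k: v for k, v in submitted.items() if k in self.required}
        rec = Record(self.pseudonymise(email), purpose, minimal, now)
        self.records[rec.pseudonym] = rec
        return rec

    def add_optional(self, pseudonym, key, value, consent_given):
        # no additional processing without the data subject's explicit consent
        if not consent_given or pseudonym not in self.records:
            return False
        self.records[pseudonym].consented_extras[key] = value
        return True

    def read(self, pseudonym, purpose, now):
        # purpose limitation and retention are enforced on every access
        rec = self.records.get(pseudonym)
        if rec is None or rec.purpose != purpose:
            return None
        if now - rec.collected_at > self.retention:
            del self.records[pseudonym]        # expired: delete rather than keep
            return None
        return {**rec.data, **rec.consented_extras}

    def erase(self, pseudonym):
        # data subject rights: erasure on request
        return self.records.pop(pseudonym, None) is not None
```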
Privacy by design training
You can find out how to implement these measures with our Privacy by Design Foundation Training Course.
This Foundation-level course provides a complete introduction to privacy by design, and helps you get to grips with how to incorporate the method into your projects.
Our award-winning specialists provide an interactive course to help you incorporate privacy by design seamlessly into your products and services.
A version of this blog was originally published on 9 March 2018.