What is Data Protection by Default?

Although closely related, Data Protection by Default involves a different set of principles and requirements to those covered by Data Protection by Design.

The essential requirement of Data Protection by Default is that you only process the data that is necessary to achieve your specific purpose. It is linked to the fundamental data protection principles of data minimisation and purpose limitation.

In order to achieve your purpose(s) you have to process some Personal Data. Data Protection by Default means that you must:

  • specify this data before commencing any processing;

  • inform individuals of the processing; and

  • only process the data needed to achieve your purpose

You are not required to adopt a 'default to off' solution. You need to think carefully about any potential risks posed to individuals by your intended processing.

You should consider the following before starting any processing:

  • adopt a 'privacy-first' approach with any default settings in systems and applications;

  • make sure that you do not provide an illusory choice to individuals, relating to data being processed;

  • do not process any additional data, unless the individual has given their consent;

  • ensure that personal data is not automatically made publicly available to third parties, unless the individual decides to make it so; and

  • always provide individuals with the means and options to exercise their rights.

In addition to the above, you should try to minimise the processing of personal data and enhance data privacy by replacing identifying fields within a record by one or more artificial identifiers, or pseudonyms.

Ensure transparency with regard to the functions and processing of personal data and enable individuals to monitor the processing. Create effective (and improve existing) security features.

How to comply with Data Protection by Default in practice

Be proactive, not reactive, by treating data protection as a vital component of the design and implementation of your systems, products, services, business processes. You can start by following these principles.

  • Make Data Protection by Default an essential component of core functionality of processing systems and services;

  • Only process personal data that is needed for specific purposes(s);

  • Automatically protect personal data in all of your IT systems, services, products, and business processes. (Individuals should not have to take specific action to protect their privacy);

  • Provide the contact information of people in your organisation responsible for data protection;

  • Ensure that individuals can easily understand how you are using their personal data and adopt a 'plain language' policy for all public documents;

  • Provide individuals with the necessary means to determine how their personal data is used and whether your organisation is enforcing its policies appropriately.

  • Provide strong privacy defaults and user-friendly controls and options.

  • Always respect your users' preferences.

See also Data Protection by Design

Source: Information Commissioner's Office. Data Protection by Design and Default.

For confidential advice on Data Protection by Default contact Peter Borner at The GDPR Guys.