What exactly is Data Protection by Design? Just another GDPR ‘buzzword’, or a vital organisational component for data privacy?
Since the General Data Protection Regulation (GDPR) became applicable in May 2018, organisations across the globe have had to work out the meaning and implications of a raft of new terms, including data protection by design and by default. Perhaps understandably, many of the GDPR’s key terms have become little more than buzzwords in some circles. It would be a mistake to treat ‘Data Protection by Design’ that way, because it requires you to consider data protection and privacy at the design stage of every service, product, system or process, and to keep doing so throughout its life cycle.

For the first time, the GDPR makes data protection by design a legal obligation for data controllers, with an explicit reference to data minimisation and the possible use of pseudonymisation. On top of this, it introduces the obligation of data protection by default, going a step further by requiring that the protection of personal data be a default property of systems and services. According to the ICO, Data Protection by Design requires you to:
- put in place appropriate technical and organisational measures designed to implement the data protection principles; and
- integrate safeguards into your processing so that you meet the GDPR’s requirements and protect individual rights.
In simple terms, this means that you must take a proactive approach to privacy and data protection, and that this approach must be integral to your organisation and its data processing activities. Here is what Article 25(1) of the GDPR specifies as the requirement for Data Protection by Design:
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
Examples of applications for Data Protection by Design
Here are five examples of Data Protection by Design in practice:
- developing new IT systems, products, services and processes that involve the need to process personal data;
- developing organisational policies, processes, business practices and strategies that have privacy implications;
- physical design;
- embarking on data sharing initiatives; or
- using personal data for new purposes.
The underlying concepts of Data Protection by Design are by no means new: the term ‘privacy by design’ has existed for many years. In effect, data protection by design writes the privacy-by-design approach into data protection law. Under the Data Protection Act 1998, the ICO encouraged this approach because it helped organisations comply with their data protection obligations; under the GDPR it is a legal requirement.
What is data protection by default?
Data protection by default, also known as ‘privacy by default’, is a fundamental principle of data protection and privacy regulation, designed to enhance individuals’ control over their personal data. Under the GDPR it is set out in Article 25(2), alongside data protection by design. The principle requires organisations to implement strong privacy measures and safeguards automatically when processing personal data, without requiring users to take extra steps to protect their privacy.
In practical terms, data protection by default means that organisations should configure their systems, processes and services so that the collection, processing, retention and accessibility of personal data are limited to what is necessary for the specific purpose. This involves several key elements:
- Minimisation of Data: Organisations should collect and process only the minimum amount of personal data necessary to achieve the intended purpose. Unnecessary data collection should be avoided.
- Purpose Limitation: Data should be collected and processed for specific, explicit and legitimate purposes. Any further processing should be compatible with these original purposes.
- Data Retention: Ensure that personal data is not retained for longer than necessary for the intended purpose. Clear retention periods and processes for data deletion should be in place.
- User Control: Users should be provided with clear and accessible privacy settings that allow them to control how their personal data is used. Default settings should prioritise the highest level of privacy.
- Security Measures: Strong security measures should be implemented by default to protect personal data from unauthorised access, breaches and other risks.
- Transparency: Organisations should provide clear and understandable information to users about how their data will be processed, including the purposes, legal basis and any third parties involved.
- Consent Mechanisms: If data processing requires user consent, default settings should not assume consent and should avoid pre-ticked checkboxes or other forms of presumed consent.
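The elements above are requirements rather than an implementation, but each maps onto a concrete control in application code. The following Python example is added here to show what those controls look like when enforced rather than documented; it is not code from the original article, the ICO or the GDPR text. It covers purpose-bound data minimisation, privacy-maximal default settings, consent that is never presumed, retention enforcement, and keyed pseudonymisation (the measure named in Article 25(1) quoted earlier). The purpose list, field allow-lists, retention periods, consent form field and key value are assumptions chosen for illustration.

```python
"""Constructed example: enforcing data protection by default in application code.

Assumed, for illustration only: a purpose-to-field allow-list, per-purpose
retention periods, and an HTML form that sends "on" for a ticked consent box.
"""
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Data minimisation and purpose limitation: each declared purpose lists the only
# fields it may hold. Anything else submitted is discarded before storage.
PURPOSE_FIELDS = {
    "account": {"email", "display_name"},
    "shipping": {"email", "postal_address"},
    "analytics": {"pseudonymous_id", "country"},
}

# Storage limitation: how long each purpose may keep its records (assumed values).
RETENTION = {
    "account": timedelta(days=730),
    "shipping": timedelta(days=90),
    "analytics": timedelta(days=30),
}

# Purposes that rest on consent; their records are not processed until opted in.
CONSENT_REQUIRED = {"analytics"}


@dataclass
class PrivacySettings:
    """User-facing settings. Every default is the most private option, so a user
    who never opens the settings page is neither exposed nor tracked."""
    profile_public: bool = False
    marketing_emails: bool = False
    analytics_tracking: bool = False


@dataclass
class Record:
    purpose: str
    data: dict
    created_at: datetime
    consented: bool = False  # consent is never presumed


def minimise(purpose: str, submitted: dict) -> dict:
    """Keep only the fields the declared purpose needs; refuse undeclared purposes."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"undeclared purpose: {purpose}")
    allowed = PURPOSE_FIELDS[purpose]
    return {k: v for k, v in submitted.items() if k in allowed}


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym via HMAC-SHA256. A plain hash of an e-mail address can be
    reversed by hashing candidate addresses; without the key, this cannot.
    The key must be stored separately from the pseudonymised data."""
    normalised = identifier.strip().lower().encode()
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def consent_from_form(form: dict) -> bool:
    """Only an affirmatively ticked box counts. A missing field (unticked box),
    None, or any other value is treated as no consent."""
    return form.get("consent") == "on"


def may_process(record: Record) -> bool:
    """Gate processing: consent-based purposes need a recorded opt-in."""
    if record.purpose in CONSENT_REQUIRED:
        return record.consented
    return True


def purge_expired(records: list[Record], now: datetime) -> list[Record]:
    """Return the records still within their retention period. A record whose
    purpose has no configured retention is treated as expired (fail closed)."""
    kept = []
    for r in records:
        limit = RETENTION.get(r.purpose, timedelta(0))
        if now - r.created_at < limit:
            kept.append(r)
    return kept


if __name__ == "__main__":
    key = b"example-pseudonymisation-key"  # in practice: from a KMS or secret store
    # Constructed form submission: the "phone" field is not needed for shipping.
    form = {"email": "Alice@Example.com", "postal_address": "1 Road", "phone": "0123"}
    print(minimise("shipping", form))          # phone is dropped
    print(pseudonymise(form["email"], key))    # stable, keyed pseudonym
    print(consent_from_form(form))             # False: checkbox absent
    print(PrivacySettings())                   # all defaults are the private option
    stale = Record("shipping", minimise("shipping", form),
                   datetime(2024, 1, 1, tzinfo=timezone.utc))
    print(purge_expired([stale], datetime(2024, 6, 1, tzinfo=timezone.utc)))  # []
```

Two design points are worth noting. Consent is derived only from the presence of an affirmative value, so an unticked (absent) checkbox, a pre-ticked default that the browser never sends, or a malformed value all resolve to no consent. And the retention purge fails closed: a record whose purpose was never assigned a retention period is deleted rather than kept indefinitely, which is the safer error for storage limitation.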
The concept of data protection by default is closely related to the principle of data protection by design, which emphasises integrating privacy considerations into the design of systems, processes, and services from the very beginning. Together, these principles aim to create a privacy-conscious environment where user data is handled responsibly, and individuals are empowered to make informed choices about their personal information.