Data protection by design and by default are key principles in the GDPR, recognising the need for privacy to be ensured through the design and maintenance of information systems. They can be seen as an approach to project management that promotes privacy and data protection compliance from the start, rather than as an afterthought, which is the case most of the time at present.
When implementing privacy by design, a data controller must take into account:
the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
A data controller must also ensure that, by default, only personal data which is necessary for each specific purpose of the processing is processed.
This also relates to the accountability principle, right?
Yes. The GDPR includes provisions that promote accountability and governance, including the new accountability principle in Article 5(2), which states that the controller is responsible for, and must be able to demonstrate, compliance with the data protection principles. Demonstrating that you comply with this principle requires implementing measures associated with data protection by design and by default, and good practice tools like data protection impact assessments.
How do you demonstrate that you comply with the accountability principle?
The ICO states you must:
- Implement appropriate technical and organisational measures that ensure and demonstrate that you comply. This may include internal data protection policies such as staff training, internal audits of processing activities, and reviews of internal HR policies.
- Maintain relevant documentation on processing activities.
- Where appropriate, appoint a data protection officer. (read SOZO’s section on ‘Do I need a Data Protection Officer?’)
- Implement measures that meet the principles of data protection by design and data protection by default. Measures could include:
  - Data minimisation;
  - Allowing individuals to monitor processing; and
  - Creating and improving security features on an ongoing basis.
- Use data protection impact assessments where appropriate. (See below)
If you want more help, the ICO provides a data protection self-assessment toolkit.
Data Protection Impact Assessment (DPIA) or Privacy Impact Assessment (PIA)
A Data Protection Impact Assessment (DPIA), also known as a Privacy Impact Assessment (PIA), is a process which helps an organisation to identify and reduce the privacy risks of a project, plan or proposal early on. The ICO states that “an effective PIA will be used throughout the development and implementation of a project, using existing project management processes. A PIA enables an organisation to systematically and thoroughly analyse how a particular project or system will affect the privacy of the individuals involved.” DPIAs are mandatory in situations where data processing is likely to result in high risk to individuals, for example:
- where a new technology is being deployed;
- where a profiling operation is likely to significantly affect individuals;
- where there is large-scale processing of the special categories of data; or
- when dealing with children's data.
Start assessing situations within your business where it might be necessary to conduct a DPIA. It’s advised to carry out a DPIA for all systems and projects dealing with personal data as they are at the heart of building a privacy by design approach. Conducting a Privacy Impact Assessment will help organisations identify the most effective way to comply with their data protection obligations. The need for a PIA can be identified as part of an organisation’s normal project management process. The ICO has provided a free PIA code of practice document containing templates to record the assessment and initial screening questions to determine if a PIA is needed.
The ICO will publish a list of processing operations for which a DPIA will be mandatory.
Some practical implications
With privacy by design and privacy by default being explicitly mentioned in the GDPR, companies should start looking at implementing internal processes and procedures to address these requirements. Some advisable actions include:
- Creating a privacy impact assessment template (explained in more detail above) for the business to use each time it designs, procures or implements a new system, project or plan that incorporates personal data.
- Reviewing any data collection forms such as enquiry forms or web pages and ensuring that excessive data is not collected.
- Implementing a tool for the automated deletion of particular personal data, and for alerting when personal data is approaching the end of its retention period and is about to be deleted.
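The following Python sketch is an added example, not code from the article, from SOZO or from the ICO. It ties together the measures this section and the Article 25 text above call for: a per-purpose field allowlist so that only necessary data is stored by default, keyed pseudonymisation of the subject identifier, and a retention sweep that raises an alert when a record is inside a window before its deletion date and deletes it once its retention period has passed. The purposes, field allowlists, retention periods, alert window, key and sample records are all assumptions constructed for illustration.

```python
# Added example: data minimisation by default, pseudonymisation and retention
# enforcement with pre-deletion alerts. Not code from the article, SOZO or the
# ICO; purposes, field allowlists, retention periods, key and sample records
# are constructed for illustration.
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass
from datetime import date, timedelta

# Data minimisation by default: each processing purpose has an explicit
# allowlist of fields, and anything a form submits beyond it is dropped
# before storage. (Assumed purposes and fields.)
PURPOSE_FIELDS = {
    "newsletter": {"email"},
    "order_fulfilment": {"name", "email", "postal_address"},
}

# Retention period per purpose and the alert window before expiry. (Assumed.)
RETENTION_DAYS = {"newsletter": 365, "order_fulfilment": 2190}
ALERT_WINDOW = timedelta(days=30)

# Key for pseudonymisation; in practice held separately from the records so
# that pseudonyms cannot be reversed by whoever holds the data. (Constructed.)
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"

# The date used by the demo sweep below. (Constructed.)
DEMO_TODAY = date(2018, 5, 25)


@dataclass
class Record:
    subject_id: str
    purpose: str
    collected_on: date
    data: dict


def minimise(purpose: str, submitted: dict) -> dict:
    """Keep only the fields the stated purpose needs; undeclared purposes are refused."""
    allowed = PURPOSE_FIELDS[purpose]  # KeyError for an undeclared purpose is intentional
    return {k: v for k, v in submitted.items() if k in allowed}


def pseudonymise(subject_id: str) -> str:
    """Keyed, deterministic pseudonym: stable for joins, not reversible without the key."""
    return hmac.new(PSEUDONYM_KEY, subject_id.encode(), hashlib.sha256).hexdigest()[:16]


def expiry_date(record: Record) -> date:
    return record.collected_on + timedelta(days=RETENTION_DAYS[record.purpose])


def enforce_retention(records: list, today: date):
    """Sweep records: delete expired ones, alert on those inside the alert window.

    Returns (kept, alerts, deleted). Alerts and deletions carry the pseudonym,
    not the raw identifier, so the audit trail itself is minimised.
    """
    kept, alerts, deleted = [], [], []
    for r in records:
        exp = expiry_date(r)
        if exp <= today:
            deleted.append((pseudonymise(r.subject_id), r.purpose))
            continue
        if exp - today <= ALERT_WINDOW:
            alerts.append((pseudonymise(r.subject_id), r.purpose, exp))
        kept.append(r)
    return kept, alerts, deleted


def sample_records() -> list:
    """Constructed sample data: one form submission stored for three purposes/dates."""
    form = {"email": "alice@example.com", "name": "Alice", "phone": "0123456789"}
    return [
        Record("subj-1", "newsletter", date(2017, 5, 1), minimise("newsletter", form)),
        Record("subj-2", "newsletter", date(2017, 6, 10), minimise("newsletter", form)),
        Record("subj-3", "order_fulfilment", date(2018, 1, 1),
               minimise("order_fulfilment", form)),
    ]


if __name__ == "__main__":
    kept, alerts, deleted = enforce_retention(sample_records(), DEMO_TODAY)
    for pseud, purpose, exp in alerts:
        print(f"ALERT {pseud} ({purpose}) will be deleted on {exp}")
    for pseud, purpose in deleted:
        print(f"DELETED {pseud} ({purpose})")
    print(f"{len(kept)} record(s) retained")
```

Run as a script, the sweep on the constructed date deletes the newsletter record collected a year earlier, alerts on the one due for deletion within the next month, and leaves the order record untouched. The allowlist is applied at the point of collection rather than at deletion time, which is the difference between minimisation by default and minimisation as a later clean-up.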
Privacy by design (PbD) and data protection by default will become compulsory on 25 May 2018 with the GDPR. Currently there aren’t any guidelines on how to implement a privacy by design approach; however, we can look at the backbone of the principle below to get a better understanding of it and of the direction it is heading.
The background of Privacy by Design (PbD)
We can look at the principles originally created by the Ontario data protection authority, the originator of the privacy by design approach, to help get a better understanding of what the GDPR may entail for data protection by design.
This PbD framework has seven foundational principles:
- Privacy must be proactive, not reactive, and must anticipate privacy issues before they reach the user. Privacy must also be preventative, not remedial.
- Privacy must be the default setting. The user should not have to take actions to secure their privacy, and consent for data sharing should not be assumed.
- Privacy must be embedded into design. It must be a core function of the product or service, not an add-on.
- Privacy must be positive-sum and should avoid false dichotomies. For example, PbD sees an achievable balance between privacy and security, not a zero-sum game of privacy or security.
- Privacy must offer end-to-end lifecycle protection of user data. This means engaging in proper data minimization, retention and deletion processes.
- Privacy standards must be visible, transparent, open, documented and independently verifiable. Your processes, in other words, must stand up to external scrutiny.
- Privacy must be user-centric. This means giving users granular privacy options, maximized privacy defaults, detailed privacy information notices, user-friendly options and clear notification of changes.
These were first published in 2009 and were the first widely presented notion of implementing privacy directly into the design of information technologies and systems. The GDPR makes explicit reference to data minimisation (principle 5) and the possible use of pseudonymisation, and to privacy by default, which is seen in principle 2. So using these principles will help guide a company into becoming compliant with, and implementing, a data protection by design and by default approach.
Disclaimer: The information in this article is for your general guidance only and is not and shall not constitute legal advice. If you need advice on your rights or responsibilities or any legal advice around data protection matters, please obtain specific legal advice and contact an adviser or solicitor, or consult the Information Commissioner’s Office (ICO – https://ico.org.uk/)