When the General Data Protection Regulation came into effect in May 2018, it introduced a requirement for organisations to put in place appropriate technical and organisational measures to implement the data protection principles into business processes and practices. This is known as ‘data protection by design and by default’.
Data protection by design is not a new concept. Many organisations will already be familiar with making data protection a deliberate part of the design process. However, what has changed is that where data protection by design was simply good practice under the old Data Protection Act 1998, it is now a legal requirement under the GDPR to do that and more.
Moving from Data Protection by Design to Data Protection by Design and Default
Data protection by default requires organisations to ensure that their systems only process the data necessary to achieve their specific purpose. The “default” part means designing in the maximum level of data protection not the minimum. Examples of data protection by default include ensuring that personal data is not automatically made available to others through the back end of a system or by excessive access permissions and providing data subjects with sufficient controls and options to exercise their rights easily and quickly.
The good news is that if you have already adopted a data protection by design approach to business processes and practices, you will be well placed to adapt to the new regime introduced by the GDPR.
What is Required?
The requirement under the GDPR is to have ‘appropriate technical and organisational measures designed to implement the data protection principles and safeguard individual rights’.
It goes on to say you should consider:
- the state of the art and costs of implementation of any measures;
- the nature, scope, context and purposes of your use of personal information; and
- the risks that your use of personal information poses to the rights and freedoms of individuals.
In the second stage of the concept, you must put in place actual technical (i.e. hardware and software) and organisational (i.e. policies and training) measures to implement the data protection principles and integrate safeguards into the system or business process.
The Information Commissioner’s Office (ICO) is the UK’s privacy watchdog. The ICO has produced extensive guidance for organisations on how to do data protection by design and default.
In its guidance, the ICO lists the following fundamental principles as a suggested way of approaching data protection by design and default:
- Proactive not reactive; preventative not remedial – this includes building a culture of strong data protection compliance within an organisation;
- Privacy as the default setting – ensuring individuals do not have to be proactive in order to ensure their information is protected;
- Privacy embedded into design – ensure data protection is embedded and integral to business processes and systems;
- End-to-end security – full lifecycle protection – ensure data protection throughout a process, from the collection of information at the beginning to setting appropriate retention periods and arranging secure disposal at the end of the lifecycle;
- Visibility and transparency – ensure that individuals know what information the organisation is processing about them and for what purpose(s); and
- Respect for user privacy – Keep the rights of individuals paramount in the design and implementation of any system or process.
Data Protection Impact Assessments (DPIAs)
DPIAs are a tool to use to ensure the above principles are considered. There is a legal obligation to conduct a DPIA prior to implementing a new system or business process where the GDPR rules require it.
The concept of data protection by design and default is broader and must be applied whether or not a formal DPIA is mandatory. Therefore, we recommend that DPIAs are always part of your project plan to ensure a consistent approach.
An effective DPIA:
- describes the nature, scope, context and purposes of the processing;
- assesses necessity, proportionality and compliance measures;
- identifies and assesses risks to individuals; and
- specifies additional measures to mitigate those risks.
As part of the DPIA, you will be required to consult with your Data Protection Officer (if you have one) and potentially with individuals to identify any concerns they may have about your future use of their personal information especially if you already hold the data.
Our Three Tips
- Just because you can doesn’t mean you should. Large scale data processing, matching and sharing is easy to achieve and may seem to add value because data and analytics are saleable. Avoid this trap if it isn’t the main purpose of the project and, if it is, then set up the system transparently to say that. Setting up a system to harvest personal data secretly that might be monetised later should not get past the first assessment.
- See it from the user’s perspective. Have someone in the process advocate the user’s position and ask “why do you want that information?” and “what are you doing with it?” and most importantly “how can I change what you do with my information?”. If the answers aren’t clear and easy to find and use then the project isn’t finished.
- Buyers want compliance. Especially in the public sector, procurement specifications increasingly require data protection built into systems. We advise clients with systems lacking internal access controls or deletion options to get a better system. Inadequate built-in protection in a cheap system will produce a replacement order, just not for the original seller.
As with many other elements of the GDPR, the key to compliance with data protection by design and default is to document your analysis and actions to satisfy the data protection principles.
If you treat data protection by design and default as a way to do a better job rather than an impediment to project launch then you and your users will be safer for it.
About the Authors
Accredited Data Protection Practitioner and solicitor, Bethany Paliga, regularly assists and advises a variety of organisations with data protection compliance. Bethany can be contacted by e-mail firstname.lastname@example.org or telephone 0333 207 4238. Dan Milnes is a Partner in the Governance, Procurement & Information team at Forbes solicitors.
Join our free-to-attend digital event, Last Thursday in Privacy, addressing data protection, privacy and security challenges including working from home, COVID-19, global regulations and more. Visit https://digital.privsec.info/.
We have been awarded the number 1 GDPR Blog in 2019 by Feedspot.