Why Has the GDPR Introduced ‘Privacy by Design’ and ‘Privacy by Default’?

‘Privacy by Design’ and ‘Privacy by Default’ are not new concepts.  The right to privacy is a fundamental aspect of the European Convention on Human Rights and is already at the heart of all ethical organisations.  However, the GDPR is the first European data protection legislation to explicitly recognise these rules.

What is ‘privacy by design’?

“Organisations must design policies, procedures and information systems that make the protection of data subjects’ privacy central to their company ethos.”

Under the GDPR, organisations are legally required to embed data subjects’ privacy rights into every aspect of their business operations.  Through a ‘privacy policy’ data subjects must be made fully aware of their privacy rights and how to complain if they believe their data is being misused. Organisations must design policies, procedures and information systems that make the protection of data subjects’ privacy central to their company ethos.

Organisations must consider privacy at the initial stages and throughout the development of a new product, process or service that involves processing personal data.   The embedding of data privacy features into the design of projects can have the following benefits:

  • potential problems are identified at an early stage, making them less costly and easier to resolve
  • increased awareness of privacy and data protection across the organisation means the organisation is less likely to breach the GDPR
  • the organisation’s actions are less likely to be intrusive or to have a negative impact on data subjects

What is ‘privacy by default’?

“Under the GDPR organisations can only process personal data that is necessary for their intended purpose and must not store it longer than is necessary for this purpose.”

‘Privacy by default’ means that organisations must implement technical and organisational measures that, by default, ensure only personal data that is necessary for a specific purpose is processed.  Minimising the amount of data collected reduces the risk of privacy breaches.  Under the GDPR organisations can only process personal data that is necessary for their intended purpose and must not store it longer than is necessary for this purpose.

In addition, when an IT system includes choices for the data subject on how much personal data they share and with whom, the default settings should be privacy friendly.

What technical and organisational measures should be taken to protect privacy?

“…organisations need to consider the nature, scope, purposes and context of their data processing.”

When deciding what technical and organisational measures make the best investment, organisations need to consider the nature, scope, purposes and context of their data processing.  They need to weigh up the risks to individuals’ rights and freedoms should a data breach occur and consider how personal data can be pseudonymised.  As well as this, thought must be given to the ways in which systems meet other GDPR requirements.  For instance, can:

  • personal data be collated with ease in order to comply with subject access requests?
  • data be suppressed when customers have opted out of direct marketing communications?
  • the data controller satisfy the GDPR data portability requirements?

What steps can your organisation take to meet the GDPR’s ‘privacy by design’ and ‘privacy by default’ rules?

  1. Put in place an automated deletion process for particular personal data with a system that flags up when data should be deleted.
  2. Make sure excessive data isn’t collected by revising data collection forms.
  3. Revise contracts between yourself and the data processors you work with so that everybody understands how liability will be apportioned should a privacy breach occur.
  4. Design a Privacy Impact Assessment (PIA) template that can be used every time the organisation implements a new system.
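The first two steps above (automated, flagged deletion and collecting only the data a purpose needs) and the earlier points about privacy-friendly defaults and marketing suppression lend themselves to a small worked example. The Python below is an added illustration, not code from the article or from NDC; the purpose registry, field lists, retention periods and sample records are all constructed for the example.

```python
"""Added example (not from the original article): data minimisation,
privacy-friendly defaults, marketing suppression and retention flagging.
All purposes, field lists, retention periods and records are constructed."""
from dataclasses import dataclass
from datetime import date, timedelta

# Constructed purpose registry: the fields necessary for each purpose and
# how long the data may be kept from the date it was collected.
PURPOSES = {
    "order_fulfilment": {"fields": {"customer_id", "name", "address", "email"},
                         "retention_days": 365},
    "newsletter": {"fields": {"customer_id", "email"},
                   "retention_days": 730},
}


@dataclass
class Record:
    customer_id: str
    purpose: str
    collected: date
    data: dict
    marketing_opt_out: bool = False


def minimise(submitted: dict, purpose: str) -> dict:
    """Keep only the fields the declared purpose needs (privacy by default).
    Anything a form collects beyond that list is dropped before storage."""
    allowed = PURPOSES[purpose]["fields"]
    return {k: v for k, v in submitted.items() if k in allowed}


def default_preferences() -> dict:
    """Privacy-friendly defaults for a data subject's sharing choices:
    nothing shared and no marketing unless the person opts in."""
    return {"marketing_opt_in": False,
            "share_with_partners": False,
            "profile_visibility": "private"}


def flag_for_deletion(records: list, today: date) -> list:
    """Return (customer_id, purpose) pairs whose retention period has
    expired; this is the 'flag' a deletion job or reviewer acts on."""
    expired = []
    for r in records:
        limit = r.collected + timedelta(days=PURPOSES[r.purpose]["retention_days"])
        if today > limit:
            expired.append((r.customer_id, r.purpose))
    return expired


def purge_expired(records: list, today: date) -> list:
    """Automated deletion step: drop every record flagged as expired."""
    flagged = set(flag_for_deletion(records, today))
    return [r for r in records if (r.customer_id, r.purpose) not in flagged]


def suppression_list(records: list) -> list:
    """E-mail addresses to exclude from direct marketing because the
    customer opted out, so a mailing run can be checked against it."""
    return sorted({r.data["email"] for r in records
                   if r.marketing_opt_out and "email" in r.data})


# Constructed sample data for a stand-alone run.
SAMPLE_RECORDS = [
    Record("c1", "order_fulfilment", date(2022, 6, 1),
           {"customer_id": "c1", "name": "A. Example",
            "address": "1 Example St", "email": "a@example.invalid"}),
    Record("c2", "newsletter", date(2023, 9, 1),
           {"customer_id": "c2", "email": "b@example.invalid"},
           marketing_opt_out=True),
]

if __name__ == "__main__":
    today = date(2024, 1, 1)
    print("expired:", flag_for_deletion(SAMPLE_RECORDS, today))
    print("kept:", [r.customer_id for r in purge_expired(SAMPLE_RECORDS, today)])
    print("suppress:", suppression_list(SAMPLE_RECORDS))
```

The retention limit is computed from the purpose, not the record, so changing a retention period in one place re-flags every affected record on the next run; in a real system the purge would also be logged as evidence for the accountability principle.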

What is a Privacy Impact Assessment (PIA)?

“PIAs help organisations to identify, assess and minimise privacy risks when processing data.”

PIAs are an integral part of taking a ‘privacy by design’ approach.  They help organisations to identify, assess and minimise privacy risks when processing data.  Carrying out a PIA helps an organisation to comply with the ‘accountability’ principle of the GDPR.

When should a PIA be conducted?

“PIAs must be conducted where data processing ‘is likely to result in a high risk to the rights and freedoms of natural persons’.”

The GDPR states that PIAs must be conducted where data processing ‘is likely to result in a high risk to the rights and freedoms of natural persons’.  The GDPR identifies specific high-risk activities in Article 35:

  • ‘A systematic and extensive evaluation of personal aspects relating to natural persons, which is based on automated processing, including profiling, and on which decisions are based that produce legal effects concerning the natural person or similarly significantly affect the natural person.’
  • ‘Processing on a large scale of special categories of data or of personal data relating to criminal convictions and offences.’
  • ‘Systematic monitoring of a publicly accessible area on a large scale’.

The best time to conduct a PIA is at the very start of a project, so that its findings can be incorporated into the design of the processing operation.

Does your organisation need advice to meet GDPR requirements?

“…specialists can customise PIAs to suit your organisation’s needs.”

IT specialists and consultants can support you in meeting the GDPR’s ‘privacy by design’ and ‘privacy by default’ requirements as well as in conducting PIAs.  For example, by using software assisted processes specialists can customise PIAs to suit your organisation’s needs.  Benefits might include:

  • highly efficient PIA processes supported by specialist software
  • customised, automated reports which give a clear overview of processes, risks and progress
  • real-time records of the actions taken to minimise risks
  • evidence of the accountability required by the GDPR
  • baseline criteria to benchmark operations from an employee or client perspective

What’s not to like?

By making ‘Privacy by Design’ and ‘Privacy by Default’ mandatory, the GDPR gives greater privacy protection to data subjects.  By meeting legal obligations, organisations build trust in their clients – and that’s fundamental to business success!

Is your organisation GDPR ready? Visit www.ndcmanagement.co.uk/GDPR-support to find out how NDC Global Auditors can help you prepare.
