Previously known as ‘privacy by design’, “data protection by design and default” has always been part of UK data protection law. The key change is that the General Data Protection Regulation (GDPR) now makes it a legal requirement.
The GDPR requires you to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This means you must integrate data protection into your processing activities and business practices right from the design stage and right through the lifecycle.
What exactly is data protection by design and by default?
Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the GDPR’s fundamental principles and requirements and forms part of the focus on accountability.
Data protection by default requires you to ensure that you only process the data that is necessary to achieve your specific purpose. It links to the fundamental data protection principles of data minimisation and purpose limitation.
When implementing the requirement, you must consider:
- adopting a ‘privacy-first’ approach with any default settings of systems and applications;
- ensuring you do not provide an illusory choice to individuals relating to the data you will process;
- not processing additional data unless the individual decides you can;
- ensuring that personal data is not automatically made publicly available to others unless the individual decides to make it so; and
- providing individuals with sufficient controls and options to exercise their rights.
Who is responsible for complying?
Article 25 of the GDPR specifies that, as the controller, you are responsible for complying with data protection by design and by default. Depending on your circumstances, different areas within your organisation may have different requirements.
How do you ensure, verify and maintain it?
A checklist is a good way to help ensure you consider the important elements and legal requirements. You can find the ICO checklist here. Keep in mind that, to make use of the checklist, it also helps to know some of the terminology and the basic structure of the law.
Verification and maintenance are equally important. Both require additional processes, such as conducting DPIAs and establishing KPIs. To learn more about what is needed to ensure, verify and maintain data protection by design and default, download our webinar: How to Implement Data Protection by Design & Default.