The GDPR requires you to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is ‘data protection by design and by default’.
In essence, this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle.
This concept is not new. Previously known as ‘privacy by design’, it has always been part of data protection law. The key change with the GDPR is that it is now a legal requirement.
Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the GDPR’s fundamental principles and requirements, and forms part of the focus on accountability.
How to approach privacy by design
In practical terms, privacy by design should be considered as early as possible in the product/service lifestyle, often this will be at the same time that a data protection impact assessment (DPIA) is conducted by the organisation, enabling it to identify and assess the data privacy risks and challenges associated with the product, service or project, and how these can be best managed.
The types of items that will be considered in a DPIA are: types and quantities of data collected, data flows and disclosures, data minimisation technologies and security. Following the DPIA, technical and other measures should be implemented so as to minimise any data privacy issues identified.
The benefit of building privacy by design at an early stage into your products, services and projects, is that this will assist in alleviating data protection concerns that might otherwise arise at a later stage.
How to approach privacy by default
The GDPR requires that user settings should have the most privacy friendly setting as the default setting. Under the GDPR, organisations are required to implement appropriate measures both on an organisational and technical level so that, by default, only personal data which are necessary for each specific purpose of the processing are processed. For this reason, there is a greater emphasis on employing data minimisation techniques such as pseudonymisation so that only the minimum amount of data required is collected and processed. As such, organisations should assess the amount and extent of personal data collected and processed, and also how long it is stored and who can access it.
Similarly to privacy by design, privacy by default should be integrated into your projects, services and products from the very outset. In this regard, it is important to carry out a DPIA in order to measure their compliance with privacy by default.
Obligations on public authorities
The GDPR is an EU Regulation and generally Regulations do not require further national implementing legislation, as they are intended to harmonise the law across the EU. The GDPR is different in this regard. The GDPR gives Member States a margin of discretion in certain areas that it covers and therefore will not fully harmonise EU data protection laws. For this reason, a new Data Protection Bill 2017 is currently being drafted in Ireland to provide for certain derogations from the GDPR and to also ensure that Ireland has fully implemented the provisions of the GDPR. So far, a General Scheme has been published which sets out various provisions that may be included in the new Data Protection Bill 2017.
The General Scheme specifically mentions that public authorities and other entities charged with preventing investigating, detecting or prosecuting criminal offences (e.g. An Garda Síochána) or imposing criminal penalties, including safeguarding against and preventing threats to public security will be required to abide by the principles of privacy by design and by default.
Factors to take into account in the implementation of privacy by design and by default
The GDPR has set out a number of factors for organisations to take into account when implementing privacy by design and by default:
- the state of the art and technological development.
- the cost of implementing privacy by design and by default.
- the nature of the data concerned.
- the scope, context and purposes of processing such data.
- the risks to an individual’s privacy and the likelihood (and severity) of such arising from the processing of their personal data.
The factors to be taken into account in each case will vary and the assessment of such will depend on, among other things, the nature of the product, project or service for example.
The GDPR also notes that compliance with the concepts of privacy by design and by default can be demonstrated by following an approved certification mechanism. To date, we are not aware of any approved certifications to demonstrate GDPR compliance, but this may change. In the meantime, it is important to document the steps taken to embed privacy by design and by default into your products, processes, projects and services for example.