When the EU General Data Protection Regulation (GDPR) comes into play in just a few months’ time, one of many new compliance obligations will be ‘Privacy by Design and Default’.
To satisfy this new requirement, controllers must be able to demonstrate that data protection and privacy principles have been considered at the design phase of any project involving personal data.
This post provides a high-level summary of Privacy by Design to help you with your GDPR preparations.
What key obligations does Privacy by Design introduce?
The legislation directly related to Privacy by Design is detailed in Article 25 and Recital 78 of the GDPR, and there are three key concepts to focus compliance efforts around:
- Accountability
- Data Protection Impact Assessments (DPIA)
- Appropriate technical and organisational measures
1. Accountability
Accountability has been a key principle of data protection best practice for some time, although the GDPR introduces it into EU-wide law for the first time. The new accountability obligation means that the data controller now has an obligation to actively demonstrate compliance at all times. Depending on the maturity of existing data privacy programmes, this will present a bigger challenge to some organisations than it will to others.
At the very minimum, this new requirement will force organisations to formalise data protection and privacy programs with codified policies, measures and controls to ensure compliance can be actively demonstrated.
The implementation of appropriate data privacy and protection measures is also a key element of accountability compliance, and organisations should start preparing for the new accountability obligations by reviewing existing documentation practices.
An audit trail allowing the organisation to demonstrate its governance processes and its accountability for the consideration of data privacy at each step in the solution delivery lifecycle will also be important. Evidencing that the necessary approvals and governance have been applied where appropriate is also a mandatory compliance requirement.
2. Data Protection Impact Assessments (DPIA)
Data Protection Impact Assessments (DPIA) are cited in the GDPR as integral to achieving Privacy by Design compliance, and a formal DPIA is mandatory where processing is either large scale or likely to result in a high risk to the rights and freedoms of individuals.
DPIAs will help in assessing the likely impact of a project on data privacy, enabling an organisation to detect issues at an early stage and saving projects from both costly fixes and potential reputational damage.
Based on information provided in Article 35 of the GDPR, an acceptable DPIA is expected to include:
- A systematic description of the envisaged processing operations and their purpose;
- An assessment of the necessity and proportionality of the processing;
- An assessment of the risks to the rights and freedoms of data subjects;
- The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.
While a DPIA is only mandatory in certain high-risk circumstances, it is worthwhile considering some form of Privacy Impact Assessment at the planning stage of all new projects.
3. Appropriate Technical and Organisational Measures
Finally, the Privacy by Default element of Privacy by Design focuses on the principle that the controller is required to take ‘appropriate technical and organisational measures’ to ensure that, by default, only the personal data necessary for each specific purpose is processed.
Although this is again a new principle, there are some familiar data privacy terms here to draw upon. The definition of processing remains unchanged from previous data privacy legislation. It covers not only the amount of personal data collected at the outset, but also the extent of processing, how long it is kept for and its accessibility throughout the data’s entire lifecycle.
Thankfully, the definition of personal data has not changed dramatically from existing data privacy law, so it should already be covered by existing policies. The only potential extension to address is the new inclusion of location data and online identifiers, which may bring cookies and IP addresses into scope.
In order to fulfil the GDPR’s Privacy by Design requirement, you will need to make the shift from a reactive stance to a proactive state, embedding and evidencing preventative measures across your systems landscape for the entire lifecycle of personal data. This will mean fully committing to data privacy and protection and making it an integral aspect of project design and company-wide culture.
But you should not be daunted by the GDPR’s Privacy by Design requirement. Although the incoming legislation may be driving these changes, they will ultimately lead to more efficient, secure, resilient and transparent systems. This will boost not only your operational robustness but also your reputation amongst increasingly privacy-focused customers and employees.
It is likely that you will already be addressing at least some of these elements as part of your existing risk management and compliance activities. The important thing about the GDPR is that your organisation now needs not only to say it takes data privacy and data protection seriously, but to prove it.