19 January 2018

Understanding Privacy by Design to comply with the GDPR

When the EU General Data Protection Regulation (GDPR) comes into play in just a few months’ time, one of many new compliance obligations will be ‘Privacy by Design and Default’.

To satisfy this new requirement, controllers must be able to demonstrate that data protection and privacy principles have been considered at the design phase of any project involving personal data.  

This post provides a high-level summary of Privacy by Design to help you with your GDPR preparations.


What key obligations does Privacy by Design introduce?

The legislation directly related to Privacy by Design is detailed in Article 25 and Recital 78 of the GDPR and there are three key concepts to focus compliance efforts around.

  • Accountability
  • Data Protection Impact Assessments (DPIA)
  • Appropriate technical and organisational measures


1. Accountability

Privacy by Design accountability has been a key principle of data protection best practice for some time, although it has been introduced into EU-wide law for the first time as part of the GDPR. The new accountability obligation means that the data controller now has an obligation to actively demonstrate compliance at all times. Depending on the maturity of existing data privacy programmes, this will present a bigger challenge to some organisations than it will to others.

At the very minimum, this new requirement will force organisations to formalise data protection and privacy programs with codified policies, measures and controls to ensure compliance can be actively demonstrated.

The implementation of appropriate data privacy and protection measures is also a key element of accountability compliance and organisations should start preparing for the new accountability obligations by reviewing existing documentation practices.

An audit trail allowing the organisation to demonstrate its governance processes and accountability for the consideration of data privacy at various steps in the solution delivery lifecycle will also be important. Evidencing that the necessary approvals and governance have been applied where appropriate is also a mandatory compliance requirement.


2. Data Protection Impact Assessments (DPIA)

Data Protection Impact Assessments (DPIA) are cited in the GDPR as integral to achieving Privacy by Design compliance and a formal DPIA is mandatory where processing is either large scale or likely to result in a high risk to the freedoms and rights of individuals.

DPIAs can help in assessing the likely impact of a project on data privacy, enabling an organisation to detect issues at an early stage and saving projects from both costly fixes and potential reputational damage.

Based on information provided in Article 35 of the GDPR, an acceptable DPIA is expected to include:

  • A systematic description of the envisaged processing operations and their purpose;
  • An assessment of the necessity and proportionality of the processing;
  • An assessment of the risks to the rights and freedoms of data subjects;
  • The measures envisaged to address the risks, including safeguards, security measures and mechanisms to ensure the protection of personal data.

While a DPIA is only mandatory in certain high-risk circumstances, it is worthwhile considering some form of Privacy Impact Assessment at the planning stage of all new projects.


3. Appropriate Technical and Organisational Measures

Finally, the Privacy by Default element of Privacy by Design focuses on the principle that the controller is required to take ‘appropriate technical and organisational measures’ to ensure that they process the minimum number of individuals’ personal data as necessary.

Although this is, once again, a new principle, there are some familiar data privacy terms to draw upon here. The definition of processing remains unchanged from previous data privacy legislation. It covers not only the amount of personal data collected at the outset, but also the extent of processing, how long it is kept for and its accessibility throughout the data’s entire lifecycle.

Thankfully, the definition of personal data has not changed dramatically from existing data privacy law, so it should already be covered by existing policies. The only potential extension to address is the new inclusion of location data and online identifiers, which may bring cookies and IP addresses into scope.


In Summary

In order to fulfil the GDPR’s Privacy by Design requirement, you will need to make the shift from a reactive stance to a proactive state, embedding and evidencing preventative measures across your systems landscape for the entire lifecycle of personal data. This will mean fully committing to data privacy and protection and making it an integral aspect of project design and company-wide culture.

But you should not be daunted by the GDPR’s Privacy by Design requirement. Although the incoming legislation may be driving these changes, they will ultimately lead to more efficient, secure, resilient and transparent systems. This will boost not only your operational robustness but also your reputation amongst increasingly privacy-focused customers and employees.

It is likely that you will already be addressing at least some elements as part of your existing risk management and compliance activities. The important thing about GDPR is that you now need to ensure that your organisation not only says it takes data privacy and data protection seriously, but can also prove it.