Data protection by design and default is nothing new. Essentially, it’s the GDPR’s version of ‘privacy by design’.
But while privacy by design was good practice under the Data Protection Act 1998, data protection by design and by default are legal requirements under the GDPR.
In this blog, we explain how data protection by design and by default works, and outline the steps you should take to achieve it.
What is data protection by design?
Data protection by design is ultimately an approach that ensures you ‘bake’ privacy and data protection into your processing activities and business practices.
To implement data protection by design, the GDPR says that you must:
1) Put in place appropriate technical and organisational measures designed to implement the data protection principles; and
2) Integrate safeguards into your processing so that you meet the GDPR’s requirements and protect individual rights.
Examples of data protection by design
An organisation that adopts data protection by design will:
- Conduct a DPIA (data protection impact assessment) when considering a new system, service, product or process that involves personal information;
- Implement technologies, processes and policies to mitigate the risks that are discovered in the DPIA;
- Write privacy notices and data protection policies in simple, easy-to-understand language; and
- Provide data subjects with the name and contact information of its DPO (data protection officer) or, if it hasn’t appointed one, the person responsible for data protection.
This is by no means an exhaustive list. Data protection by design is less a set of requirements than a general approach to GDPR compliance.
It urges organisations to look for ways to anticipate data protection and privacy issues, and prevent them.
What is data protection by default?
Data protection by default requires you to ensure that you only conduct data processing activities if they are necessary to achieve a specific goal.
It links to the GDPR’s principles of data minimisation and purpose limitation.
To comply with data protection by default, you must consider:
- Assuming a ‘privacy-first’ stance with any default settings of systems and applications;
- Ensuring you don’t provide the illusion of choice to individuals relating to the data you will process;
- Refraining from processing additional data unless the individual provides their consent;
- Ensuring that personal data is not automatically made publicly available to others unless the individual decides to make it so; and
- Providing individuals with enough controls and options to exercise their rights.
Examples of data protection by default
What data protection by default looks like will vary based on the type of data processing the organisation is conducting.
Here’s an example: an organisation introduces a voice recognition system to verify users.
The technology is beneficial to both customers and the organisation, as it reduces waiting times and doesn’t require the customer to have a password or other authentication details to hand.
But to use the system, the organisation must collect a recording of customers’ voices, which is considered biometric (and therefore sensitive) personal data under the GDPR.
Because the organisation has an alternative, less invasive way of completing the verification process, it cannot make voice recognition the default option.
Instead, it must inform customers that it is an option and explain how they can consent to the practice.
Similar issues can be seen in any other data processing activity that isn’t essential to the service being provided.
For example, social media sites can do lots of different things with your personal data, but many of them are non-essential to their primary service.
The sites must therefore turn those options off automatically, and give users the choice to activate them.
Other ways you can achieve data protection by default include:
- Avoiding misleading choices; you can’t ask users to provide their consent if you are going to process their data anyway using another lawful basis;
- Ensuring that personal data isn’t automatically made publicly available to others unless the data subject consents; and
- Giving individuals a simple, easy-to-access method for adjusting their privacy settings and exercising their data subject rights.
Easily adopt data protection by design and default
The complexity of the GDPR has led to many organisations seeking templates that they can use to fulfil their obligations.
Although this can be an effective solution when it comes to documenting GDPR compliance, it’s not advisable when it comes to data protection by design and by default.
After all, the premise of this method is that organisations address specific issues concerning the way they operate.
That’s not to say you have to tackle the process alone. Our GDPR compliance solutions provide in-depth guidance to help you address whatever challenges you’re facing.
Whether you have limited resources and are unsure how to approach GDPR compliance or are looking for a boost to meet some of the more complex requirements, we have the tools to help.
Our By Design and By Default solution includes a customisable range of training courses and software to help you achieve demonstrable compliance.
It’s designed for organisations that have begun their GDPR compliance project but need more advanced knowledge to complete it.
A version of this blog was originally published on 13 Jun 2019.