If your organisation is subject to the GDPR (General Data Protection Regulation), you’re probably aware of your requirement to “implement appropriate technical and organisational measures” to protect the personal data you hold.
An essential principle of this is data protection by design and by default. In practice, this means that you must consider privacy and information security risks at the outset of all projects that involve personal data.
Data protection by design and by default has been recommended good practice since long before the GDPR took effect, having previously been referred to as privacy by design. However, now that it’s a legal requirement, the rules surrounding it are both clearer and stricter.
In this blog, we explain how data protection by design and by default works, and provide examples of the steps you should take to achieve it.
What is data protection by design?
To explain how the approach works, we must first break it into its two component parts. The first is data protection by design, which ensures that organisations address information security and privacy in the planning stage of any system, service, product or process that uses personal data.
With cyber attacks on the rise, a growing public interest in data privacy and the strengthened penalties introduced by the GDPR, it makes sense to prioritise information security. If you don’t, you’ll be left trying to tack security controls onto existing set-ups. This could lead to improperly implemented controls that expose vulnerabilities, and expensive restructuring projects.
Examples of data protection by design
An organisation that adopts data protection by design will:
- Conduct a DPIA (data protection impact assessment) when considering a new system, service, product or process that involves personal information;
- Implement technologies, processes and policies to mitigate the risks that are discovered in the DPIA;
- Write privacy notices and data protection policies in simple, easy-to-understand language; and
- Provide data subjects with the name and contact information of its DPO (data protection officer) or, if it hasn’t appointed one, the person responsible for data protection.
This is by no means an exhaustive list. Data protection by design is less a set of requirements than a general approach to GDPR compliance. It urges organisations to look for ways to anticipate data protection and privacy issues, and prevent them.
What is data protection by default?
Data protection by default ensures that organisations conduct data processing activities only if they are necessary to achieve a specific goal. As such, it links to the GDPR’s principles of data minimisation and purpose limitation.
One way to achieve this is to give data subjects the strongest possible privacy settings by default – hence the name. This helps prevent data being collected excessively, and gives the data subject the option to consent to more extensive data practices if they want to use other services.
Examples of data protection by default
What data protection by default looks like will vary based on the type of data processing the organisation is conducting.
Here’s an example: an organisation introduces a voice recognition system to verify users. The technology is beneficial to both customers and the organisation, as it reduces waiting times and doesn’t require the customer to have a password or other authentication details to hand.
But to use the system, the organisation must collect a recording of customers’ voices, which is considered biometric (and therefore sensitive) personal data under the GDPR.
Because the organisation has an alternative, less invasive way of completing the verification process, it cannot make voice recognition the default option. Instead, it must inform customers that it is an option and explain how they can consent to the practice.
Similar issues can be seen in any other data processing activity that isn’t essential to the service being provided.
For example, social media sites can do lots of different things with your personal data, but many of them are non-essential to their primary service. The sites must therefore turn those options off by default, and give users the choice to activate them.
Other ways you can achieve data protection by default include:
- Avoiding misleading choices; you can’t ask users to provide their consent if you are going to process their data anyway using another lawful basis;
- Ensuring that personal data isn’t automatically made publicly available to others unless the data subject consents; and
- Giving individuals a simple, easy-to-access method for adjusting their privacy settings and exercising their data subject rights.
Are there templates for adopting data protection by design and by default?
The complexity of the GDPR has led to many organisations seeking templates that they can use to fulfil their obligations. Although this can be an effective solution when it comes to documenting GDPR compliance, it’s not advisable when it comes to data protection by design and by default.
After all, the premise of this method is that organisations address specific issues concerning the way they operate.
That’s not to say you have to tackle the process alone. Our GDPR compliance solutions provide in-depth guidance to help you address whatever challenges you’re facing.
Whether you have limited resources and are unsure how to approach GDPR compliance or are looking for a boost to meet some of the more complex requirements, we have the tools to help.
Our By Design and By Default solution includes a customisable range of training courses and software to help you achieve demonstrable compliance.
It’s designed for organisations that have begun their GDPR compliance project but need more advanced knowledge to complete it.