Privacy by design is a voluntary approach to projects that promotes privacy and data protection compliance, and helps you comply with the Data Protection Act 1998 (DPA).
The Information Commissioner’s Office (ICO) encourages organisations to seriously consider privacy and data protection throughout a project lifecycle, including when:
- Building new IT systems to store or access personal data;
- Needing to comply to regulatory or contractual requirements;
- Developing internal policies or strategies with privacy implications;
- Collaborating with an external party that involves data sharing; or
- Existing data is used for new purposes.
Privacy by design and the GDPR
The GDPR (General Data Protection Regulation) superseded the DPA on 25 May 2018. Article 25 of the GDPR, “[d]ata protection by design and default”, requires you to “implement appropriate technical and organisational measures” throughout your data processing project. As such, data must be considered at the design stage of any project, during which you must process and store as little data as possible, for as short a time as possible.
Under the GDPR, you are required to document your data processing activities. One way to do this is to map your organisation’s data flows. This method also enables you to assess the risks in your data processing activities and identify where controls are required, for example, assessing privacy and data security risks.
Organisations need to be aware of the personal data that they are processing, and that this data is being processed in compliance with the law. Organisations can often process significantly more data than they realise, so it is vital that they perform mapping exercises to keep track of them all.
Data flow mapping may seem daunting, but you can simplify the process with the Data Flow Mapping Tool.
The tool gives you a thorough understanding of what personal data your organisation processes and why, where it is held and how it is transferred.
Our free green paper ‘Conducting a data flow mapping exercise under the GDPR’ will help you understand how to effectively map your data in compliance with the GDPR.