If you have any familiarity with the GDPR and data protection, you’ve probably heard the term Privacy by Design or Privacy by Default. Privacy by Design means nothing more than “data protection through technology design”, or the principle of considering data protection at the design phase of a new technology or process. Privacy by Design means that your organisation has ‘baked in’ data protection principles into your business practices and processing activities, throughout the entire design and lifecycle.
Privacy by Design is an important aspect in ensuring that your organisation stays compliant and that your customers’ data is kept securely. This short blog looks at what Privacy by Design means, generally speaking; what it means for your organisation; and the best ways in which you can implement Privacy by Design.
What is Privacy by Design?
Article 25 of both the UK and EU GDPR makes Privacy by Design a legal requirement for those caught by the legislation. However, it is a principle that has been around far longer than the Regulation. Article 25(1) requires organisations:
“[t]aking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements.”
In principle this means that organisations that process personal data must keep privacy and data protection in mind throughout the entire lifecycle of a system/project/process. This applies to:
This means that every department, especially IT, that processes data must ensure that consideration for data subject privacy is inherent in everything that they do. Demonstrating that your organisation considers ‘Privacy by Design’ is a key step in complying with the Accountability principle of the GDPR, which is vital for overall compliance.
What is Privacy by Default?
Privacy by Default refers to the practice of applying the strictest privacy settings by default to any system/application without any input from the end users. For example, setting the minimal amount of data fields in a form to mandatory, with additional fields set as optional; or keeping personal data for the minimum amount of time required to provide the service as standard.
To meet this criterion you may wish to consider things like:
Looking at this, it is clear that Privacy by Default links to the purpose limitation and data minimisation principles of both the EU and UK GDPR.
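As an added illustration (not code from the DPO Centre post), the following Python sketch applies the Privacy by Default practices described above: only the fields needed to deliver the service are mandatory, opt-in consent starts off, identifiers are pseudonymised with a keyed hash (the measure Article 25(1) names), and records are deleted once an assumed retention period has passed. The field names, retention period and key are assumptions for illustration only.

```python
import hmac
import hashlib
from datetime import datetime, timedelta, timezone

# Assumed schema for a signup form: the email is needed to deliver the
# service, everything else is optional and never made mandatory.
REQUIRED_FIELDS = {"email"}
OPTIONAL_FIELDS = {"phone", "date_of_birth"}
RETENTION = timedelta(days=30)            # assumed retention for this service
PSEUDONYM_KEY = b"constructed-demo-key"   # in practice: a managed secret, not a literal


def pseudonymise(value: str) -> str:
    """Keyed hash: the stored identifier cannot be reversed without the key."""
    return hmac.new(PSEUDONYM_KEY, value.strip().lower().encode(), hashlib.sha256).hexdigest()


def create_record(submitted: dict, now: datetime) -> dict:
    """Build the stored record from a form submission.

    Rejects a submission missing a mandatory field, drops unknown fields
    (data minimisation), keeps optional fields only when the user actually
    supplied them, and treats marketing consent as False unless it was
    explicitly given as boolean True (no pre-ticked boxes).
    """
    missing = REQUIRED_FIELDS - submitted.keys()
    if missing:
        raise ValueError(f"missing mandatory fields: {sorted(missing)}")
    record = {
        "email": submitted["email"],
        "analytics_id": pseudonymise(submitted["email"]),  # used instead of the email downstream
        "created": now,
        "marketing_consent": submitted.get("marketing_consent") is True,
    }
    for field in OPTIONAL_FIELDS:
        if submitted.get(field):
            record[field] = submitted[field]
    return record


def purge_expired(records: list, now: datetime) -> list:
    """Keep only records still inside the retention period; older ones are dropped."""
    return [r for r in records if now - r["created"] < RETENTION]
```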
Who needs to consider Privacy by Design?
Article 25 makes it clear that the responsibility for implementing Privacy by Design and Default lies with the data controller. Within a data controller’s organisation, there may be many departments responsible for ensuring Privacy by Design is in place across the whole business, not just the privacy team, for example:
Placing the responsibility for Privacy by Design at the feet of controllers means that if they are engaging with any third-party processors to undertake processing on their behalf, they must ensure that they choose processors that “implement appropriate technical and organisational measures” (as per Article 28). Therefore, demonstrating that you have undertaken the appropriate due diligence on your data processors and that your choice of processor has been influenced by their data protection compliance can also help to comply with your Privacy by Design obligations.
Achieving Privacy by Design
Your organisation must put in place appropriate technical and organisational measures that are designed to ensure that you are implementing the data protection principles and safeguarding your data subjects’ rights. Unfortunately, there is no standardised way to achieve this, so it will very much depend on what your organisation does and the type of data you are processing. Recital 78 gives some guidance as to what this could include, such as:
The key is to take an organisational approach to ensuring that your organisation achieves certain outcomes that are often associated with data protection by design. These could be:
The most effective method of demonstrating that your organisation is taking a Privacy by Design approach is to document your actions in a Data Protection Impact Assessment (DPIA). As a DPIA should be completed right at the beginning of a project, it clearly shows that data protection considerations have been factored in from the outset.
Need help?
Whilst often overlooked, Privacy by Design is an essential requirement for compliance with the GDPR, and, even if your organisation is not caught by the UK or EU GDPR, it is a key principle that many organisations choose to follow. Despite its importance, it can be a tricky concept to understand, meet and then implement, requiring ongoing effort and documentation. At The DPO Centre, we work with a range of different organisations in a variety of sectors, including research and life sciences, education, not-for-profit, and medical and healthcare, all of which must ensure that they are considering Privacy by Design. If your organisation needs assistance or guidance, please contact us.