Data protection by design and default is nothing new. But, while privacy by design was good practice under the Data Protection Act of 1998, data protection by design and by default are legal requirements of Article 25 of the GDPR.
Here’s how data protection by design and by default works. We have outlined some steps you need to take in order to achieve it.
What is data protection by design?
Data protection by design is an approach that ensures you ‘bake’ privacy and data protection into your processing activities and business practices.
To implement data protection by design, the GDPR says that you must:
- Put in place appropriate technical and organisational measures designed to implement the data protection principles; and
- Integrate safeguards into your processing so that you meet the GDPR’s requirements and protect individual rights.
Data protection by design
An organisation that adopts data protection by design will:
- Conduct a DPIA (data protection impact assessment) when considering a new system, service, product or process that involves personal information
- Implement technologies, processes and policies to mitigate the risks that are discovered in the DPIA
- Write privacy notices and data protection policies in simple, easy-to-understand language
- Provide data subjects with the name and contact information of its DPO (data protection officer) or responsible person for data protection.
This is not an exhaustive list. Data protection by design is not so much a set of requirements as an attitude to GDPR compliance. It urges organisations to look for ways to anticipate data protection and privacy issues and prevent them.
What is data protection by default?
Data protection by default requires you to ensure that you only conduct data processing activities if they are necessary to achieve a specific goal.
It links to the GDPR’s principles of data minimisation and purpose limitation.
To comply with data protection by default, you must consider:
- Assuming a ‘privacy-first’ stance with any default settings of systems and applications
- Ensuring you don’t provide the illusion of choice to individuals relating to the data you will process
- Refraining from processing additional data unless the individual provides their consent
- Ensuring personal data is not automatically made publicly available to others unless the individual decides to do so
- Providing individuals with enough controls and options to exercise their rights.
Examples of data protection by default
What data protection by default looks like will vary based on the type of data processing the organisation is conducting. Here’s an example of an organisation that introduces a voice recognition system to verify users.
The technology is beneficial to both customers and the organisation, as it reduces waiting times and doesn’t require the customer to have a password or other authentication details to hand.
In order to use the system, the organisation must collect a recording of customers’ voices, which is considered biometric (and therefore sensitive) personal data under the GDPR.
If the organisation has an alternative, less invasive way of completing the verification process, it must use that. Therefore, it cannot make voice recognition the default option. Instead, it must inform customers that it is an option and explain how they can consent to the practice.
Similar issues can be seen in any other data processing activity that generally isn’t essential to the service being provided. For example, social media sites can do lots of different things with your personal data. However, many of them are non-essential for their primary service.
These sites must therefore turn those options off automatically. The user should then be offered the choice of whether they wish to use them. Instructions on how to do so should be available.
Other ways you can achieve data protection by default include:
- Avoiding misleading choices. Don’t ask users for consent if you are going to process their data anyway using another lawful basis
- Ensuring that personal data isn’t automatically made publicly available to others, unless the data subject consents; and
- Giving individuals a simple, easy-to-access method for adjusting their privacy settings and exercising their data subject rights.
Easily adopt data protection by design and by default
The complexity of the GDPR has led to many organisations seeking templates that they can use to fulfil their obligations.
This is not an effective solution when it comes to documenting GDPR compliance. It is certainly not advisable when it comes to data protection by design and by default.
After all, the premise of this method is that organisations address specific issues concerning the way they operate. We don’t use templates and never will.
That’s not to say you have to tackle the process alone. Our GDPR compliance team will provide in-person help. Our in-depth guidance will help you address the challenges you’re facing.
If you have limited resources and are unsure how to approach GDPR compliance, we can help. Perhaps you are looking for a boost to meet some of the more complex requirements; again, we are here to help.
Our GDPR by Design and By Default solution includes in-person training courses and advice to help you achieve demonstrable compliance. However, you may need more advanced knowledge on how to complete data protection by design and by default. If so, please call us today on 03333 22 1011.