The European Union’s General Data Protection Regulation, or GDPR, requires that data protection considerations be integrated into every aspect of data processing activities. This approach is known as data protection by design and data protection by default. It is considered a key element of a risk-based approach and it focuses on accountability (i.e., the ability to demonstrate how an organisation is complying with the requirements).
Just like investing in GRC software, adopting a privacy by design approach is considered good practice. If you already follow this approach, you are likely well placed to meet the requirements of data protection, both by design and by default. However, you might still need to examine and review your procedures and processes to make sure you are meeting your obligations.
Data Protection by Design
Data protection officers (DPOs) and those who are handling personal data may need to have credentials like a PDPA certification to gain a better understanding of the Personal Data Protection Act and how they can implement data processes and policies for their organisations. In the same manner, you need to have appropriate organisational and technical measures to implement data protection principles more effectively.
In essence, data protection by design is an approach that ensures you take into consideration privacy and data protection issues at the design phase of any service, product, process, or system, and then throughout the data life cycle. Data protection by design requires you to:
- Have in place the appropriate technical and organisational measures designed to effectively implement the data protection principles
- Integrate safeguards into your processing so you can protect individual rights and meet the GDPR requirements
Basically, this means that you have to bake data protection into your business practices and processing activities. Data protection by design has a broad application. For example:
- It involves the development of services, products, processes, and IT systems that focus on the processing of personal data.
- It involves the development of organisational processes, business practices and strategies, and policies that have privacy implications.
- It involves embarking on data-sharing initiatives or using personal data for new purposes.
This might not be common knowledge, but the underlying concepts of data protection by design are not new. Under the term “privacy by design”, they have existed for several years already.
Data Protection by Default
Data protection by default requires that only data that is necessary to achieve a specific purpose is processed. This links to the fundamental data protection principles of purpose limitation and data minimisation.
Data protection by default also means you need to specify the data before processing starts. You also need to process only the data you need for your purpose and inform the individuals involved appropriately.
However, it does not require that you adopt a “default to off” solution. What you need to do will depend on the circumstances of your processing and the risks posed to individuals. Nevertheless, there are some key things you need to consider, such as:
- Adopting a “privacy-first” approach with any default applications and systems
- Ensuring you do not give individuals an illusory choice about the data you will be processing
- Not processing additional data unless the concerned individual decides you can
- Ensuring that personal data is not automatically made available publicly to others unless the individuals decide to make it so
- Providing individuals with sufficient options and controls to exercise their rights
Data protection by design and by default also impacts organisations other than the processors and controllers. Depending on the processing activities, other parties may be involved, even if only because a product or service used in the processing is purchased from them. Examples include product developers, application developers, manufacturers and service providers.