What exactly is Data Protection by Design?
… just another GDPR ‘buzzword’? – or a vital organisational component?
Since the ‘official launch’ of the General Data Protection Regulation (GDPR) in May 2018, organisations across the globe have faced the task of understanding the meaning and implications of a raft of new terms.
Perhaps understandably, many of the GDPR’s associated key terms have become nothing more than buzzwords in some circles.
However, it would be a mistake to ignore a key term like ‘Data Protection by Design’, since it ensures that you consider data protection and privacy issues at the design stage of every service, product, system or process … and continues throughout the life cycle.
For the first time, GDPR addresses data protection by design as a legal obligation for data controllers and processors, making an explicit reference to data minimization and the possible use of pseudonymisation. On top of this, it introduces the obligation of data protection by default, going a step further into stipulating the protection of personal data as a default property of systems and services.
According to the ICO, Data Protection by Design requires you to:
- put in place appropriate technical and organisational measures designed to implement the data protection principles; and
- integrate safeguards into your processing so that you meet the GDPR’s requirements and protect the individual rights
In simple terms, this means that you must make data protection an integral part of your business practices and processing activities.
Here is what the GDPR Article 25 (1) specifies as the requirements for Data Protection by Design:
Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
Examples of applications for Data Protection by Design are;
- developing new IT systems, products, services and processes that involve the processing of personal data;
- developing organisational policies, processes, business practices and strategies that have privacy implications;
- physical design;
- embarking on data sharing initiatives; or
- using personal data for new purposes
The underlying concepts of Data Protection by Design are by no means new, since the term ‘privacy be design’ has actually existed for many years. Basically, Data Protection by Design includes the privacy by design approach into data protection law.
Under the 1998 Act, the ICO supported this approach because it helped organisations to comply with their data protection obligations.
Now, it is a legal requirement.