Written by Stephen Ragan, Principal Privacy Consultant at Wrangu
Data Protection by Design and by Default: The Requirements of GDPR
Often in the privacy and data protection world we talk about managing the data lifecycle from the point of generation all the way until the data is deleted. Thinking like this is not entirely correct. The General Data Protection Regulation (GDPR) imposes principles of data protection by design and by default that require examining and implementing technical safeguards and organisational measures at the time of designing and developing products, services, and applications, before any data is collected at all.
Data Protection by Design has a long history: it was first introduced in the 1970s and incorporated into the European Data Protection Directive in the 1990s. Recital 46 of that early Directive suggested that technical and organisational measures (TOMs) be considered during the planning stage of implementing a processing system for purposes of data protection. “Privacy by Design” means “data protection through technology design” and is included as part of the current GDPR under Article 25. This Article creates the requirement that controllers implement appropriate technical and organisational measures (TOMs) and necessary safeguards to protect the rights and freedoms of data subjects. To ensure effective data protection, controllers must be able to demonstrate the effectiveness of these implemented measures. Timing is what is most at issue. Data protection by design must be implemented at the time the means of processing data is determined as well as at the time of the processing itself.
To do this, Article 25 requires organisations to consider the state of the art of the technology, the cost of implementation, and the nature, scope, context, and purpose of the processing, and to include a risk analysis of the likely harms to the rights and freedoms of individuals. The criterion “state of the art” requires controllers to stay up to date on technological progress. The “cost of implementation” requires controllers to consider the cost and resources required for effective implementation and continued maintenance of the data protection principles. Data protection by default means that personal data is limited to what is strictly necessary for specific purposes. This default setting should prioritize the privacy of personal information without the data subject having to do anything.
There are no specific requirements for what technical and organisational measures mean. TOMs can be anything from the use of advanced technical solutions to the basic training of personnel. Some examples include pseudonymisation, encryption, and data anonymisation. The basic premise is that the TOMs are appropriate if they implement data protection into the processing of data. Whether they are compliant depends on the context of the processing activities in question, and any risk assessments, like a Data Protection Impact Assessment (Art. 35), should consider Article 25 elements. As controllers are required to demonstrate they have implemented measures to achieve the desired effects in terms of data protection, they must determine key performance indicators to demonstrate compliance. Examples of metrics include the level of risk, evaluations of a system's performance, or the use of an expert assessment.
In the case of a risk assessment, the criteria are always the same throughout the GDPR. The assets to protect are individuals, assessed through the threat to their rights and freedoms, including the likelihood and severity of harm. This is weighed against the business interests of the data processing, including measures taken to reduce risk through safeguards and TOMs. The obligation to implement data protection by design and by default also extends to data processors, and a processor's operations should be regularly reviewed and assessed to ensure they enable continued compliance.
The Seven Foundational Principles of Privacy by Design
There are seven foundational principles of privacy by design first expressed in Ann Cavoukian’s seminal article in 2006. They are:
1. Proactive not Reactive; Preventative not Remedial
This principle takes an anticipatory approach to privacy and data protection. It anticipates and aims to prevent privacy issues before they arise. This implies setting and enforcing organisational standards of privacy that are shared throughout an organisation, including with external stakeholders and affected communities.
2. Privacy as the Default Setting
This principle emphasizes that privacy is protected even if the individual does nothing. Privacy is built into the system and includes:
- Purpose Specification
- Collection Limitation
- Data Minimisation
- Use, Retention, and Disclosure Limitation
3. Privacy Embedded into Design
Privacy is an essential component of the core functionality being delivered.
4. Full Functionality – Positive-Sum, not Zero-Sum
This principle seeks to satisfy the conditions of a “win-win”, avoiding the zero-sum approach of necessary trade-offs. This seeks to avoid false dichotomies like privacy v. security or privacy v. business objectives. Functionality of systems should not be impaired by emphasizing privacy but should embrace legitimate non-privacy objectives as well.
5. End-to-End Security – Full Lifecycle Protection
Data is managed and secured throughout the data lifecycle and destroyed at the end of the process in a timely fashion.
6. Visibility and Transparency – Keep it Open
Privacy by Design assures all stakeholders that operations are according to the stated promises and objectives through accountability, building trust.
7. Respect for User Privacy – Keep it User-Centric
Privacy by Design requires technologists and engineers to protect the interests of the data subject by offering strong privacy default settings, providing appropriate notice, and being user-friendly.
Privacy by Design Checklist
- Your organisation considers data protection issues as part of the design and implementation of products and systems and documents this process
- Your organisation anticipates risks and privacy-invasive events before they occur and takes steps to prevent harm to individuals
- Data is processed for a purpose that is clearly stated and communicated with the data subject
- Data is protected by default in your IT systems, services, and products, so that the individual does not need to take any specific actions to protect their privacy
- Your organisation provides the contact details of those in your organisation responsible for data protection, facilitating data subject access requests (DSARs)
- Individuals can see how their data is being used and whether policies are being properly enforced
- Your organisation offers strong privacy defaults, user-friendly controls, and respects user preferences
- Your organisation only uses data processors that provide sufficient guarantees of their technical and organisational measures (TOMs) for data protection by design
- When your organisation is done with the data, it is deleted or deidentified
- Your organisation should create and enforce internal retention policies and conduct tests of whether the organisation practices its policies