‘Privacy by Design’ and ‘Privacy by Default’ are not new concepts. The right to privacy is a fundamental aspect of the European Convention on Human Rights and is already at the heart of all ethical organisations. However, the GDPR is the first European data protection legislation to explicitly recognise these rules.
Under the GDPR, organisations are legally required to embed data subjects’ privacy rights into every aspect of their business operations. Through a ‘privacy policy’, data subjects must be made fully aware of their privacy rights and of how to complain if they believe their data is being misused. Organisations must design policies, procedures and information systems that make the protection of data subjects’ privacy central to their company ethos.
Organisations must consider privacy at the initial stages and throughout the development of a new product, process or service that involves processing personal data. The embedding of data privacy features into the design of projects can have the following benefits:
‘Privacy by default’ means that organisations must implement technical and organisational measures that, by default, ensure only the personal data necessary for a specific purpose is processed. Minimising the amount of data collected reduces the risk of privacy breaches. Under the GDPR, organisations can only process personal data that is necessary for their intended purpose and must not store it for longer than is necessary for that purpose.
In addition, when an IT system includes choices for the data subject on how much personal data they share and with whom, the default settings should be privacy friendly.
When deciding what technical and organisational measures make the best investment, organisations need to consider the nature, scope, purposes and context of their data processing. They need to weigh up the risks to individuals’ rights and freedoms should a data breach occur and consider how personal data can be pseudonymised. As well as this, thought must be given to the ways in which systems meet other GDPR requirements. For instance, can:
Privacy Impact Assessments (PIAs) are an integral part of taking a ‘privacy by design’ approach. They help organisations to identify, assess and minimise privacy risks when processing data. Carrying out a PIA also helps an organisation to comply with the ‘accountability’ principle of the GDPR.
The GDPR states that PIAs must be conducted where data processing ‘is likely to result in a high risk to the rights and freedoms of natural persons’. The GDPR identifies specific high-risk activities in Article 35:
The best time to conduct a PIA is at the very start of a project, so that its findings can be incorporated into the design of the processing operation.
IT specialists and consultants can support you in meeting the GDPR’s ‘privacy by design’ and ‘privacy by default’ requirements, as well as in conducting PIAs. For example, by using software-assisted processes, specialists can customise PIAs to suit your organisation’s needs. Benefits might include:
By making ‘Privacy by Design’ and ‘Privacy by Default’ mandatory, the GDPR gives greater privacy protection to data subjects. By meeting these legal obligations, organisations build trust with their clients, and that is fundamental to business success!