18# Data Protection by Design and by Default

Hello, I hope you had a great weekend. This Tuesday, I am talking about two specific concepts about converting the data protection principles into your daily operations – the requirement of data protection by design and by default (DPbDD).

It makes you, the controller, accountable for implementing appropriate technical and organisational measures to implement the data protection principles. This post will first describe the by design part, and then the by default part. It is of critical importance to take both the by design and by default parts into account from the earliest possible stages of each project or product development to ensure that the data protection principles are accounted for.

By Design

You are supposed to ensure appropriate and effective data protection when designing and implementing new systems, services, products, and business practices. It should be considered during developing, designing, selecting, or using applications, services, and products.

It should be reflected internally in your policies, processes, business practices, or other strategies that have privacy implications. In that way, it lowers the risk of forgetting to take it into account early on.

When deciding on the “by design” measures, these are some factors that you could consider:

• The state of the art
  • Take the current progress in technology that is available in the market into account. This is a dynamic concept, meaning that what was once determined as the state of the art might no longer be appropriate and effective in the future. In helping you determine the state of the art at a given time, you could use recognized frameworks, standards, certifications, etc. You should have adequate organisational measures in place to support the effectiveness of any chosen technology.
• The cost of implementation of chosen measures.
  • Consider resources like time and money. It mainly means that you are not required to use a disproportionate amount of resources if there is less resource-demanding but effective measures that you could use. You can only consider the cost of implementation when implementing, and not as a reason for not implementing anything at all.
• The nature, scope, context, and purpose(s) of the processing, i.e., the inherent characteristics of the processing, the size and range of the processing, and the circumstances which may influence the expectations of the data subject.
• The risks that the processing poses to the rights and freedoms of individuals.

By Default

The “by default” part of DPbDD means that you should implement the principles of data minimisation and purpose limitation in your processing operations. That means configuring the processing in such a way that you control the amount of personal data collected, the extent of their processing, the storage period, and their accessibility. It is to ensure that you initially only process the data necessary to achieve your specific purpose. It requires you to adopt a privacy-first approach with any default settings in systems, applications, services, etc.

The amount of data means all dimensions of data, i.e., data volume, types, categories, level of detail, etc. The default setting shall not contain the collection of personal data that is not necessary for the specific processing purpose.

Storage periods mean that the default is deletion or anonymisation after the purpose is fulfilled. If you go for anonymous storage, you are still obligated to reassess the risks, including the risk of re-identification.

By default, accessibility to the personal data should be limited to those people necessary for processing and not be available to an unlimited number of people.

According to the ICO, DPbDD is based on “the seven foundational principles of privacy by design” by as developed by the Information and Privacy Commissioner of Ontario (please visit their websites to learn more about the bullet list):

1. Proactive not Reactive — Preventative not remedial
2. Privacy as the Default Setting
3. Privacy Embedded into Design
4. Full Functionality — Positive sum, not zero-sum
5. End-to-End Security — Full lifecycle protection
6. Visibility and Transparency — Keep it open
7. Respect for User Privacy — Keep it user-centric

DPOrganizer’s Professional Services Team can help you with DPbDD when initiating a project or developing a product and assess how you have implemented the GDPR’s principles in your processing operations.

In summary, DPbDD is about implementing measures to ensure compliance with the data protection principles in the regulations. It should be thought of at an early stage before processing takes place. For some deeper knowledge, there is a great guideline from EDPB on the topic that was used for this post.

Do not hesitate to reach out to me by mail on albin.thelin@nulldporganizer.com, the Professional Services Team, or one of your privacy peers in the community Watercooler if you have any questions. See you later!