Data Protection by Design as an obligation imposed on organisations is one of the GDPR’s innovations. The concept isn’t new; most privacy professionals have heard about Privacy by Design, which is a similar but somewhat broader concept. In this blog, we’ll explain what data protection by design is and how your business can benefit from it.
Data Protection by Design and Privacy by Design
Data Protection by Design is essentially the GDPR’s version of Privacy by Design, a concept developed by the Information and Privacy Commissioner of Ontario, Ann Cavoukian, back in the ’90s. The concept is expressed through the following 7 principles, which aim to safeguard individuals’ right to privacy:
- Proactive not reactive; preventative not remedial
- Privacy as the default setting
- Privacy embedded into design
- Full functionality – positive-sum, not zero-sum
- End-to-end security – full lifecycle protection
- Visibility and transparency – keep it open
- Respect for user privacy – keep it user-centric
Although Privacy by Design and Data Protection by Design are separate concepts, the Privacy by Design principles can support your GDPR compliance program.
What does it mean in practice?
Data Protection by Design in Article 25 of the GDPR calls on organisations to put in place appropriate technical and organisational measures to implement the data protection principles (such as data minimisation) and to safeguard individuals’ rights. This is now a legal requirement and its violation can lead to fines of up to €10 million or 2% of the organisation’s annual turnover. In October 2019, the supervisory authority of Berlin issued a €14.5 million fine against the real estate company Deutsche Wohnen SE for violating the Data Protection by Design principle as well as for storing tenants’ personal data without a legal basis.
The important part is that you will need to implement those measures both at the design phase of a new product, service or system and throughout the whole lifecycle of the processing activity. That means it is not a one-time exercise but an ongoing process, which can help ensure that you comply with the GDPR’s fundamental principles and requirements.
It’s true that the principle is broad and many privacy professionals struggle to understand how to put theory into practice. Generally, the principle obliges you to think about data protection upfront, before you start the processing, and to embed it into your processing activities. In that sense, it is a means to ensure that the rest of the GDPR principles are respected.
What to consider when applying Data Protection by Design
The GDPR doesn’t provide specific guidelines on how to apply Data Protection by Design in practice or a specific requirement that you need to comply with. This derives from the risk-based approach that the GDPR has adopted. You need to assess which measures are appropriate to a) ensure that the GDPR principles are implemented and b) ensure that you minimise the risk to data subjects’ rights and freedoms. Bearing in mind that you need to take Data Protection by Design into account from the beginning of the design, carrying out a DPIA is often a useful way to help you comply.
Here are some other aspects to consider when applying Data Protection by Design:
- Consider data protection issues as part of the design and implementation not only of systems, services or products but business practices as well, such as when you are drafting internal policies.
- Make sure that any public document you produce regarding data protection is written in plain and easily understood language.
- Be proactive: consider risks to data subjects’ rights and freedoms before they occur and take appropriate measures to prevent harm to individuals. Carry out Privacy Impact Assessments or, if required, Data Protection Impact Assessments.
- Make sure that data minimisation and purpose limitation principles are implemented properly.
- Do thorough due diligence before you employ a new data processor. Choose ones which provide sufficient guarantees of their technical and organisational measures for data protection by design.
- Offer strong privacy defaults, user-friendly options and controls, and respect user preferences.
Another important point is that this principle touches a broad range of business operations. It is normal for data protection professionals to think about and prioritise data protection, especially at the design phase, but the reality is that data protection is considered at a later stage. This is why raising awareness within the organisation is an essential part of compliance with the Data Protection by Design principle. As with most of the GDPR requirements, this is not a one-man show.
Despite its broad scope, think of Data Protection by Design as an enabler rather than a blocker. Complying with this principle will help you with your overall compliance and more specifically with your accountability requirements.