0370 270 6000

Top tips for implementing ‘Data Protection by Design & Default’

27 April 2020

The GDPR requires all businesses to implement ‘Data Protection by Design & Default’ but what does that mean in practice and how can businesses practically comply?

The concept of ‘data protection by design’ is not a new one – in the UK the ICO has always advocated an approach that businesses should, as a matter of good-practice, consider data protection implications and implement appropriate protective measures throughout the implementation and lifecycle of business or processing activities.

Under the GDPR, this approach has now been enshrined in law.

Article 25 of the GDPR requires every business to take account of data protection and privacy at all stages in the implementation of new processing activities. Businesses must then ensure that they build appropriate technical and organisational measures to implement the data protection principles and safeguard individual’s rights into that process.

It can however be difficult for many businesses to ensure that this happens in practice. New projects and processes will often by led by teams who won’t have data protection and privacy at the forefront of their minds. Often a data protection question will be asked when a project is already at an advanced stage, technical solutions already agreed on and copy already drafted.

As well as breaching Article 25 obligations, that approach can also cause other challenges for businesses. Compliance can often require technical solutions to be put in place – either to obtain appropriate consents, to give fair processing notices or to change the types of data that are collected. Considering data protection and privacy at a late stage can therefore lead to a requirement for costly changes and delays to project implementation.

How does your organisation therefore ensure that ‘data protection by design’ is implemented across your business? Here are our top tips for businesses to meet these obligations:

  1. Appoint a person responsible for data protection

    Even where you are not subject to an obligation to appoint a statutory Data Protection Officer, you should allocate a person within your organisation who is responsible for data protection and privacy compliance.

    Visibility is important for that individual – people responsible for implementing new projects and technologies must know where they can go to get further support on data protection issues.

    That person must also have enough capacity, knowledge and authority to take on that role and to ensure that changes are implemented where required.

  2. Training

    New ideas and processes that involve the processing of personal data can come from any part of your business.

    Every person in your business must therefore understand what personal data is, what amounts to ‘processing personal data’ and where to go for further support.

    It is therefore important to ensure that those individuals are sufficiently trained to recognise where data protection and privacy may impact on their proposed new business activity.

  3. Have a clear procedure in place

    One of the first questions that you should ask when implementing any new processes or activities is ‘is personal data being processed?’

    If it is, that should trigger a process where further advice is sought about the data protection and privacy implications of that proposed process and how to address any risks.

    You should document a clear policy which sets out the initial questions that should be asked and the next steps to consider the risks.

  4. Ensure that risks are addressed

    Once it is identified that a proposed process or activity involves the processing of personal data, any risks of non-compliance or to the rights of data subjects should be identified.

    Steps should then be taken to address those risks.

    Those steps could range from changing the personal data that is processed so that it is only that information which is necessary for the particular purpose, implementing technical measures to give notices or obtain consent (as required) or putting in place access controls or techniques such as pseudonymisation or encryption, to keep personal data secure.

  5. Make a distinction between ‘data protection by design’ and ‘data protection impact assessments’ (DPIAs).

    Where it is determined that a processing activity is likely to result in a high risk to data subjects, a DPIA may also be required.

    ‘Data protection by design’ applies to all processing activities implemented across your organisation whereas a DPIA will only be required in limited circumstances.

    Internal policies should make a clear distinction between the two, ensuring that full DPIAs, which may require a more in-depth assessment of the risks and mitigations, are undertaken where required.

  6. Are there any third parties involved?

    Often, when implementing a new technology designed by a third-party, that third-party will provide a copy of their DPIA as ‘proof’ they are compliant. Although it is certainly helpful and can act as a flag to consider data protection and privacy issues, organisations should ensure that they don’t rely on it. That DPIA has been undertaken from the perspective of that third-party, tailored to its proposed processing activities and considered the risks for that third party only.

    The considerations for your organisation may be different and you will have your own obligations to comply. You should therefore ensure that ‘data protection by design’ is implemented from your organisation’s perspective in relation to both the processing activity itself and the relationship with that third party.

This article was first published by Data Protection Magazine.

Focus on...

Grievances, complaints and whistleblowing. Managing the impact of difficult behaviour

In the first of our two-part webinar series on ‘managing the impact of difficult employee behaviour’ regulatory and employment experts Ros Foster and James Tait look at what is, and what isn’t, whistleblowing in the context of grievance and complaints procedures.


Press releases

Browne Jacobson dealmakers advise shareholders on the sale of automotive glass distributor Charles Pugh to international sustainable car care group

Browne Jacobson’s corporate dealmakers have advised the shareholders on the sale of UK market leading automotive glass specialists, Charles Pugh Holdings to Swedish listed company, Cary Group for an undisclosed sum.


Press releases

Browne Jacobson successfully appeal personal injury claim against Fulham Football Club

Browne Jacobson LLP, acting for Fulham Football Club, have succeeded on appeal in overturning an earlier court ruling that the club was liable for a sliding tackle made by one of its former under 18 players, Jayden Harris, in the course of a competitive match.


Legal updates

Integrated Care Systems: practical steps for 1 July 2022

ICSs have been introduced with the intention of uniting the operations of hospitals, community-based services, and health and social care bodies across their respective places.