Top tips for implementing ‘Data Protection by Design & Default’
The GDPR requires all businesses to implement ‘Data Protection by Design & Default’ but what does that mean in practice and how can businesses practically comply?
The concept of ‘data protection by design’ is not a new one – in the UK the ICO has always advocated, as a matter of good practice, that businesses consider the data protection implications of a business or processing activity and build appropriate protective measures into it throughout its lifecycle.
Under the GDPR, this approach has now been enshrined in law.
Article 25 of the GDPR requires every business to take account of data protection and privacy at all stages in the implementation of new processing activities. Businesses must then build appropriate technical and organisational measures into that process, so that the data protection principles are implemented and individuals’ rights are safeguarded.
It can however be difficult for many businesses to ensure that this happens in practice. New projects and processes will often be led by teams who do not have data protection and privacy at the forefront of their minds. Often a data protection question is only asked when a project is already at an advanced stage, with technical solutions already agreed and copy already drafted.
As well as breaching Article 25 obligations, that approach can also cause other challenges for businesses. Compliance can often require technical solutions to be put in place – either to obtain appropriate consents, to give fair processing notices or to change the types of data that are collected. Considering data protection and privacy at a late stage can therefore lead to a requirement for costly changes and delays to project implementation.
How does your organisation therefore ensure that ‘data protection by design’ is implemented across your business? Here are our top tips for businesses to meet these obligations:
- Appoint a person responsible for data protection
Even where you are not subject to an obligation to appoint a statutory Data Protection Officer, you should allocate a person within your organisation who is responsible for data protection and privacy compliance.
Visibility is important for that individual – people responsible for implementing new projects and technologies must know where they can go to get further support on data protection issues.
That person must also have enough capacity, knowledge and authority to take on that role and to ensure that changes are implemented where required.
- Training
New ideas and processes that involve the processing of personal data can come from any part of your business.
Every person in your business must therefore understand what personal data is, what amounts to ‘processing personal data’ and where to go for further support.
It is therefore important to ensure that those individuals are sufficiently trained to recognise where data protection and privacy may impact on their proposed new business activity.
- Have a clear procedure in place
One of the first questions that you should ask when implementing any new processes or activities is ‘is personal data being processed?’
If it is, that should trigger a process where further advice is sought about the data protection and privacy implications of that proposed process and how to address any risks.
You should document a clear policy which sets out the initial questions that should be asked and the next steps for considering the risks.
- Ensure that risks are addressed
Once it is identified that a proposed process or activity involves the processing of personal data, any risks of non-compliance or to the rights of data subjects should be identified.
Steps should then be taken to address those risks.
Those steps could range from changing the personal data that is processed, so that only the information necessary for the particular purpose is collected, to implementing technical measures to give notices or obtain consent (as required), to putting in place access controls or techniques such as pseudonymisation or encryption to keep personal data secure.
- Make a distinction between ‘data protection by design’ and ‘data protection impact assessments’ (DPIAs)
Where it is determined that a processing activity is likely to result in a high risk to data subjects, a DPIA may also be required.
‘Data protection by design’ applies to all processing activities implemented across your organisation whereas a DPIA will only be required in limited circumstances.
Internal policies should make a clear distinction between the two, ensuring that full DPIAs, which may require a more in-depth assessment of the risks and mitigations, are undertaken where required.
- Are there any third parties involved?
Often, when implementing a new technology designed by a third party, that third party will provide a copy of its own DPIA as ‘proof’ that it is compliant. Although this is certainly helpful and can act as a flag to consider data protection and privacy issues, organisations should not rely on it. That DPIA will have been undertaken from the third party’s perspective, tailored to its proposed processing activities, and will have considered the risks to that third party only.
The considerations for your organisation may be different and you will have your own obligations to comply. You should therefore ensure that ‘data protection by design’ is implemented from your organisation’s perspective in relation to both the processing activity itself and the relationship with that third party.
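As an added worked example (not from the article or from Data Protection Magazine), the following Python illustrates two of the technical measures named in the ‘Ensure that risks are addressed’ tip above: data minimisation and pseudonymisation. The sample records, the field names and the purpose (‘aggregate sales analysis by postcode area’) are constructed for illustration only. The example also shows the check a practitioner should make before calling something pseudonymised: an unkeyed hash of an email address is not effective pseudonymisation, because anyone holding a list of candidate addresses can recover the input, whereas an HMAC under a key held separately from the dataset cannot be reversed without that key.

```python
import hashlib
import hmac
import secrets
from typing import Iterable, Optional

# Constructed sample records for illustration; not data from the article.
RAW_RECORDS = [
    {"email": "alice@example.com", "name": "Alice Smith", "dob": "1990-04-12",
     "postcode": "NG1 1AA", "order_total": 42.50},
    {"email": "bob@example.com", "name": "Bob Jones", "dob": "1985-11-30",
     "postcode": "LE1 2BB", "order_total": 17.00},
    {"email": "alice@example.com", "name": "Alice Smith", "dob": "1990-04-12",
     "postcode": "NG1 1AA", "order_total": 8.99},
]

# Fields that the hypothetical purpose (aggregate sales analysis by area) needs.
# Name and date of birth are not necessary for it, so they are never kept.
NECESSARY_FIELDS = ("postcode", "order_total")


def naive_hash(identifier: str) -> str:
    """Unkeyed SHA-256 of an identifier. Deterministic and key-free, so a
    dictionary of candidate identifiers recovers the input: NOT effective
    pseudonymisation, shown here only as the weak form to avoid."""
    return hashlib.sha256(identifier.encode("utf-8")).hexdigest()


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed pseudonym: HMAC-SHA256 over the identifier, hex-encoded.
    The key is the 'additional information' that must be kept separately
    from the dataset; without it the pseudonym cannot be linked back."""
    return hmac.new(key, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: dict, key: bytes) -> dict:
    """Keep only the fields the purpose needs and replace the direct
    identifier (email) with a keyed pseudonym, so repeat customers can still
    be counted without the email itself leaving the source system."""
    out = {field: record[field] for field in NECESSARY_FIELDS if field in record}
    out["subject_id"] = pseudonymise(record["email"], key)
    return out


def minimise_all(records: Iterable[dict], key: bytes) -> list:
    """Apply minimise() to every record; returns the dataset safe to share."""
    return [minimise(r, key) for r in records]


def guess_identifier(pseudonym: str, candidates: Iterable[str],
                     key: Optional[bytes] = None) -> Optional[str]:
    """Dictionary attack: recompute the pseudonym for each candidate
    identifier and compare. Succeeds against naive_hash() with no key;
    against pseudonymise() only if the attacker also holds the key."""
    for candidate in candidates:
        trial = naive_hash(candidate) if key is None else pseudonymise(candidate, key)
        if hmac.compare_digest(trial, pseudonym):
            return candidate
    return None


if __name__ == "__main__":
    # In practice the key lives in a secrets store or HSM, never alongside
    # the minimised data; a fresh random key is generated here for the demo.
    key = secrets.token_bytes(32)
    minimised = minimise_all(RAW_RECORDS, key)
    for row in minimised:
        print(row)

    # An attacker who has obtained a list of plausible addresses.
    leaked_candidates = ["bob@example.com", "alice@example.com"]
    print("unkeyed hash recovered:",
          guess_identifier(naive_hash("alice@example.com"), leaked_candidates))
    print("keyed pseudonym recovered without key:",
          guess_identifier(minimised[0]["subject_id"], leaked_candidates))
    print("keyed pseudonym recovered with key:",
          guess_identifier(minimised[0]["subject_id"], leaked_candidates, key))
```

Two points of design follow from the tip above. First, minimisation happens before pseudonymisation, so the fields that were never necessary are not protected by a key that might later leak; they simply do not exist in the shared dataset. Second, the HMAC key is the piece of ‘additional information’ that makes the data pseudonymous rather than anonymous: it must be held under its own access controls, separately from the minimised records, and anyone who can read both can re-identify every subject.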
This article was first published by Data Protection Magazine.