Top tips for implementing ‘Data Protection by Design & Default’
The GDPR requires all businesses to implement ‘Data Protection by Design & Default’ but what does that mean in practice and how can businesses practically comply?
The concept of ‘data protection by design’ is not a new one – in the UK the ICO has always advocated an approach that businesses should, as a matter of good-practice, consider data protection implications and implement appropriate protective measures throughout the implementation and lifecycle of business or processing activities.
Under the GDPR, this approach has now been enshrined in law.
Article 25 of the GDPR requires every business to take account of data protection and privacy at all stages in the implementation of new processing activities. Businesses must then ensure that they build into that process appropriate technical and organisational measures to implement the data protection principles and safeguard individuals’ rights.
It can, however, be difficult for many businesses to ensure that this happens in practice. New projects and processes will often be led by teams who won’t have data protection and privacy at the forefront of their minds. Often a data protection question will be asked only when a project is already at an advanced stage, with technical solutions already agreed on and copy already drafted.
As well as breaching Article 25 obligations, that approach can also cause other challenges for businesses. Compliance can often require technical solutions to be put in place – either to obtain appropriate consents, to give fair processing notices or to change the types of data that are collected. Considering data protection and privacy at a late stage can therefore lead to a requirement for costly changes and delays to project implementation.
How does your organisation therefore ensure that ‘data protection by design’ is implemented across your business? Here are our top tips for businesses to meet these obligations:
- Appoint a person responsible for data protection

Even where you are not subject to an obligation to appoint a statutory Data Protection Officer, you should allocate a person within your organisation who is responsible for data protection and privacy compliance.
Visibility is important for that individual – people responsible for implementing new projects and technologies must know where they can go to get further support on data protection issues.
That person must also have enough capacity, knowledge and authority to take on that role and to ensure that changes are implemented where required.

- Training

New ideas and processes that involve the processing of personal data can come from any part of your business.
Every person in your business must therefore understand what personal data is, what amounts to ‘processing personal data’ and where to go for further support.
It is therefore important to ensure that those individuals are sufficiently trained to recognise where data protection and privacy may impact on their proposed new business activity.

- Have a clear procedure in place

One of the first questions that you should ask when implementing any new processes or activities is ‘is personal data being processed?’
If it is, that should trigger a process where further advice is sought about the data protection and privacy implications of that proposed process and how to address any risks.
You should document a clear policy which sets out the initial questions that should be asked and the next steps to consider the risks.

- Ensure that risks are addressed

Once it is identified that a proposed process or activity involves the processing of personal data, any risks of non-compliance or to the rights of data subjects should be identified.
Steps should then be taken to address those risks.
Those steps could range from changing the personal data that is processed so that it is only that information which is necessary for the particular purpose, implementing technical measures to give notices or obtain consent (as required) or putting in place access controls or techniques such as pseudonymisation or encryption, to keep personal data secure.

- Make a distinction between ‘data protection by design’ and ‘data protection impact assessments’ (DPIAs)

Where it is determined that a processing activity is likely to result in a high risk to data subjects, a DPIA may also be required.
‘Data protection by design’ applies to all processing activities implemented across your organisation whereas a DPIA will only be required in limited circumstances.
Internal policies should make a clear distinction between the two, ensuring that full DPIAs, which may require a more in-depth assessment of the risks and mitigations, are undertaken where required.

- Are there any third parties involved?
Often, when implementing a new technology designed by a third party, that third party will provide a copy of their DPIA as ‘proof’ that they are compliant. Although it is certainly helpful and can act as a flag to consider data protection and privacy issues, organisations should ensure that they don’t rely on it. That DPIA has been undertaken from the perspective of that third party, is tailored to its proposed processing activities and considers the risks for that third party only.
The considerations for your organisation may be different and you will have your own obligations to comply with. You should therefore ensure that ‘data protection by design’ is implemented from your organisation’s perspective in relation to both the processing activity itself and the relationship with that third party.
This article was first published by Data Protection Magazine.