The GDPR makes data protection by design and by default a legal requirement for all organizations that process the personal data of EU individuals. But what does that mean in practice? And how can businesses comply?
In this article, we take a closer look at the concepts of data protection by design and data protection by default and how companies can meet these obligations.
What is data protection by design?
Data protection by design requires companies to embed data protection into all the systems, services, products, and business practices that involve personal data processing right from the start.
For companies that are subject to the GDPR, data protection can’t simply be an afterthought anymore. Instead, they need to make data protection an integral part of any product, service, system, or business practice.
Therefore, from the initial design phase, businesses need to consider:
- the intended processing activities,
- the risks that the processing activities pose to the data subject’s privacy, and
- the measures that can be taken to mitigate such risks and ensure data protection.
Ultimately, data protection by design means that organizations must build data protection into all the systems, products, services, and business practices that require personal data processing.
By placing data protection at the forefront of everything they do, companies can:
- minimize privacy risks and avoid data protection issues early on
- increase trust
- raise awareness about data protection across the entire organization
What is data protection by default?
Data protection by default is a principle according to which only the personal data that is strictly necessary to fulfil a specific purpose should be processed by default (without the data subject’s intervention). What’s more, companies are not allowed to:
- share the personal data with other individuals (unless the data subject gave their consent)
- process any additional personal data (unless the data subject gave their consent)
Ensuring data protection by design and data protection by default in practice
Here are 9 actionable steps that companies can take to ensure data protection by design and data protection by default.
1. Consider privacy issues and data protection measures at the design phase of products, services, systems, policies, processes, and procedures.
This means you must identify the privacy risks associated with the data processing activities you intend to carry out and figure out how to protect the data subject from those risks. Examples of data protection measures often include:
- pseudonymizing the personal data (replacing personally identifiable information with artificial identifiers so that it can’t identify the data subject)
- minimizing the personal data processing (only process personal data that is absolutely necessary to achieve a specific purpose and delete the data as soon as it no longer serves that purpose)
- ensuring transparency with respect to the functions and processing of personal data
- enabling individuals to monitor the processing of their personal data
- creating and improving security features such as access control, multi-factor authentication, regular backups, encryption, etc.
2. Make data protection an essential part of any product, service, system, policy, procedure, and process.
Once you have identified the appropriate measures to protect personal data, you must build them into your products, services, systems, and business practices from the very start. This way, you can ensure that data protection is at the core of everything you do.
3. Ensure that the most privacy-friendly settings are the default settings.
Companies are required to set the strictest available privacy settings as the default. This means that the highest level of data protection should be ensured automatically, without the data subject’s intervention.
4. Provide clear information to the data subject.
Companies should always let the data subject know:
- what personal data they will process,
- what is the processing purpose, and
- how they will process the personal data.
This information should be presented in a clear way, using plain language.
5. Only process the personal data necessary to achieve the initially specified purpose.
Businesses should only process personal data that is essential to achieving the initially specified processing purpose. If they want to process the data for a different purpose, they always need to ask for the data subject’s consent.
6. Make sure that data subjects can easily exercise their rights.
Companies need to give the data subjects control over their personal data and enable them to easily exercise their rights. This means that it should be simple for the data subject to find the following information:
- the contact details of the person to whom they can address their requests (e.g., contact information of the DPO)
- a step-by-step guide on how they can exercise their rights
7. Only rely on third parties that are GDPR-compliant.
Companies should only work with a data processor or third-party software providers that adhere to the principles of data protection by design and by default and can demonstrate their compliance.
Penneo is a software provider that meets all the GDPR requirements and can demonstrate its GDPR compliance via an ISAE 3000 report. Both Penneo Sign and Penneo KYC are designed with data protection in mind, so you can rest assured that your data is in good hands.
8. Consider data protection throughout the entire lifecycle of your processing activities.
Data protection shouldn’t be considered only at the beginning of your processing activities but also throughout their entire lifecycle. This means that you need to ensure that you process and dispose of personal data in a secure way.
9. Rely on privacy-enhancing technologies (PETs)
Privacy-enhancing technologies are designed to support privacy and data protection. Examples of PETs are: