Privacy by design or data protection by design is a real requirement under the General Data Protection Regulation (GDPR) for organisations that the GDPR applies to. It is no longer an abstract and unenforceable legal concept. You now have to implement the various components of this requirement whenever you process personal data in such a way that it can adversely affect the rights of data subjects. What are these various components of the requirement? Do I have to comply with the privacy by design or data protection by design requirement? And how do I comply?
What is Privacy by Design or Data Protection by Design?
Privacy by design is about ensuring that you protect the rights of data subjects when you develop your applications, websites, or other offerings related to information and technology. It is also about creating a culture of respecting privacy in organisations. In order to do this, the GDPR requires you to think carefully about data privacy at the earliest stages of all projects where you will process a lot of personal data.
Once you’ve implemented privacy by design, you get to run projects that have various built-in safety mechanisms to guard against any avoidable or preventable data breaches. You rest assured in the knowledge that your projects are, by their very design, run in a way that protects personal data. This all means that there is a good reason for having the privacy by design requirement.
Do I have to comply with the requirement?
The short answer is: Most likely. There is a big chance that your processing activities will involve processing a lot of personal data, or that you’ll be processing it in such a way that you could adversely affect the rights of data subjects. In such a case, you have to comply with the requirement. The requirement is so important that if you don’t comply, a GDPR supervisory authority may issue a fine against you. But don’t despair just yet. There is hope. The GDPR doesn’t require you to:
- implement the most expensive measures and bankrupt your organisation,
- take unreasonable and impractical steps, or
- pay unreasonable fines if you have tried your best to comply, or the failure to comply is just not your fault.
When the GDPR doesn’t apply to you, the answer to the question “Do I have to comply?” may just be that you don’t have to. In the South African context, for example, POPIA doesn’t explicitly require you to implement privacy-by-design measures. In its current form, it only indirectly requires privacy by design. It requires you to implement reasonable and appropriate data protection measures that are on par with industry or global standards (the GDPR is widely considered to be that global standard) and, in that way, basically requires you to follow the GDPR’s lead. In addition, POPIA also empowers the Information Regulator to publish codes of good practice and regulations and to approach parliament for amendments to POPIA, after having considered global standards of data protection (the GDPR). This means that the Information Regulator may still make POPIA more in line with the GDPR, and, in that way, require you to implement privacy-by-design measures.
How do I comply with the requirement?
Compliance with the privacy by design requirement involves both thinking and taking action. The GDPR requires you to start taking action and implementing various technical and non-technical measures even at the stage when you haven’t yet begun your project – when you might still be planning or thinking about how you will process personal data. This means that you will need to put the right policies and teams in place, use the right software, and maybe even adapt your procedures and technology so that protecting data is one of the main priorities. One such way to take action would be to use software and technology that, for example, makes it almost impossible for unauthorised persons to trace the data you have used back to specific data subjects.
In the planning stage, you must consider:
- how much personal data you will process and whether it’s necessary to process that amount in order to achieve your purpose, and
- whether there are any other, less risky means you could use to process the personal data.
In the action stage, you must:
- implement in your systems and projects the various technical and non-technical measures you have identified as necessary, and
- ensure that you properly integrate those measures into your systems and projects, so that your processing activities work well and comply with the GDPR.
The Information and Privacy Commissioner of Ontario also has a further discussion on this and the seven foundational principles of privacy by design.
Actions you can take
- Empower yourself with practical knowledge by attending a webinar or GDPR workshop.
- Boost your compliance by asking us to help you appoint a Data Protection Officer to guide your compliance.
- Incorporate privacy into your design by conducting a privacy or data protection impact assessment when you start a project.
- Know whether you have to comply with the privacy by design requirement by asking us to draft an opinion advising you.
- Understand how to comply by asking us to advise you on your compliance measures.