Privacy by design or data protection by design is a real requirement under the General Data Protection Regulation (GDPR). It is no longer an abstract and unenforceable legal concept. You now have to implement the various components of this requirement whenever you process personal data in such a way that it can adversely affect the rights of data subjects. What are these components? Do I have to comply with the privacy by design or data protection by design requirement? And how do I comply?
What is Privacy by Design or Data Protection by Design?
Privacy by design is about ensuring that you protect the rights of data subjects when you develop your applications, websites, or other offerings related to information technology. It is also about creating a culture of respecting privacy in organisations. In order to do this, the GDPR requires you to think carefully about data privacy at the earliest stages of all your projects where you will process personal data. In short, there is a good reason for having the privacy by design requirement.
Do I have to comply with the requirement?
The short answer is: most likely. There is a good chance that many of your processing activities will involve processing a lot of personal data, or processing it in such a way that you could adversely affect the rights of data subjects. In such a case, you have to comply with the requirement. The requirement is so important that if you don’t comply, you may be fined. But don’t despair just yet. There is hope. The GDPR doesn’t require you to:
- implement the most expensive measures and bankrupt your organisation,
- take unreasonable and impractical steps,
- pay unreasonable fines if you have tried your best to comply, or the failure to comply is just not your fault.
How do I comply with the requirement?
Compliance with the privacy by design requirement involves both thinking and taking action. The GDPR requires you to start taking action and implementing various technical and non-technical measures even at the stage when you haven’t yet begun your project, when you might still be planning or thinking about how you will process personal data. This means that you will need to put the right policies and teams in place, use the right software, and maybe even adapt your procedures and technology so that protecting data is one of the main priorities. One such way to take action would be to use software and technology that, for example, makes it almost impossible for unauthorised persons to trace the personal data you used back to specific data subjects.
In the planning stage, you must consider:
- how much personal data you will process and whether it’s necessary to process that amount in order to achieve your purpose, and
- whether there are other, less risky means you can use to process the personal data.
In the action stage, you must:
- implement, in your systems and projects, the various technical and non-technical measures you have identified as being necessary, and
- ensure that you properly integrate those measures into your systems and projects, so that your processing activities work well and comply with the GDPR.
The Information and Privacy Commissioner of Ontario also has a further discussion on this and the seven foundational principles of privacy by design.
Actions you can take
- Empower yourself with practical knowledge by attending a webinar or GDPR workshop.
- Boost your compliance by asking us to help you appoint a Data Protection Officer to help you comply.
- Incorporate privacy into your design by conducting a privacy or data protection impact assessment when you start a project.
- Know whether you have to comply with the privacy by design requirement by asking us to draft an opinion advising you.
- Understand how to comply by asking us to advise you on your compliance measures.