The May 25th date for GDPR compliance is getting nearer.
A core element embedded within the new legislation is a requirement for organisations to adhere to the principle of ‘data protection by design and by default.’
This is also referred to as ‘privacy by design.’
The problem is, it is not very clear what these terms actually mean and what we will all be required to do.
Some clarity would be useful.
To help us understand what we will fundamentally be asked to do, we must take a step back and revisit the core GDPR principles.
GDPR Article 25 gives us the best clarification here in terms of data protection by design, and it details a number of factors that organisations and data controllers should take into account.
These include the:
- Means for processing
- Cost of implementation
- Context and purpose of processing
- Nature and scope of processing
- Potential risks to the rights and freedoms of data subjects arising from the data they submit (or have submitted)
Article 25 tells us that each organisation’s data controller must:
“Implement appropriate technical and organisational measures such as pseudonymisation which are designed to implement data-protection principles such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”
Article 25 continues:
“…by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.”
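As an added illustration (not part of the original article or any official guidance), the following Python sketch shows what the two measures Article 25 names, pseudonymisation and purpose-bound data minimisation, can look like in code. The purpose register, the field names and the customer record are constructed for the example; the HMAC key is a placeholder that a real controller would hold separately from the data.

```python
import hmac
import hashlib

# Constructed purpose register: the fields each processing purpose may receive.
# Anything not listed is withheld, so "privacy by default" is the starting state.
PURPOSE_FIELDS = {
    "order_fulfilment": {"pseudonym", "postcode", "order_total"},
    "analytics": {"pseudonym", "postcode_area", "order_total"},
}

# Placeholder secret for the example; in practice the controller keeps this key
# apart from the pseudonymised data so the two cannot be re-linked casually.
PSEUDONYM_KEY = b"constructed-demo-key-not-for-production"


def pseudonymise(identifier: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed hash (HMAC-SHA256) of a direct identifier such as an e-mail address.
    Unlike a plain hash, which anyone could recompute from a guessed address,
    the pseudonym cannot be linked back to the person without the key."""
    digest = hmac.new(key, identifier.strip().lower().encode(), hashlib.sha256)
    return digest.hexdigest()[:16]


def minimise(record: dict, purpose: str) -> dict:
    """Return only the fields the named purpose is registered to process.
    An unregistered purpose gets nothing rather than everything (deny by default)."""
    if purpose not in PURPOSE_FIELDS:
        raise PermissionError(f"no registered processing purpose: {purpose}")
    derived = {
        "pseudonym": pseudonymise(record["email"]),
        "postcode": record["postcode"],
        # coarser value for analytics, which does not need the full postcode
        "postcode_area": record["postcode"].split()[0],
        "order_total": record["order_total"],
    }
    allowed = PURPOSE_FIELDS[purpose]
    return {field: value for field, value in derived.items() if field in allowed}


# Constructed sample customer record (no real person)
CUSTOMER = {
    "name": "Jane Doe",
    "email": "Jane.Doe@example.com",
    "postcode": "SW1A 1AA",
    "order_total": 42.50,
}

if __name__ == "__main__":
    print(minimise(CUSTOMER, "analytics"))
```

Neither purpose ever receives the name or e-mail address, and analytics receives only the postcode area; adding a new purpose means adding an explicit entry to the register rather than widening the default.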
When, as data controller or business owner, all we are trying to do is comply with the requirements, this leaves plenty of room for subjectivity and inconsistency, given the many dependencies which can justify different outcomes.
Let me see if I can bring some additional clarification.
Further relevant guidance can be found within ‘Recital 78’. This section tells us:
“When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.”
This will imply a new perspective on the vendor selection process by controllers and perhaps more burdensome RFI and RFP processes.
The requirements are imposed upon potential suppliers of such applications, services and products that process personal data (on behalf of controllers).
Actions to take
I suggest that, to address the privacy by design principle, organisations take two steps in preparation for 25th May:
- Create a questionnaire for your current suppliers asking how their solutions will meet the privacy by design and privacy by default principles.
You should send this to them with a deadline date for completion and return.
- When you have your answers from your suppliers, you should then prepare a Privacy Risk Assessment. This is required both when you are determining the means of processing and at the time of the processing itself.
To aid with this, the UK Information Commissioner’s Office (ICO) has published guidance on privacy by design. Currently, this only relates to the existing directive but it is a good reference point.
The ICO guidance states that privacy and data protection should be a key consideration in the early stages of any project.
Doing this will ensure it is embedded throughout its lifecycle rather than being an afterthought or ignored altogether.
ICO also outlined eight principles of privacy by design.
- Proactive not reactive
- Preventative not remedial (privacy by design does not wait for privacy risks to materialise)
- Privacy must be the default setting (no action is required by the individual to protect their privacy, it should be built into the system by default)
- Privacy must be embedded into the design (privacy becomes an essential component of the core delivery)
- Full functionality equals positive-sum not zero-sum (privacy by design avoids the false dichotomies such as privacy versus security, thereby demonstrating that it is possible to have both)
- End to end security and full lifecycle protection (privacy by design ensures cradle to grave, secure management of information)
- Visibility and transparency (it is important that component parts and operations remain visible and transparent to users and providers)
- Respect user privacy and keep it user-centric (protect the interests of the individual by offering measures such as strong privacy defaults, by giving appropriate notice and by adding in empowering user-friendly options).
The ICO privacy by design advice also provides a method for proactively embedding privacy into information technology, business practices and network infrastructures.
This is detailed here: https://www.ipc.on.ca/wpcontent/uploads/2013/09/pbd-primer.pdf
Other useful guidance
Back in June 2017, the European Data Protection Supervisor also issued guiding principles on this topic.
These tell us that privacy by design requires organisations to:
- Find technical solutions
- Put in place delivery structures
- Continuously learn or collect knowledge
The European Data Protection Supervisor’s guiding principles therefore confirm (as do the ICO principles) that compliance must focus on protection from the very beginning of an improved data processing journey, by putting new data management structures in place and by focusing on the actual outcome (i.e. whether the measures will work or are working, and whether the personal data will actually be secure or is secure).
Simply ticking boxes, therefore, will not be enough.
Have a look also at the Data Protection by Design Toolkit.
You can use this to form the basis of the questionnaire for your suppliers, as advised above.
Awaiting further clarification
Whilst it is clear that privacy by design requires organisations to gather information on their suppliers and then perform privacy impact/risk assessments, we are now all waiting for additional clarity from the ICO and the European Data Protection Supervisor.
Indeed, the European Data Protection Supervisor has indicated that many elements still need further guidance to enable organisations to adopt a step-by-step methodology for privacy by design and then meet full compliance.
Let’s hope this further clarification is made available before May 25th!