One of the key changes to be brought into the General Data Protection Regulation (GDPR) is that of “Privacy by Design” along with “Privacy by Default”. In essence, companies will now be obliged to take into account data privacy during design stages of all projects along with the lifecycle of the relevant data process.
Currently, the EU rules regarding Data Protection do not have this concept and no EU law ensures that these measures have to be taken into account. As such, the only obligation is that the data controller has to take appropriate measures in order to protect personal data from unlawful processing.
As the GDPR is still around a year away, there has been much said about what this entails and what is required. At the moment, without it being tested within the European Courts, a few conclusions can be made from the wording and the requirements of the GDPR as to what this means.
Firstly, ‘Privacy by Design’ is a well-known term within both legal and technical communities. The GDPR merely provides the recognition of this right and how it is to be enforced.
Through the GDPR Privacy by Design requirements, any and all businesses wishing to be compliant will have to design policies, procedures and systems which comply with the GDPR from the inception of the product’s or processes’ development.
This implementation does not necessarily mean that a company must spend a large proportion of it’s project budget on this design, but to take more of a risk-based approach, taking into account the nature, purposes, context, and scope of the processing and their implications. This seems to be the preferred attitude of scholars and businesses due to the flexibility it affords, but it is yet to be tested, so caution should be advised here.
When deciding this, businesses should take into consideration a wide array of factors regarding the processing of personal data including the ease of collection, how the data can be suppressed (for example, if a customer chooses to not receive direct marketing) or how portable the data is under the GDPR.
Alongside the “Privacy by Design” issue lays the “Privacy by Default” obligation. Under this obligation, data controllers must implement appropriate measures both on a technical and organisation level to ensure that personal data collected is only used for the specific purpose mentioned. This means that the minimum required amount of personal data should be collected, minimise the processing and control their storage and accessibility.
In terms of the practical implications, this remains to be fully tested as mentioned, but it has been suggested that, in preparation for this, businesses should seek to have as much in place as possible.
Firstly, businesses should already implement a privacy impact assessment template which can then be filled in for each new system which comes into place.
Secondly, the standard contracts in place with data processors should set out the liability and risk allocation between parties for these requirements, to minimise large-scale issues occurring.
On a technical level, data collection techniques including cookies should be revised to ensure that excessive data collection is not occurring and that automated deletion processes are in place to remove personal data after a set period of time.