Countdown to GDPR #2: Privacy by Design and by Default
The deadline for compliance with GDPR is closing in and many of us are grappling with its regulations and their impact. In this blog series, we’re unpacking GDPR’s key provisions and exploring the implications for your compliance and technology teams.
We started the series with Countdown to GDPR: The Right to Be Forgotten where we detailed a key GDPR Rule – The Right to Erasure.
In this blog we tackle another significant rule: Privacy by Design/Default. Privacy by Design, the notion of embedding provisions for privacy directly into the design of software, is a term familiar to both legal and technical communities. The GDPR now makes it mandatory rather than a nice-to-have.
The Rule Explained
The Right to Privacy is the EU provision under which organizations are obligated to implement technical and organisational measures in their IT systems to protect the privacy of data subjects.
Article 25 of the GDPR, Data protection by Design and by Default, states that:
- …The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
- …The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed….
How do I Achieve Compliance?
As with any new regulation, it is open to multiple interpretations. What we do know is that to a demonstrable extent, technical measures to protect privacy must be incorporated in the design of the IT and application systems. The “privacy by default” caveat further mandates that only the minimally required amount of personal data should be processed and/or stored.
As privacy has been a long-standing software requirement, compliance may not require an overhaul of current processes and systems. They should, however, be re-examined in light of the regulation.
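Article 25 names two concrete technical measures, pseudonymisation and data minimisation by default, and the sketch below shows one way of building both into a processing pipeline: every processing purpose must register the fields it needs, direct identifiers are replaced by a keyed pseudonym, and anything unregistered is dropped. This is an added illustration, not code from the original post or from any GDPR guidance; the purposes, fields, sample record and placeholder key are all constructed for the example.

```python
import hmac
import hashlib
from typing import Any, Dict

# Added illustration; the purposes, fields, sample record and key below
# are constructed and not taken from the original post.

# The pseudonymisation key must be held apart from the pseudonymised data,
# since the GDPR's definition of pseudonymisation requires the additional
# information needed for re-identification to be kept separately.
# Placeholder value: a real deployment loads this from a key store or HSM.
PSEUDONYM_KEY = b"placeholder-key-replace-me"

# Privacy by default: each processing purpose declares what it needs.
# "plain" fields pass through; "pseudonymise" fields are replaced by a
# keyed pseudonym; every other field in the record is dropped.
PURPOSES: Dict[str, Dict[str, frozenset]] = {
    "order_fulfilment": {
        "plain": frozenset({"order_id", "shipping_address", "email"}),
        "pseudonymise": frozenset(),
    },
    "analytics": {
        "plain": frozenset({"order_id", "country"}),
        "pseudonymise": frozenset({"email"}),
    },
}


def pseudonymise(value: str, key: bytes = PSEUDONYM_KEY) -> str:
    """Keyed, deterministic pseudonym (HMAC-SHA256, hex encoded).

    Deterministic so the same subject maps to the same pseudonym across
    records; keyed so a plain hash of a guessed email address cannot be
    matched against it without the separately held key.
    """
    return hmac.new(key, value.encode("utf-8"), hashlib.sha256).hexdigest()


def minimise(record: Dict[str, Any], purpose: str) -> Dict[str, Any]:
    """Return only the data the given purpose is registered to receive.

    An unknown purpose releases nothing: deny-by-default means a new
    feature has to register its needs (and have them reviewed) before
    it sees any personal data.
    """
    if purpose not in PURPOSES:
        raise ValueError(f"purpose {purpose!r} is not registered; no data released")
    spec = PURPOSES[purpose]
    out: Dict[str, Any] = {}
    for field, value in record.items():
        if field in spec["plain"]:
            out[field] = value
        elif field in spec["pseudonymise"]:
            out[f"{field}_pseudonym"] = pseudonymise(str(value))
        # any other field is not needed for this purpose and is dropped
    return out


# Constructed sample record, as an ingestion system might hold it.
SAMPLE_RECORD = {
    "order_id": "A1001",
    "email": "alice@example.com",
    "shipping_address": "1 Example Street, Dublin",
    "country": "IE",
    "date_of_birth": "1990-01-01",
    "phone": "+353 1 000 0000",
}


def released_fields(purpose: str) -> frozenset:
    """Fields a purpose would receive from SAMPLE_RECORD; useful input for a PIA table."""
    return frozenset(minimise(SAMPLE_RECORD, purpose))


if __name__ == "__main__":
    for name in PURPOSES:
        print(name, minimise(SAMPLE_RECORD, name))
```

The purpose table doubles as evidence for the "demonstrate compliance" requirement: it states, per purpose, exactly which personal data is processed and in what form, which is the kind of record a Privacy Impact Assessment asks for.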
Here are a few pointers to get started:
- Get all your teams on the same secure page: Your security and engineering teams should work together to examine existing data collection, controlling/processing and storage workflows and policies to ensure that design processes are in place to meet compliance with this requirement of the GDPR.
- Demonstrate Compliance: Under the GDPR, demonstrating compliance is as important as adhering to the regulations. A Privacy Impact Assessment (PIA) of various systems will go a long way in doing both. It can also be used to guide future design decisions.
- Verify Vendor Agreements: Review your agreements with CSPs, vendors and data controllers to check that data collection and processing is minimal and secure.
What are your concerns about the GDPR and Privacy by Design? Add a comment below or drop me a note @scarabeetle and use #CountdowntoGDPR. Or listen to my discussion on GDPR on The Hot Aisle #73 podcast here where I talk about these issues and more.
In my next blog post in the series, I’ll write about the emerging role of a Data Protection Officer.