GDPR - Privacy by design and default ... So what does this mean in practice?

Deborah Dillon, EU Data Privacy and GDPR Executive Consultant at Atos, explains 'privacy by design' and 'privacy by  default' and what this means for your organisation.

One of the key changes to be brought into the General Data Protection Regulation (GDPR) is that of “Privacy by Design” along with “Privacy by Default”. Basically, companies will now be obliged to take into account data privacy during design stages of all projects along with the lifecycle of the relevant data process.

For me personally, as a privacy person, this is a great concept. So many times in the past has a system been developed either in-house or nationally, where the final sign off lies with me – only for me to go back to the developers and say “you can’t do that with personal information!”. 'Grim Reaper to projects' was almost a term of endearment.

With “Privacy by Design and Default”, my Grim Reaper position vanishes! I am asked to help undertake a Privacy Impact Assessment with the development team right at the start of the project/system design.  

This implementation does not necessarily mean that an organisation must spend a large proportion of its project budget on this design, but to take more of a risk-based approach, taking into account the nature, purposes, context, and scope of the processing and their implications. This seems to be the preferred attitude of organisations due to the flexibility it affords, but it is yet to be tested, so caution should be advised here.

When deciding this, organisations should take into consideration a wide range of factors regarding the processing of personal data including the ease of collection, how the data can be suppressed (for example, if a customer chooses to not receive direct marketing) or how portable the data is under the GDPR.

Alongside the “Privacy by Design” issue lays the “Privacy by Default” obligation. Under this obligation, data controllers must implement appropriate measures both on a technical and organisation level to ensure that personal data collected is only used for the specific purpose mentioned. This means that the minimum required amount of personal data should be collected, minimise the processing and control their storage and accessibility.

So to summarise, the concept of Privacy by Design shouldn’t be too much of an issue for organisations which already possess a strong privacy policy and take data breaches into account when building new systems. However, the GDPR now makes this design mandatory rather than advisory, so being prepared is highly important and I can now take my cloak off and put down my scythe.