Data protection by design and default has long been promoted by the Information Commissioner's Office as best practice. The General Data Protection Regulation makes that best practice a mandatory obligation.
Under the GDPR, the University must:
1. consider data protection issues during project planning, system development, process design and implementation;
2. make data protection a core component of our systems and services;
3. put data subjects at the very centre of our thinking;
4. put in place appropriate technical and organisational measures to safeguard data.
Essentially, organisations need to ensure privacy issues are fully explored and addressed during project planning and process/system design stages and that appropriate technical and organisational measures are put in place to ensure that:
1. processing activities are GDPR compliant;
2. the rights and interests of data subjects are protected.
Article 25 (a) of the Regulation states:
The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
We are awaiting further guidance from the Information Commissioner's Office but the following examples provide an indication of the types of project likely to be covered:
When determining what measures to put in place, organisations will need to take into account:
In terms of possible mechanisms that could be engaged to reduce risk and demonstrate compliance, organisations could make use of:
The University will meet this obligation by embedding data protection considerations into project planning activities and by making use of tools including Privacy Impact Assessments (PIAs). The University will issue a PIA Policy, template and associated guidance shortly.
For further information see https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/accountability-and-governance/data-protection-by-design-and-default/.