Data protection by design and default 

Background 

The concept of data protection by design and default has long been promoted by the Information Commissioner's Office as best practice. The General Data Protection Regulation makes that best practice a mandatory obligation. 

Essentially, organisations will need to ensure privacy issues are fully explored and addressed during project planning and process/system design stages and that appropriate technical and organisational measures are put in place to ensure that: 

1. processing activities are GDPR compliant;

2. the rights and interests of data subjects are protected. 

Article 25 (a) of the Regulation states:

The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.   

What kind of projects will be covered? 

We are awaiting further guidance from the Information Commissioner's Office but the following examples provide an indication of the types of project likely to be covered: 

  • building or migrating to new IT systems for storing or accessing personal data; 
  • developing or amending policies or strategies that have privacy implications; 
  • embarking on new data sharing initiatives;
  • using data for new purposes.  

What technical and organisational measures will need to be taken? 

When determining what measures to put in place, organisations will need to take into account:

  • the state of the art;
  • the cost of implementation;
  • the nature, scope, context and purposes of processing; and 
  • the risks of varying likelihood and severity for the rights and freedoms of natural persons posed by the processing. 

In terms of possible mechanisms that could be engaged to reduce risk and demonstrate compliance, organisations could make use of: 

  • pseudonymisation;
  • data minimisation;
  • storage limitation; 
  • access restrictions; 
  • technical solutions (e.g. encryption);
  • organisational measures (e.g. policies, procedures and workflows to comply with GDPR requirements). 
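As an added illustration (not part of the original guidance and not the University's own code), the following shows how three of the mechanisms listed above can be combined in a data pipeline: keyed pseudonymisation of the identifier, data minimisation to the fields the stated purpose needs, and storage limitation by dropping records past a retention period. The record fields, the two-year retention period and the key are constructed assumptions for the example.

```python
import hmac
import hashlib
from datetime import date, timedelta

# Constructed sample records; the field names are assumptions for illustration only.
SAMPLE_RECORDS = [
    {"student_id": "s1234567", "name": "A. Example", "email": "a@example.ac.uk",
     "course": "CS101", "grade": 72, "collected": date(2018, 1, 10)},
    {"student_id": "s7654321", "name": "B. Example", "email": "b@example.ac.uk",
     "course": "CS101", "grade": 58, "collected": date(2015, 9, 1)},
]

# Data minimisation: only the fields needed for the stated purpose
# (assumed here to be course-level grade analysis) leave the source system.
PURPOSE_FIELDS = ("course", "grade")

# Storage limitation: assumed retention period for this purpose.
RETENTION = timedelta(days=365 * 2)


def pseudonymise(identifier: str, key: bytes) -> str:
    """Keyed HMAC-SHA256 pseudonym: stable for one key, so records for the same
    person can be linked, but cannot be recomputed or reversed without the key.
    The key must be held separately from the dataset (e.g. by the data owner),
    otherwise the output is merely hashed, not pseudonymised."""
    return hmac.new(key, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def minimise(record: dict, fields=PURPOSE_FIELDS) -> dict:
    """Keep only the fields required for the purpose; name and email are dropped."""
    return {k: record[k] for k in fields}


def within_retention(record: dict, today: date, retention=RETENTION) -> bool:
    """Storage limitation check: has this record exceeded its retention period?"""
    return today - record["collected"] <= retention


def prepare_for_analysis(records, key: bytes, today: date) -> list:
    """Apply retention, minimisation and pseudonymisation before data leaves the source."""
    out = []
    for rec in records:
        if not within_retention(rec, today):
            continue  # expired data is not carried into the new processing
        row = minimise(rec)
        row["subject"] = pseudonymise(rec["student_id"], key)
        out.append(row)
    return out
```

The analysis team receives only the pseudonymised, minimised rows; re-identification requires the separately held key.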

How can we adopt a data protection by design and default approach? 

By embedding data protection considerations into project planning activities and by making use of tools such as Privacy Impact Assessments (PIAs). The University will issue a PIA Policy, template and associated guidance shortly.  

The ICO has published guidance on the concept of Privacy by Design. Whilst not focused on GDPR compliance, it does provide useful background on the subject. For further information see https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design/.