The concept of data protection by design and default has long been promoted by the Information Commissioner's Office as best practice. The General Data Protection Regulation makes that best practice a mandatory obligation.
Essentially, organisations will need to ensure privacy issues are fully explored and addressed during project planning and process/system design stages and that appropriate technical and organisational measures are put in place to ensure that:
1. processing activities are GDPR compliant;
2. the rights and interests of data subjects are protected.
Article 25 (a) of the Regulation states:
The controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
We are awaiting further guidance from the Information Commissioner's Office but the following examples provide an indication of the types of project likely to be covered:
What technical and organisational measures will need to be taken?
When determining what measures to put in place, organisations will need to take into account:
In terms of possible mechanisms that could be engaged to reduce risk and demonstrate compliance, organisations could make use of:
How can we adopt a data protection by design and default approach?
By embedding data protection considerations into project planning activities and making use of tools including Privacy Impact Assessments (PIAs). The University will issue a PIA Policy, template and associated guidance shortly.
The ICO has published guidance on the concept of Privacy by Design. Whilst not focused on GDPR compliance, it does provide useful background on the subject. For further information see, https://ico.org.uk/for-organisations/guide-to-data-protection/privacy-by-design/.