The General Data Protection Regulation (GDPR) for the first time addresses data protection by design as a legal obligation for data controllers and processors, making an explicit reference to data minimisation and the possible use of pseudonymisation. It also introduces the obligation of data protection by default, going a step further into stipulating the protection of personal data as a default property of systems and services.
Data protection by design and data protection by default represent the European interpretation of the concept of Privacy by Design primarily elaborated by the Ontario Privacy Commissioner at the end of the 1990s. This approach, which is based on seven core and founding principles, encourages controllers and processors to include data protection measures from the start of the process, at the design stage of their products and services. Since 2009, this approach has been strongly supported by the European authorities and was integrated into the reform of the European Data Protection Framework in 2012.
With the inception of the GDPR, taking the data protection by design approach is an essential tool in minimising privacy risks and building trust as well as being compliant with the GDPR itself. Going forward, organisations need to approach all their project management and risk management methodologies and practices from the point of view of data protection by design and by default. This will entail integrating core privacy considerations coupled with independent and robust Privacy Impact Assessments (PIAs).
PIAs are of fundamental importance under the GDPR. They are an integral part in taking a data-by-design approach and making sure that all internal processes and eventual privacy codes are also compliant to the concept of data protection by design.
New standards could also be embracing Data Protection by Design processes and we could see more harmonisation on this front. During the plenary meeting of CEN-CENELEC JWG 8 ‘Privacy management in products and services’ which took place in Paris on March 5th 2015, the Standardization bodies jointly accepted the standard request on ‘Privacy management in the design and development and in the production and service provision processes of security technologies’. The request aims at the implementation of Privacy-by-design principles for security technologies and/or services lifecycle. The new standardization deliverables are intended to define and share best practices, balancing security, transparency and privacy concerns for security technologies, manufacturers and service providers in Europe as well as embracing the intent behind the GDPR.
For more information or if you have any questions, please feel free to contact us on igauci@gtgadvocates.com
Disclaimer: This article is not intended to impart advice and readers are asked to seek verification of statements made before acting on them.