GDPR The Basic Facts — Privacy by design
This e-book is derived from a full GDPR course I created that has had over 11,000 student enrolments. I thought it would be useful to provide a version on Medium. Data protection law can be complex and an e-book cannot be sure to cover your organisation’s circumstances, so be sure to seek professional advice if you have any doubts when processing personal data.
In this chapter I cover the concept of Privacy by design.
The GDPR develops the existing obligations on organisations to implement appropriate “organisational and technical measures” to protect personal data. Under the GDPR organisations now have an obligation to consider those measures when designing business processes that handle personal data.
Before processing personal data, organisations must consider how they are able to support the data processing principles, ensuring their design meets the regulation.
“Organisational and technical measures” can mean any steps that an organisation takes to protect personal data or improve compliance with the data processing principles. For example, anonymising data, access controls, firewalls, partitioning access to systems, multiple stage authorisation processes and training could all constitute appropriate organisational and technical measures depending on the processes and the data being handled.
For each new process introduced, organisations must consider the process’s characteristics, such as the scope of processing, the sensitivity of the data and the risks to data subjects if things go wrong. Once this is understood, appropriate levels of protection can be determined. The regulation is not prescriptive about the nature of the “organisational and technical measures” that are needed but does require organisations to document their decisions in line with the accountability principle.
Privacy management begins with careful consideration and documentation of an organisation’s plans to process data, or to amend processes for existing data processing. This should cover as a minimum implementation of measures that meet the principles of data protection by design and data protection by default.
This includes measures such as:
· Using Data Protection Impact Assessments to decide on risk levels associated with processing. This enables a business to consider and manage risks in their data processing activities. The ICO has a template available that guides you through the steps of the impact assessment.
· Treating data protection as the starting point for all activities. The concept of “data protection by default” means that an organisation is set up to ensure that only the personal data that is necessary for the processing activity is used by the business. This could include processes that minimise the capture of information, ensure its prompt deletion after it has served its useful purpose or even restrict the availability of data to those specific employees who need access to perform their role. Each of these actions is a form of data minimisation and, when built into a system or business process, happens by default rather than by specific action.
· Creating and improving processing and security features on an ongoing basis. Maintenance and improvement are an essential part of effective privacy by design. After all, those people looking to breach your security won’t stop trying to develop new ways in.
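The three “by default” behaviours described above (minimising what is captured, deleting data once its purpose is served, and restricting access to the roles that need it) can be built into a system rather than left to individual judgement. The following Python is an added illustration written for this e-book version, not part of the original course material: it models a hypothetical payroll record store with a constructed list of required fields, a constructed role-to-field map and a constructed six-year retention period. Fields outside the purpose are dropped at the point of capture (and reported so the decision can be documented), reads are filtered per role, and expired records are purged by a routine that a scheduler would call.

```python
"""Privacy-by-default controls for a record store.

Added example (not from the e-book or any GDPR regulator template).
All field names, roles and the retention period below are constructed
for illustration of a hypothetical payroll process.
"""
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone

# Only the fields this processing purpose genuinely needs (data minimisation at capture).
REQUIRED_FIELDS = frozenset({"employee_id", "name", "bank_reference"})

# Which fields each role may read (availability restricted to those who need it).
ROLE_FIELDS = {
    "payroll": REQUIRED_FIELDS,
    "line_manager": frozenset({"employee_id", "name"}),
}

# Constructed retention period; a real figure comes from the documented retention schedule.
RETENTION = timedelta(days=365 * 6)


@dataclass
class Record:
    data: dict
    created: datetime


class PayrollStore:
    def __init__(self, now=None):
        self._records = {}
        # Injectable clock so retention can be exercised deterministically.
        self._now = now or (lambda: datetime.now(timezone.utc))

    def capture(self, submitted: dict) -> dict:
        """Keep only REQUIRED_FIELDS; report what was dropped for the accountability record."""
        kept = {k: v for k, v in submitted.items() if k in REQUIRED_FIELDS}
        missing = REQUIRED_FIELDS - kept.keys()
        if missing:
            raise ValueError(f"missing required fields: {sorted(missing)}")
        dropped = sorted(set(submitted) - REQUIRED_FIELDS)
        self._records[kept["employee_id"]] = Record(kept, self._now())
        return {"stored": sorted(kept), "dropped": dropped}

    def read(self, employee_id: str, role: str) -> dict:
        """Return only the fields the caller's role is permitted to see."""
        allowed = ROLE_FIELDS.get(role)
        if allowed is None:
            raise PermissionError(f"role {role!r} has no access to payroll records")
        record = self._records[employee_id]
        return {k: v for k, v in record.data.items() if k in allowed}

    def purge_expired(self) -> list:
        """Delete records older than RETENTION; return the ids removed for the deletion log."""
        cutoff = self._now() - RETENTION
        expired = sorted(eid for eid, r in self._records.items() if r.created < cutoff)
        for eid in expired:
            del self._records[eid]
        return expired


def demo():
    """Walk one constructed record through capture, role-filtered read and retention purge."""
    clock = [datetime(2024, 1, 1, tzinfo=timezone.utc)]
    store = PayrollStore(now=lambda: clock[0])
    # Constructed submission carrying more than the purpose needs.
    result = store.capture({
        "employee_id": "E1",
        "name": "A. Example",
        "bank_reference": "REF-0001",
        "home_address": "1 Example Street",   # not needed for payroll: dropped
        "date_of_birth": "1980-01-01",        # not needed for payroll: dropped
    })
    manager_view = store.read("E1", "line_manager")
    clock[0] += RETENTION + timedelta(days=1)  # advance past the retention period
    purged = store.purge_expired()
    return result, manager_view, purged


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the minimisation, access restriction and deletion decisions live in one place, are applied to every record without anyone having to remember them, and each produces output (dropped fields, purged ids) that can be written to an audit log as evidence for the accountability principle.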
To summarise, privacy by design requires privacy to be the default setting applied to business processes that use personal data.
Data Privacy Impact Assessments
One way for organisations to meet the requirement for privacy by design and ensure that the accountability principle is met is to follow a “Data Privacy Impact Assessment” process.
This process should be followed whenever a new process is being planned that uses personal data in a way that could present a high risk to individuals’ data. For existing business processes that are already up and running, a privacy impact assessment should be considered when the scale, scope, recipients of the data, the reason for processing or the risk to the data subject is changing. For example, if a payroll process that is using the data of a few hundred people is being expanded to include several thousand people’s data, then it may be appropriate to conduct a privacy impact assessment.
Even without any change, organisations may want to consider privacy impact assessments on existing processes that have been in place for some time if those processes present a high risk to the management of personal data. Reviewing existing processes may demonstrate a need to modernise processes or technology to close security vulnerabilities that have become apparent since the process was put in place.
Organisations should have a pre-defined privacy impact assessment template that is used each time a business process or system is implemented or changed. Most EU regulators have pre-prepared templates that can be adopted by organisations.
The privacy impact assessment should consider the business process against the GDPR processing principles, ensuring that matters such as data minimisation and data retention are considered alongside a general review of what the data processing activities are, what risks the processes present to individuals and how to respond to those risks. Particular attention should be paid to the appropriate organisational and technical measures that could be employed to protect personal data.