The General Data Protection Regulation (GDPR) sets out many detailed rules for how organizations should handle personal data, but it also identifies foundational principles that are just as important. One such principle is that of “data protection by design,” sometimes called “privacy by design.” To sum it up briefly, organizations must take a from-the-ground-up approach to data protection in which they are required to be good stewards of the personal data they collect and process. Data protection by design could even be called the GDPR’s key philosophy.
Article 25 of the GDPR—titled “Data Protection by Design and by Default”—is the primary source on the subject. It’s worth taking a moment to read the actual text, but here is the short version.
Controllers must implement technical and organizational measures that are designed to:
The main takeaway is that, in order to meet obligations under the GDPR, data protection must be fully integrated into how organizations operate. In other words, compliance isn’t just an afterthought. While it may sound vague, the principle of data protection by design has real implications for organizations. Here are some of the most important.
For years, a mantra among businesses has been, “Data is good. Collect as much as you can and put it to use.” This philosophy is fundamentally at odds with the GDPR’s data minimization requirement. Data minimization means that organizations must limit their processing of personal data to what is necessary for each specific purpose of processing. It applies to:
For example, consider an online retailer that requires customers to submit their email addresses at checkout for the specific purpose of sending them a receipt. The collection of an email address is necessary for that specific purpose; however, if the retailer then uses the email addresses to send out unsolicited promotional emails, the extent of the processing has gone beyond what is necessary for the original purpose. While it may be necessary to retain that data for some amount of time, such as until the return period has expired, storing the email addresses indefinitely would violate the principle of data minimization, as would sharing them with outside parties for any other purpose than providing a receipt.
Data minimization must be the default setting. If an organization wants to use personal data for purposes beyond what was specified, it should first obtain the data subject’s informed consent.
Once personal data enters their care, data controllers have a responsibility to keep that data secure. What measures are appropriate will depend on the nature of the data and the processing. For example, credit card numbers typically require more care than email addresses. Common data-security measures include:
A major component of GDPR compliance is responding to data subject requests as they come in. There are several types of requests:
Responding to any of these data subject requests can be demanding, and they generally must be completed within a one-month time limit. This requires advance planning on the part of controllers, and failure to put procedures in place will not excuse inadequate or late responses.
As the principle of data protection by design makes clear, GDPR compliance is not just cosmetic. It requires careful planning and deliberate action. For small and medium-sized organizations that lack data privacy expertise, this can prove a challenge.
Designed specifically for these types of organizations, TrueVault Polaris is a software solution that provides detailed, step-by-step guidance for achieving GDPR compliance. It also gives organizations the tools they need to stay compliant, such as privacy-request workflows and automated updates. Contact our team to learn more or schedule a demo.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal advice. This content is not a substitute for obtaining legal advice from a licensed attorney. The information on this page may be changed without notice and is not guaranteed to be complete, correct or up-to-date, and may not reflect the most current legal developments.