The General Data Protection Regulation (GDPR) contains a number of new obligations compared to the previous legislation. Since May 25, 2018, organizations have to ensure they comply with these requirements. An important question is: how? After all, a lot has to be done and a project requires an organisation-wide approach with several disciplines involved to become GDPR compliant. Additionally, there needs to be coordination at the administrative level. One of the new requirements is Privacy by Design (PbD, actually: Data Protection by Design). A good PbD approach makes it possible for organisations to deal with almost all aspects of GDPR compliance in a structured and well-organised way.
Privacy by Design means that the protection of privacy, or rather the protection of personal data, is included in the design of products or services. In the GDPR, the requirement is included in Article 25. The description there, however, provides little guidance and remains general. The article speaks about technical and organizational measures according to the state of the art. But how do you make this concrete without getting stuck in abstract principles such as justice and transparency?
A good way to do that is to look at which aspects give some meaning to PbD. In any event, only personal data necessary for the purpose may be processed. So first describe well what you want to process your personal data for. Then it is important to see whether it is really necessary to process personal data. Can the goal also be achieved with anonymous data? In that case, you will not process any personal data. If you really need personal data, there are a number of protective measures to be taken, such as pseudonymisation and encryption. These measures ensure that it is not always immediately clear to everyone who works with the data who they are dealing with. But also that if data is leaked unexpectedly, there will actually be no harm to the persons involved.
Next, it must be ensured that only people who need access to the data can actually access it. So, access control both physically (a closed building or space) and logically (technically with for example a user name and password and on the basis of an authorisation). Also, the data should not be stored for too long. That is determined on the basis of the goal. If you no longer need the data, it must be destroyed or anonymised. Sometimes, however, you do still have an obligation to archive.
Finally, the rights of data subjects (those to whom personal data relate) should apply as far as possible by default. This means that the settings for sharing information as a standard must be as privacy-friendly as possible. So not just share everything with everyone, but not share it, unless the user changes a setting. And further rights must be easy to exercise. In other words, the data subject must have access to his or her data, be able to correct them if necessary and, if necessary, have them deleted.
When PbD is applied correctly, most of the GDPR's requirements are automatically met. All the different aspects will be discussed and a clear overview will be obtained of the working method chosen and why certain choices were made. PbD is therefore the pivot for GDPR compliance and is, as practical approach, a very valuable tool for organizations. Communicating requirements and what that means to higher management will also be simplified.
To translate this into practice, Privacy Company has developed the Privacy by Design Framework. Various parts of the GDPR were analyzed to implement the PbD framework, and it was always indicated what that means for technology, for underlying documentation or procedures in the organisation, and what possible alternatives would be if a certain measure were to frustrate the business processes disproportionately. As a user of the PbD Framework, in a number of simple steps you will get a good idea of the measures you need to take to comply. The Framework also helps to ask the right questions during a development process and to obtain the right interaction between lawyers and technicians.
The Framework is designed to not only assist in complying with Privacy by Design in a specific new product or service, but also to assist in assessing an organization's general measures and procedures. A good risk assessment and a legitimacy check can also be carried out by walking past the various components of existing processes. And it is a proven tool for carrying out a data protection impact assessment, also known as a Privacy Impact Assessment.