One of the changes due to be implemented under the new General Data Protection Regulation ("GDPR") is the explicit recognition of the concepts of 'privacy by design' and 'privacy by default'. Businesses will now find themselves subject to a specific obligation to consider data privacy at the initial design stages of a project as well as throughout the lifecycle of the relevant data processing.
What does the law require today?
The current EU Data Protection Directive (the "Directive") has no concept of 'privacy by design' or 'privacy by default', nor does it contain an explicit obligation that privacy should be a paramount consideration at the design stage of any project. However, the Directive does oblige the data controller to implement appropriate technical and organisational measures to protect personal data against unlawful processing. By imposing a specific 'privacy by design' requirement, the GDPR expands that obligation so that privacy and the protection of data are no longer an afterthought.
Since we first saw the draft of the GDPR in 2012, 'privacy by design' has been the subject of discussion by many regulators seeking to ensure that the concept achieves the desired effectiveness. For example, the UK's ICO has already issued guidance on 'privacy by design' and encourages organisations to ensure that privacy and data protection are a key consideration in the early stages of any project, and then throughout its lifecycle.
What will the General Data Protection Regulation require?
While the concept of 'privacy by design' already exists, it has now been given specific recognition, and is linked to enforcement. Under the proposed 'privacy by design' requirement, companies will need to design compliant policies, procedures and systems at the outset of any product or process development.
When implementing appropriate technical and organisational measures in this context, regard should be given to the state of the art and the cost of implementation. In the near-agreed unofficial final drafts of the GDPR (referenced by our colleagues Phil Lee and Hazel Grant here), it looks as if the risk-based approach favoured by the Council has won the day. In deciding what measures are appropriate, businesses may also take account of the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for the rights and freedoms of individuals. This approach will give businesses greater flexibility to determine what compliance looks like in practice.
In making such a determination, businesses may need to consider matters such as whether a system which processes the personal data of customers or employees would, for example:
- allow personal data to be collated with ease in order to comply with subject access requests;
- allow suppression of data of customers who have objected to receiving direct marketing; or
- allow the data controller to satisfy the data portability requirements of the GDPR.
Data controllers should also consider whether the relevant personal data can be pseudonymised – the latest unofficial draft of the GDPR makes specific reference to pseudonymisation as one example of a measure that is designed to integrate the necessary safeguards into the processing of personal data.
The GDPR also introduces a specific 'privacy by default' obligation. 'Privacy by default' requires that controllers implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing are processed. According to the latest unofficial draft of the GDPR, the effect of this requirement is that data controllers should minimise the amount of the data collected, the extent of their processing, the period of their storage and their accessibility. The bottom line is that, by default, businesses should only process personal data to the extent necessary for their intended purposes and should not store it for longer than is necessary for these purposes. In particular, the data controller should ensure that, by default, personal data are not made available without the individual's intervention to an indefinite number of people.
While the current Directive already requires that excessive personal data is not processed and that personal data is retained only for as long as is necessary, the GDPR contains an explicit obligation to implement appropriate technical and organisational measures designed to meet these requirements.
What are the practical implications?
The explicit mention in the GDPR of the requirements of 'privacy by design' and 'privacy by default' will mean that businesses must implement internal processes and procedures to address these requirements. Some practical steps that may be advisable include:
- implementing a privacy impact assessment template that the business can populate each time it designs, procures or implements a new system;
- revising standard contracts with data processors to set out how risk/liability will be apportioned between the parties in relation to the implementation of 'privacy by design' and 'privacy by default' requirements;
- revisiting data collection forms/web-pages to ensure that excessive data is not collected;
- having automated deletion processes for particular personal data, implementing technical measures to ensure that personal data is flagged for deletion after a particular period etc.
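To show what 'privacy by default', pseudonymisation and automated deletion can look like in a system rather than in a policy document, here is a small added illustration (not code from the original post or from any named regulator). It assumes a constructed purpose register, constructed field names and retention periods, and an example pseudonymisation key that would in practice be held separately from the data store.

```python
"""Privacy-by-default helpers, added as an illustration: keep only the fields a
purpose needs, pseudonymise the direct identifier, and flag records for deletion
once their retention period has passed. Purposes, fields, periods and the key
below are constructed assumptions, not values from the post."""
import hashlib
import hmac
from datetime import datetime, timedelta

# Assumed purpose register: the fields each purpose genuinely needs and how long
# they may be kept. Anything not listed here is not collected for that purpose.
PURPOSES = {
    "order_fulfilment": {"fields": {"name", "address"}, "retention": timedelta(days=365)},
    "newsletter": {"fields": {"email"}, "retention": timedelta(days=730)},
}

# Assumed key for pseudonymisation; hold it apart from the data it protects.
PSEUDONYM_KEY = b"example-key-not-for-production"


def pseudonymise(identifier: str) -> str:
    """Keyed hash: the same person always maps to the same pseudonym, but the
    pseudonym cannot be linked back to the person without the separate key."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode(), hashlib.sha256).hexdigest()[:16]


def collect(purpose: str, subject_id: str, submitted: dict, now_iso: str) -> dict:
    """Build the stored record for one purpose, keeping only the fields that purpose
    needs (privacy by default) and stamping it with a deletion deadline."""
    spec = PURPOSES[purpose]  # unknown purpose raises KeyError: nothing is stored
    now = datetime.fromisoformat(now_iso)
    kept = {k: v for k, v in submitted.items() if k in spec["fields"]}
    # Excess fields are dropped at the point of collection rather than stored "just in case".
    dropped = sorted(set(submitted) - spec["fields"])
    return {
        "pseudonym": pseudonymise(subject_id),
        "purpose": purpose,
        "data": kept,
        "dropped_fields": dropped,
        "delete_after": now + spec["retention"],
    }


def due_for_deletion(records: list, now_iso: str) -> list:
    """Return the records whose retention period has expired, i.e. those an
    automated deletion job should flag and remove."""
    now = datetime.fromisoformat(now_iso)
    return [r for r in records if r["delete_after"] <= now]
```

Running `due_for_deletion` on a schedule is the automated step; the purpose register is where the business records the outcome of its privacy impact assessment for each system.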