The General Data Protection Regulation (GDPR) requires a risk-based approach to data protection.
Data controllers and processors must review and update their systems to ensure they remain robust. These systems must also ensure (1) data protection by design and (2) data protection by default.
Data protection by design and default
The concept of data protection by design is perhaps more familiar than that of data protection by default; however, both are new to EU data protection law via the GDPR.
Data protection by design begins prior to processing and incorporates data protection considerations into the planning phase. Data protection by default sustains those considerations into the processing phase, specifically by limiting the collection, processing, storage and accessibility of personal data.
These two data protection concepts are typically described as:
Data protection by design: Organisations should build data protection into their products throughout their lifecycles, specifically at the time of planning the means and type of processing and during the processing itself. Necessary safeguards should be integrated into the organisation's systems. The GDPR specifically highlights data minimisation (Articles 5(1)(c); 25) and pseudonymisation (Articles 4(5); 5(4)(e); 25(1); 32(1)) as privacy enhancing tools. A data protection programme assesses the risks of a product and takes steps to mitigate those risks in order to meet the data protection by design requirements.
Data protection by default: Where a product or service provides users with multiple setting options, the most data protective settings should be the default. Users should have to opt in to any setting that presents greater risks... not the other way around, Amazon! By default, a product or service processes only the personal data that is necessary. Considerations include: the purpose of processing, the amount of personal data collected, the extent of processing, the storage period and accessibility (Article 25).
CloudLegal can provide you with further advice if you need it!
Tel: 0800 6894168
What you can do now:
Download our free easy GDPR Awareness Q&A fact sheet from here.
Check out our DIY Audit, which offers a sensible and affordable DIY audit solution to suit your budget that you can use for your business to:
- understand what you need to do and assess your own preparations for, and levels of, GDPR compliance; and,
- assist with the implementation of your own GDPR Compliance Programme.
The document fully aligns with your key obligations in the GDPR. For more information, click here.