The General Data Protection Regulation (GDPR) requires a risk-based approach to data protection.

Data controllers and processors must review and update their systems to ensure they remain robust. These systems must also ensure (1) data protection by design; and, (2) data protection by default.

Data protection by design and default

The concept of data protection by design is perhaps more familiar than that of data protection by default; however, both are new to EU data protection law via the GDPR.

Data protection by design begins prior to processing and incorporates data protection considerations into the planning phase. Data protection by default sustains those considerations into the processing phase, specifically by limiting the collection, processing, storage and accessibility of personal data.

These two items of data protection are typically described as:

Data protection by design: Organisations should build data protection into their products throughout their lifecycles-specifically at the time of planning the means and type of processing and during the processing itself. Necessary safeguards should be integrated into the organisation’s systems. The GDPR specifically highlights data minimisation (Articles 5(1)(c); 25) and pseudonymisation (Articles 4(5); 5(4)(e); 25(1); 32(1)) as privacy enhancing tools. A data protection programme assesses the risks of a product and takes steps to mitigate those risks to meet the data protection by design requirements.

Data protection by default: Where a product or service provides users with multiple setting options, the most data protective settings should be the default. Users should have to opt in to any setting that presents greater risks…not the other way around Amazon! By default, a product or service processes only the personal data that is necessary. Considerations include: purpose of processing, amount of personal data collected, extent of processing, storage period and accessibility (Article 25)

Let us know if we can help you!

Author: Yvonne Morris

Email: yvonne@cloudlegalsupport.com

website: www.cloudlegalsupport.com

twitter: @CloudLegals

FB: fb.com/cloudlegalsupport

CloudLegal is a tech-enabled legal support consultancy which promises practical commercial and jargon-free advice. We support all company matters, commercial contracts/ Ts & Cs (including software and IT), employment & HR as well as data protection matters. We have various services including: