Our Digital Account Manager Igor Černiševski contributes to Netokracija’s GDPR series.
One of the changes the GDPR introduces is the requirement of “privacy by design” and “privacy by default.” Companies will face a specific obligation to take the privacy of personal data into consideration in the initial stages of a project, as well as throughout the data processing cycle.
What does the law provide?
The present EU Data Protection Directive makes no reference to the terms “privacy by design” or “privacy by default,” nor does it impose an explicit requirement defining privacy as high-priority in the planning stage of any project. However, the GDPR requires the data processor to implement appropriate technical and organizational measures to protect personal data against unlawful processing. By introducing the specific requirement of mandatory “privacy by design,” the GDPR defines the obligation to implement appropriate measures to ensure that privacy and data protection are no longer addressed subsequently, after the project has been completed, but instead already at the design stage.
Since the GDPR was first proposed in 2012, “privacy by design” has been a subject of debate. The primary objective was to make sure that the concept achieves the desired effectiveness. For example, the ICO has already published recommendations on “privacy by design” in the UK, encouraging companies to incorporate data protection and privacy into planning in the early stages of any project, and then also throughout the project lifecycle.
What does the law require?
Although the term “privacy by design” already exists, it now draws special focus and has a direct link to the GDPR. According to the proposed “privacy by design” requirements, companies will have to create harmonized policies, procedures, and systems as soon as they start developing any product or process.
The choice of appropriate measures must take into account the available methods and the cost of implementation. The GDPR applies a risk-based approach. When deciding what measures are appropriate, companies can take into account the nature, scope, context, and purpose of data processing, as well as the severity of the risk to individuals’ rights and freedoms. This approach means that companies will have greater flexibility in how they apply compliance on this issue in practice.
When making this decision, companies should consider certain specifics, for example when it comes to a CRM system or an employee database maintained by the HR department:
- Enabling storage of personal data that meets the access requirements;
- Allowing removal of data of customers who file a complaint about receiving direct marketing; or
- Enabling the data processor to meet the data portability requirements provided by the GDPR.
Processors also need to consider the possibility of pseudonymising personal data.
The GDPR also introduces the specific requirement of “privacy by default.” This means that processors must take appropriate measures to ensure that the only personal data being processed are those required for each specific processing purpose. According to the GDPR, processors must minimize the amount of data collected, the extent of their processing, the period of their storage, and their availability. In short, companies must process personal data only to the extent and in the scope necessary for the purpose of processing and must not keep them longer than required for this purpose. In particular, the data processor must ensure that, by default, personal data are not available to anyone, except if the data controller requests so.
Although the present directive contains requirements to ensure that excessive personal data are not processed and that they are retained only while necessary, the GDPR stipulates an explicit requirement to implement appropriate technical and organizational measures to meet these requirements.
What are the effects in practice?
The terms “privacy by design” and “privacy by default” are explicitly referenced in the GDPR, which means that companies have an obligation to implement internal procedures and actions to ensure the application of these requirements. Some of these steps can include:
- Creating a privacy impact study that the company can carry out whenever it designs, procures, or implements a new system;
- Revising standard contracts with data processors to determine how the risk—or the responsibility to meet these requirements—will be shared between partners;
- Harmonizing forms for collecting data on websites to prevent collecting any excessive data;
- Implementing automated deletion procedures for certain personal data, implementing technical measures to ensure that personal data are earmarked for deletion after a certain time period, etc.
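The following is an added example, not code from the original post or from Netokracija: it shows in Python how the measures discussed above (purpose-bound data minimisation and default-deny access from the “privacy by default” section, pseudonymisation, removal of data after an objection to direct marketing, and earmarking records for deletion after a retention period) can be expressed as ordinary application logic rather than left to policy documents. The purpose register, access grants, retention periods, field names and the demo key are all constructed assumptions for illustration.

```python
from __future__ import annotations

import hashlib
import hmac
from dataclasses import dataclass, field
from datetime import date, timedelta

# Hypothetical purpose register (assumption, not from the post): for each
# processing purpose, the only fields that may be collected and the
# retention period after which a record is earmarked for deletion.
PURPOSES = {
    "newsletter": {"fields": {"email"}, "retention_days": 365},
    "order_fulfilment": {"fields": {"email", "name", "address"}, "retention_days": 730},
}

# Hypothetical default-deny access register: a role sees data for a purpose
# only if the controller has explicitly granted it; everything else is hidden.
ACCESS_GRANTS = {
    "newsletter": {"marketing"},
    "order_fulfilment": {"logistics", "support"},
}

# Constructed demo key for keyed pseudonyms; a real deployment loads it from
# a secret store and keeps it separate from the pseudonymised data set.
PSEUDONYM_KEY = b"constructed-demo-key-do-not-reuse"


def minimise(raw: dict, purpose: str) -> dict:
    """Privacy by default: keep only the fields the declared purpose needs."""
    allowed = PURPOSES[purpose]["fields"]
    return {k: v for k, v in raw.items() if k in allowed}


def pseudonymise(identifier: str) -> str:
    """Keyed SHA-256 (HMAC): stable for matching across purposes, but not
    reversible or guessable from the data set alone without the key."""
    return hmac.new(PSEUDONYM_KEY, identifier.encode("utf-8"), hashlib.sha256).hexdigest()


@dataclass
class StoredRecord:
    subject: str              # pseudonym, never the raw identifier
    purpose: str
    data: dict                # already minimised for the purpose
    collected_on: date
    delete_after: date = field(init=False)
    marketing_objection: bool = False

    def __post_init__(self) -> None:
        days = PURPOSES[self.purpose]["retention_days"]
        self.delete_after = self.collected_on + timedelta(days=days)


def ingest(raw: dict, purpose: str, collected_on: date) -> StoredRecord:
    """Apply minimisation and pseudonymisation at the point of collection."""
    return StoredRecord(pseudonymise(raw["email"]), purpose, minimise(raw, purpose), collected_on)


def due_for_deletion(records: list[StoredRecord], today: date) -> list[tuple[StoredRecord, str]]:
    """Earmark records past retention, plus marketing data whose subject objected."""
    due = []
    for r in records:
        if today > r.delete_after:
            due.append((r, "retention period expired"))
        elif r.purpose == "newsletter" and r.marketing_objection:
            due.append((r, "objection to direct marketing"))
    return due


def visible_to(records: list[StoredRecord], role: str) -> list[StoredRecord]:
    """Default deny: release a record only for purposes the role is granted."""
    return [r for r in records if role in ACCESS_GRANTS.get(r.purpose, set())]


def run_demo() -> dict:
    """Constructed walk-through with an over-collecting web form; returns
    the facts a reviewer would check."""
    form = {"email": "ana@example.test", "name": "Ana Example",
            "phone": "+000 000 000", "address": "1 Example Street"}
    newsletter = ingest(form, "newsletter", collected_on=date(2017, 5, 1))
    order = ingest(form, "order_fulfilment", collected_on=date(2018, 5, 1))
    objector = ingest({"email": "ivo@example.test"}, "newsletter", collected_on=date(2018, 5, 20))
    objector.marketing_objection = True        # complaint about direct marketing
    records = [newsletter, order, objector]
    today = date(2018, 5, 25)
    return {
        "newsletter_fields": sorted(newsletter.data),
        "order_fields": sorted(order.data),
        "same_subject": newsletter.subject == order.subject,
        "subject_is_pseudonym": newsletter.subject != form["email"],
        "due_reasons": [reason for _, reason in due_for_deletion(records, today)],
        "visible_to_marketing": [r.purpose for r in visible_to(records, "marketing")],
        "visible_to_auditor": [r.purpose for r in visible_to(records, "auditor")],
    }


if __name__ == "__main__":
    for key, value in run_demo().items():
        print(f"{key}: {value}")
```

The deletion step only earmarks records and returns the reason; the actual erase job, its audit log and the handling of backups sit outside this snippet. Keeping the purpose and access registers as data rather than scattered `if` statements is what makes a later privacy impact review practical: a reviewer can read the two dictionaries and see exactly which fields each purpose collects, how long they live and who may see them.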