GDPR Privacy by Design & Default

Should Privacy by Design be mandatory?

Privacy by design and default (PBDD) may prove to be far more useful in the world of privacy and data protection than it is considered now. Under article 25 of the GDPR a controller is required to implement PBDD by appropriate technical and organisational measures – but is that enough?

Controllers are expected to consider data protection issues as part of the design and implementation of systems, IT, services, products and business practices. To integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle. To anticipate risks and privacy-invasive events before they occur.

Until there is a specific rule or tightening of regulation, organisations choose whether to actively take risk measures via PIA’s (Privacy Impact Assessments) and / or use privacy-enhancing technologies (PETs) organisations may not be protecting personal data sufficiently. Which means a lack of action could result in personal data being put at risk.

A 10 million euro (or 2% of global revenue) fine may be made if it is found that personal data was not protected; when a significant new service, policy or implementation affecting personal data was introduced, giving no real excuse for not introducing PBDD. Deslyon believes PBDD should be mandatory when it is clear personal data is at risk through an organisation making changes, potentially causing the organisation to be GDPR non-compliant and potentially in breach of the regulation.

It is understood that the UK ICO & EDPB (European Data Protection Board) is considering certificating PBDD (identifying certification criteria under articles 42 & 43 and EDPB approved certification mechanism draft guidelines). Until certification is in place that improves this situation for Privacy by design and default, Deslyon recommends all organisations processing personal data implement PBDD when making significant changes which includes personal data.

Organisations should ensure that personal data is automatically protected, specifically when major changes are made such as (say) replacing a HR system or developing new systems which include personal data. Where an organisation has a DPO (Data Protection Officer) it is likely they will ensure PBDD is carried out, where no DPO is employed, the security officer, GDPR specialist or similar representative will always benefit from practicing privacy by design and default.

Article by Phil Lyon, COO of Deslyon.
Phil Lyon, MBA, CISMP, ISO27001 Lead Auditor, GDPR Practitioner.
Contact info@deslyon.com to discuss how we can help your business.

Share this post on: