With only a year to go until implementation of the EU General Data Protection Regulation (“GDPR”), organisations should now be prioritising a review of their data protection practices. As part of this, consideration should be given to ‘data protection by design and by default’ and what this means for your organisation.
Data protection by design and by default
The concept of ‘data protection by design and by default’ is given statutory footing in the GDPR. In essence, this means that data protection should be considered when deciding what personal data you need and how you are going to process it, including how you are going to collect it, store it, share it and dispose of it. Data protection by design and by default means implementing appropriate technical and organisational measures to safeguard personal data, including limiting access to it, storing it in a pseudonymised format and ensuring data is only used and retained as long as necessary for the purpose for which it was obtained.
With the introduction of GDPR, it is crucial that everyone in an organisation is aware of and understands the importance of data protection. Privacy and data protection should be a core part of project design and planning and not an afterthought relegated to compliance and legal officers. It is important that those designing and developing tools and projects consider data protection in the early planning stages in order to ensure a compliant solution. One demonstrable way of doing this is carrying out a data protection impact assessment (“DPIA”), which will become mandatory under GDPR for certain types of processing.
Data protection impact assessment
A DPIA assesses the impact of the envisaged processing operation, for example the use of new technology, on the protection of personal data. A DPIA should be undertaken prior to processing the personal data and then updated throughout the lifecycle of the project. A DPIA should assess the necessity and proportionality of the processing, the risks that the processing poses to the rights of individuals, and what measures have been taken to address these risks and demonstrate compliance with the GDPR.
In a digital world and economy, the flows of data are becoming increasingly complex. Data that might not necessarily be considered personal data can, depending on how it is gathered and stored, reveal a huge amount about our lives. For example, data gathered by smart meters, which track energy as you use it, may be used to infer details of your home life, such as when you leave the house, when you go to sleep and when your appliances are running, which in turn may indicate when you cook and watch TV. Therefore, whether your organisation is designing a new product, service or marketing campaign, it is of key importance to consider and address data protection and privacy implications early on.
Failure to prepare for and comply with the requirements of GDPR can result in significant reputational and financial consequences for your organisation.
Anderson Strathern’s experts in data protection can provide you with further information, training programmes and advice to help your organisation prepare for the implementation of the GDPR.