The General Data Protection Regulation (GDPR) sets out many detailed rules for how organizations must handle personal data, but it also identifies foundational principles that are just as important. One such principle is “data protection by design,” sometimes called “privacy by design.” In short, organizations must take a from-the-ground-up approach to data protection and act as good stewards of the personal data they collect and process. Data protection by design could fairly be called the GDPR’s key philosophy.
Article 25 of the GDPR—titled “Data Protection by Design and by Default”—is the primary source on the subject. It’s worth taking a moment to read the actual text, but here is the short version.
Controllers must implement technical and organizational measures that are designed to:
The main takeaway is that, in order to meet obligations under the GDPR, data protection must be fully integrated into how organizations operate. In other words, compliance isn’t just an afterthought. While it may sound vague, the principle of data protection by design has real implications for organizations. Here are some of the most important.
For years, a mantra among businesses has been, “Data is good. Collect as much as you can and put it to use.” This philosophy is fundamentally at odds with the GDPR’s data minimization requirement. Data minimization means that organizations must limit their processing of personal data to what is necessary for each specific purpose of processing. It applies to:
For example, consider an online retailer that requires customers to submit their email addresses at checkout for the specific purpose of sending them a receipt. Collecting an email address is necessary for that purpose; however, if the retailer then uses the addresses to send unsolicited promotional emails, the processing has gone beyond what is necessary for the original purpose. It may be necessary to retain the data for some period, such as until the return window has closed, but storing the addresses indefinitely would breach the storage-limitation and data-minimization principles, as would sharing them with outside parties for any purpose other than providing the receipt.
Data minimization must be the default setting. If an organization wants to use personal data for a purpose beyond the one specified at collection, it needs a lawful basis for that new purpose, and in practice that usually means first obtaining the data subject’s informed consent.
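The retailer scenario above can be enforced in code rather than left to policy. The following is an added example, not code from the original article or from TrueVault: a small store in which every email address is bound to the purpose that justifies holding it and a retention deadline for that purpose. Reads for a purpose the subject never agreed to are refused, a new purpose (marketing) must be granted explicitly with its own retention period, and a sweep deletes records once no live purpose remains. All names, the 30-day return window and the sample customers are constructed for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone


class PurposeNotPermitted(Exception):
    """Raised when data is requested for a purpose the subject never agreed to."""


@dataclass
class Purpose:
    name: str
    retain_until: datetime  # deadline after which this purpose no longer justifies storage


@dataclass
class Record:
    subject_id: str
    email: str
    purposes: dict = field(default_factory=dict)  # purpose name -> Purpose


class PersonalDataStore:
    """Holds email addresses only together with the purpose(s) that justify them."""

    def __init__(self):
        self._records: dict = {}

    def collect(self, subject_id, email, purpose, retain_for, now):
        # Collection always names a purpose and a retention period (minimization by default).
        rec = self._records.get(subject_id)
        if rec is None:
            rec = Record(subject_id, email)
            self._records[subject_id] = rec
        rec.purposes[purpose] = Purpose(purpose, now + retain_for)
        return rec

    def grant_consent(self, subject_id, purpose, retain_for, now):
        # A new purpose such as marketing is recorded separately, with its own deadline,
        # rather than being inherited from the checkout purpose.
        rec = self._records[subject_id]
        rec.purposes[purpose] = Purpose(purpose, now + retain_for)

    def email_for(self, subject_id, purpose, now):
        # The address is released only for a purpose that is both granted and still live.
        rec = self._records.get(subject_id)
        if rec is None:
            raise KeyError(subject_id)
        p = rec.purposes.get(purpose)
        if p is None or p.retain_until < now:
            raise PurposeNotPermitted(f"{purpose!r} not permitted for {subject_id}")
        return rec.email

    def purge_expired(self, now):
        """Drop expired purposes; delete any record left with no live purpose. Returns deleted ids."""
        removed = []
        for sid, rec in list(self._records.items()):
            rec.purposes = {n: p for n, p in rec.purposes.items() if p.retain_until >= now}
            if not rec.purposes:
                del self._records[sid]
                removed.append(sid)
        return removed

    def __len__(self):
        return len(self._records)


def demo():
    """Walk through the retailer scenario with constructed sample data."""
    t0 = datetime(2024, 1, 1, tzinfo=timezone.utc)
    store = PersonalDataStore()
    # Two checkouts: the address is kept for the receipt and a hypothetical 30-day return window.
    store.collect("cust-1", "alice@example.com", "receipt", timedelta(days=30), t0)
    store.collect("cust-2", "bob@example.com", "receipt", timedelta(days=30), t0)

    results = {}
    results["receipt_ok"] = store.email_for("cust-1", "receipt", t0) == "alice@example.com"
    try:
        store.email_for("cust-1", "marketing", t0)  # never consented to: refused
        results["marketing_blocked"] = False
    except PurposeNotPermitted:
        results["marketing_blocked"] = True

    # Explicit consent adds marketing as a separate purpose with its own retention period.
    store.grant_consent("cust-1", "marketing", timedelta(days=365), t0)
    results["marketing_after_consent"] = store.email_for("cust-1", "marketing", t0) == "alice@example.com"

    # After the return window, the receipt purpose expires: cust-2 is deleted outright,
    # cust-1 survives only because the marketing purpose is still live.
    t1 = t0 + timedelta(days=31)
    results["purged"] = store.purge_expired(t1)
    results["remaining"] = len(store)
    try:
        store.email_for("cust-1", "receipt", t1)  # expired purpose: refused
        results["receipt_expired"] = False
    except PurposeNotPermitted:
        results["receipt_expired"] = True
    return results


if __name__ == "__main__":
    print(demo())
```

The point of the design is that the retention deadline and the permitted purposes travel with the data itself, so a later engineer cannot reuse the address for a campaign without an explicit, logged grant, and the purge job needs no knowledge of business rules beyond the deadlines already recorded.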
Once personal data enters their care, data controllers have a responsibility to keep that data secure. Which measures are appropriate depends on the nature of the data and the processing; credit card numbers, for example, typically require more care than email addresses. Common data-security measures include:
A major component of GDPR compliance is responding to data subject requests as they come in. There are several types of requests:
Responding to any of these data subject requests can be demanding, and they generally must be completed within one month of receipt (extendable by up to two further months where requests are complex or numerous, provided the data subject is told within the first month). This requires advance planning on the part of controllers, and failure to put procedures in place will not excuse inadequate or late responses.
As the principle of data protection by design makes clear, GDPR compliance is not just cosmetic. It requires careful planning and deliberate action. For small and medium-sized organizations that lack data privacy expertise, this can prove a challenge.
Designed specifically for these types of organizations, TrueVault Polaris is a software solution that provides detailed, step-by-step guidance for achieving GDPR compliance. It also gives organizations the tools they need to stay compliant, such as privacy-request workflows and automated updates. Contact our team to learn more or schedule a demo.
Disclaimer: This content is provided for general informational purposes only and does not constitute legal or other professional advice. Without limiting the foregoing, the content may not reflect recent developments in the law, may not be complete, and may not be accurate or relevant in an applicable jurisdiction. This content is not a substitute for obtaining legal advice from a qualified licensed attorney in the applicable jurisdiction. The content is general in nature and may not pertain to specific circumstances, so it should not be used to act or refrain from acting based on it without first obtaining advice from professional counsel qualified in the applicable subject matter and jurisdictions.
Our attorney-designed software guides you step by step through the compliance process from start to finish.
201 Mission Street, 12th Floor
San Francisco, CA 94105
Email: hello@truevault.com
2024 © All Rights Reserved.