- Article 25 of the GDPR requires you to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is ‘data protection by design and by default’.
- In effect, this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle (ICO guide)
Data protection by design is effectively an approach that ensures you take privacy and data protection issues into consideration at the design phase of any system, service, product or process and then throughout the lifecycle.
Amongst others, this includes technology projects, app builds, developing new services, products and processes that involve processing personal data;
The law expects you to consider things like:
- adopting a ‘privacy-first’ approach with any default settings of systems and applications;
- making sure you do not provide a misleading choice to individuals in relation to the data you intend to process;
- not processing additional data unless the individual decides you can;
- ensuring that personal data is not automatically made publicly available to others unless the individual decides to make it so; and
- providing individuals with sufficient controls and options to exercise their rights.
What are we required to do?
Article 25 says that you must put in place appropriate technical and organisational measures designed to implement the data protection principles and protect individual rights.
There is no ‘one size fits all’ method to do this, and no one set of measures that you should put in place. It depends on your circumstances.
The key is that you consider data protection issues from the beginning of any processing activity.
When should we do this?
The GDPR requires you to consider “data privacy by design and by default”:
- ‘at the time of the determination of the means of the processing’ – i.e., when you are at the design phase of any processing activity; and
- ‘at the time of the processing itself’ – i.e during the lifecycle of your processing activity.