The General Data Protection Regulation (GDPR) sets out many detailed rules for how organizations should handle personal data, but it also identifies foundational principles that are just as important. One such principle is that of “data protection by design,” sometimes called “privacy by design.” To sum it up briefly, organizations must take a from-the-ground-up approach to data protection in which they are required to be good stewards of the personal data they collect and process. Data protection by design could even be called the GDPR’s key philosophy.

What the GDPR Says About It

Article 25 of the GDPR—titled “Data Protection by Design and by Default”—is the primary source on the subject. It’s worth taking a moment to read the actual text, but here is the short version.

Controllers must implement technical and organizational measures that are designed to:

1. Implement data-protection principles in an effective manner and integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.
2. Ensure that, by default, only personal data which is necessary for each specific purpose of the processing is processed.

The main takeaway is that, in order to meet obligations under the GDPR, data protection must be fully integrated into how organizations operate. In other words, compliance isn’t just an afterthought. While it may sound vague, the principle of data protection by design has real implications for organizations. Here are some of the most important.

Data Minimization

For years, a mantra among businesses has been, “Data is good. Collect as much as you can and put it to use.” This philosophy is fundamentally at odds with the GDPR’s data minimization requirement. Data minimization means that organizations must limit their processing of personal data to what is necessary for each specific purpose of processing. It applies to:

• The amount of personal data collected
• The extent of the processing
• The period of storage
• The data’s accessibility

For example, consider an online retailer that requires customers to submit their email addresses at checkout for the specific purpose of sending them a receipt. The collection of an email address is necessary for that specific purpose; however, if the retailer then uses the email addresses to send out unsolicited promotional emails, the extent of the processing has gone beyond what is necessary for the original purpose. While it may be necessary to retain that data for some amount of time, such as until the return period has expired, storing the email addresses indefinitely would violate the principle of data minimization, as would sharing them with outside parties for any other purpose than providing a receipt.

Data minimization must be the default setting. If an organization wants to use personal data for purposes beyond what was specified, it should first obtain the data subject’s informed consent.

Data Security

Once personal data enters into their care, data controllers have a responsibility to keep that data secure. What measures are appropriate will depend on the nature of the data and the processing. E.g., credit card numbers typically require more care than email addresses. Common data-security measures include:

• Encryption - Wherever practical, data encryption is a good practice for keeping data secure. In the event of a data breach, an organization will likely have to justify why any data was left unencrypted.

• Anonymization - Removing contextual elements so that data can no longer be linked to a specific individual helps protect data subjects and is an alternative to data deletion.
• Access Controls - Access to personal data should be restricted to those employees, contractors, and processors who require access in order to do their jobs. Password protection and permissions-based restrictions are common examples of this.

• Network Security and Maintenance - Organizations should ensure that adequate network security measures (firewalls, virus detection, etc.) are in place and software is kept up to date.

• Data Hygiene - Identifying a retention period for each processing activity and deleting personal data after that lifecycle has expired improves data security by reducing the overall amount of data that is at risk.

Procedures for Responding to Privacy Requests

A major component of GDPR compliance is responding to data subject requests as they come in. There are several types of requests:

• Access requests
• Deletion requests
• Requests to correct inaccuracies
• Object to processing
• Requests to limit processing
• Opt-out of automated decision-making

Responding to any of these data subject requests can be demanding, and they generally must be completed within a one-month time limit. This requires advance planning on the part of controllers, and failure to put procedures in place will not excuse inadequate or late responses.

‍