The must-anticipated General Data Protection Regulation will finally take effect next spring, and according to most recent studies, only a minority of organizations are prepared for the new rules.

One part of the GDPR that organizations should take not of now is Article 25, which requires the use of appropriate technical and organizational measures that protect the security and privacy of personal data on European citizens.

This process, known as “data protection by design” requires that at all stages of the development, implementation, and operation of a product, the responsible entity ensures that the collection, use, storage, transmission or deletion of personal data is conducted in accordance with the GDPR, including, for example, data minimization, limited retention or appropriate data security.

Fotolia

Article 25 also requires that controllers ensure that, by default, only the personal data that is necessary for a specific purpose are processed. These two elements are the foundation of the design of a GDPR compliant product.

Data Protection by Design

Data Protection by Design starts with evaluating the purposes and functionality of the proposed product, the categories of data that might be collected, and the intended uses, sharing, retention, or disposal of the data. Only a clear and detailed flowchart identifying the different components of the design, the categories of data collected, the categories of recipient of the data, and the intended use of the data, will allow understanding the potential effect of that design on the privacy rights of the end-users and other affected parties.

The flowchart should be analyzed to determine whether, and the extent to which, the proposed activities meet the GDPR data protection principles.

For example, is all data that is proposed to be collected acquired “fairly and legally”? Are there any legal justifications that allow the collection of the data? Or should there be a technical process in place to allow the end-user to consent to the use of the data? How should that consent be obtained to ensure adequate user experience? Is the amount of data collected appropriate for the proper operation of the product? Or should the amount or nature of the data collected be reduced or modified to ensure that only the information that is strictly necessary is collected?

From the earliest stage of conception and development, sound security measures should be identified and encoded in the software or other technology used in the product or as part of the service. Adequate security must be present in the entire life cycle. For example, access to data should be guarded with appropriate authentication measures, and modification of existing data should be allowed only to specified individuals.

Disposal of data, when the product or service is dismissed or terminated, should be planned and programmed accordingly, and incorporated within the coding, so that all data stored in the associated databases, memory, or other storage devices is properly and securely deleted.

The duration of data retention should be limited both as part of the original design and subsequent updates to that design, to ensure that data is kept for the minimum amount of time necessary, thereby avoiding the retention of unnecessary data and reducing the risk of theft or loss. Attention to the detail, variety, and flexibility of security measures from the early stages of development is especially important in view of the substantial risk of a breach of security.

Data Protection by Default

The design should also incorporate the proper analysis and processes for ensuring “data protection by default,” as required by GDPR Article 25(2). “Data protection by default” requires that the initial settings be set, so that, by default, the highest levels of privacy, security, and data protection are provided to the end user. This would include, for example, limiting the amount of information that is automatically collected.

The design should ensure that personal data is not inadvertently made accessible to an unlimited number of persons by default. Instead, the initial product settings should prohibit disclosure, sharing or access and should require the prior intervention of the concerned individual before the data can be disseminated or disclosed to others.

Integration with Existing Structures

The review of the different aspects of the flowchart should take into account the existing privacy policy of the company to ensure that the proposed collection, storage, processing or sharing is in line with the company’s existing privacy and data protection values. If there are discrepancies, the product or these documents and policies would have to be updated accordingly.

Methodology

To ensure that all important aspects are covered, the review could be organized using the same methodology as that which is used to conduct data protection impact assessments. This will help determine the extent to which the proposed processing is likely to pose risks to the privacy of individuals or the security of their personal information. In the end, the analysis described above should result in the creation of a list of requirements, restrictions or conditions to be followed in the design and development of the product and throughout the entire period during which the product is put in use.

Conclusion

Data protection by design and by default principles provide important guidance for the development and operation of a product or service. They translate into practical application the general principles that are found in most data protection laws, and in the fair information practices principles, as well. They help guide the creation of a solid base that helps balance the legitimate interest or right of individuals in protecting the privacy and security of their personal information and the business and other objectives of companies collecting and processing the data.

Register or login for access to this item and much more

All Information Management content is archived after seven days.

Community members receive:
  • All recent and archived articles
  • Conference offers and updates
  • A full menu of enewsletter options
  • Web seminars, white papers, ebooks

Don't have an account? Register for Free Unlimited Access

Françoise Gilbert

Françoise Gilbert

Françoise Gilbert is a global privacy and cybersecurity attorney with Greenberg Traurig in Silicon Valley.