Implementing Data Protection
What does Data Protection by Design and by Default mean?
Data Protection by Design and by Default (DPbDD) is the term used by the GDPR that refers to the actions that must be taken to ‘protect’ the processed personal data. Those actions can be summarized as: 1) by default, only process personal data that is strictly necessary, and 2) implement technical and organizational measures to protect the processing of that data, from the start, into the project design and throughout the whole lifecycle of the project. The obligation to implement DPbDD is stated in Art. 25 of the GDPR.
We have summarized the DPbDD requirements below in a way that we hope will facilitate the application of these requirements to the project design of any activity that processes personal data.
- Purpose: Identify the purpose of your project and describe why using personal data is necessary to achieve your purpose.
You must be able to show why you need personal data to achieve your project goals. If you want to know people’s opinion on a given subject, you will likely need to conduct surveys or interviews to collect those opinions. In turn, every type of data collected to achieve the overall purpose must itself have a clear and specific purpose. For example, in order to set up an interview, it is necessary to collect the interviewee’s contact information – and that information will only be used for the (clear and specific) purpose of setting up an interview, and will not be used for other unrelated purposes.
You should not use collected data for purposes other than those disclosed to the individual – unless the newly proposed processing is compatible with the original one (Art 6(4)). Keep in mind that previously collected data can sometimes be further processed for scientific research purposes (Art 5(1)(b)), but only when such processing activities involve appropriate safeguards (as described in Art 89(1)).
Your data processing must be lawful (Art 5(1)(a)), which means that you must rely on one of the 6 codified reasons why you need to process personal data – the ‘lawful basis’. Consent is the most used lawful basis for research projects, but public task is also used for some types of research projects where it is not possible to ask for consent. Read more about lawful basis here.
- Safe processing: Identify the minimum amount of personal data processing that will still satisfy your purposes, and define a way to process the data that will keep it sufficiently secure and under proper control.
You must be able to show that the way you intend to process personal data is safe and limited to a minimum – both in terms of amount of data and its storage retention.
You start by defining your data subjects (the people behind the data): Who are they? How will you approach them? How many individuals will you contact? Will a potential imbalance of power exist with them? Next, you will define the types of data and the specific purposes each data type will fulfil (for example, you may be collecting contact information only for the purpose of arranging a date/time for an interview). This will demonstrate compliance with the principle of data minimisation (Art 5(1)(c)): that you only collect and process personal data that are adequate, relevant, and limited to what is necessary for the purposes for which they are processed.
You will also need to describe how you will process the data: how you are planning to collect, record, organize, structure, store, transmit, disseminate, share, delete and/or anonymise it. The goal is to demonstrate compliance with the accuracy (Art 5(1)(d)), storage limitation (Art 5(1)(e)) and integrity and confidentiality principles (Art 5(1)(f)) – that personal data are checked regularly, are kept up to date, and are not kept for longer than required to achieve the project purposes (depending on the circumstances and nature of the personal data), and that appropriate security measures are in place to protect personal data against accidental or deliberate harm, loss, or dissemination.
- Inform and control: Ensure that the people behind the data (the “data subjects”) fully understand your purposes and the way their data will be processed, and understand how they can exercise their data protection rights.
Data subjects must understand the full scope of the processing. The principle of transparency (Art 5(1)(a)) is all about being clear, open and honest with the people behind the processed personal data, from the start, about who you are, and how and why you use their personal data. When individuals are properly informed, their expectations of the overall process will match the actual data processing, so they won’t be surprised by the way their personal data is being processed.
The principle of fairness (Art 5(1)(a)) indicates that personal data must be handled in ways that individuals would reasonably expect and must not lead to unjustified adverse effects on them, nor be unduly detrimental, unexpected or misleading. Assessing whether you are processing information fairly depends partly on how you obtain it. If anyone is deceived or misled when the personal data is obtained, then this is unlikely to be fair. Transparency is also instrumental in implementing the principle of fairness, by enabling data subjects to make use of their data protection rights – the right to be informed, to be consulted, to intervene and to limit the processing of their personal data. Remember that consent is only valid when individuals can make an informed decision about whether to give (or refuse) their consent.
You can read more about how to provide information and implement data subjects’ rights in steps 5 and 6 of the privacy scan guidance.
- Documenting compliance: Ensure that you can demonstrate your compliance efforts by having sufficient documentation.
The ‘principle’ of accountability (Art 5(2)) specifically sets out that controllers are responsible for, and must be able to demonstrate, compliance with data protection laws. To simplify the process of documenting GDPR compliance, we have developed the “Privacy Scan” (formerly known as the Privacy Review) at the Geosciences faculty. The Privacy Scan consists of 11 items that describe and review how you have implemented DPbDD in your project. Once potential issues have been addressed, the privacy scan documentation will demonstrate your project’s compliance with the GDPR.
Because reviewing your project’s privacy may require changes in your project’s design, it is important to start the privacy scan as early as possible, preferably at the start of the project’s design stage, when it is relatively inexpensive – in economic terms and effort – to incorporate design changes that will achieve privacy compliance.
The privacy scan can also identify when a project, due to the scope and nature of the collected data, can potentially carry a “high risk to the rights and freedoms of individuals”. When that is the case, the privacy scan becomes a Data Protection Impact Assessment (DPIA), which ensures sufficient support is provided to you (by the faculty privacy officer and all other relevant stakeholders, such as information security officers, as necessary), with the goal of ensuring that any and all potential high risks are properly addressed and resolved.
Privacy scans are also incorporated into the faculty Processing Register, which keeps a record of all personal data processing activities at the faculty – also necessary to demonstrate the faculty’s compliance with the GDPR (Art. 30).
These DPbDD requirements have been translated into the Privacy Scan. The Privacy Scan is the tool developed at the Geosciences Faculty that facilitates the process of evaluating and documenting a project’s implementation of DPbDD principles.
Because DPbDD principles are not commonly embedded in the project design from the start, the privacy scan will often require changes to the way the project handles personal data. That is why it is critical to start the privacy scan at the same time the project is being designed, when it is relatively easy and straightforward – in both effort and economic terms – to implement required changes in the project design. Keep in mind that projects that do not comply with the GDPR are not suitable for handling personal data.
There are other resources and guidelines available on implementing DPbDD. Among those, we can recommend the book by Jaap-Henk Hoepman: Privacy by Design Strategies (English and Dutch versions), and the Guidelines 4/2019 on Article 25 Data Protection by Design and by Default, from the European Data Protection Board (EDPB).