On the 25th of May 2018, the new General Data Protection Regulation (“GDPR”) will become applicable law in all European member states, which will have a profound impact on all businesses whose business model is partly digital.
One of the unprecedented new features of the GDPR is the general obligation of businesses that control personal data (“Data Controllers”) to implement data protection principles not only in the course of their operations, but also during the development of new products, services, business functions, etc.
Data protection by design starts when the Data Controller determines how the processing of personal data will be performed, in other words who will do it and how. Taking into account the likelihood and severity of the risks of processing the personal data, and the cost and effort involved in mitigating those risks, the Data Controller shall implement appropriate technical and organisational measures (such as restricted internal physical and digital access to the personal data).
As with many of the other obligations under the GDPR, the Data Controller is responsible for documenting this work.
Data protection by default means that the default settings for the product or service ensure that only personal data which are necessary for each specific purpose are processed. A typical example of when this is not achieved is when users can input free text and then proceed to tell their life stories, even though the Data Controller has no interest in or use for this information at all. The Data Controller will then be responsible for protecting this potentially very sensitive information with adequate technical and organisational measures.
Adhering to data protection by design and default is as much in the Data Controller’s own business interest as it is in their interest to be compliant with the GDPR, as data protection by design and default can save the Data Controller much time, effort, and expense in later stages of the data processing lifecycle.