Data protection by design and default – the GDPR and ICO guidance

Data protection by design and default (DPDD) is not an entirely new concept. Adopting a 'privacy by design' approach has been recommended by data protection regulators for years. Under the GDPR, however, data protection by design and default is now a legal requirement.

Article 25 GDPR

The provisions around DPDD are found in Article 25 GDPR.

Data protection by design (Article 25(1))

The controller needs to implement appropriate technical and organisational methods (eg pseudonymisation) which are designed to implement the data protection principles (like data minimisation) and integrate the necessary safeguards into the processing in order to meet GDPR requirements and protect data subject rights.

This must be done both at time of determination of the means of processing and throughout the processing operation.

Controllers should take into account the state of the art, the cost of implementation, the nature, scope, context and purpose of processing, and the risks of varying likelihood and severity for the rights and freedoms of the data subjects.

Data protection by default (Article 25(2))

The controller must implement appropriate technical and organisational measures to ensure that by default, only personal data necessary for each specific processing purpose is processed. This applies to:

• the amount of data collected
• the extent of the processing
• the period of storage
• accessibility.

In particular, the measures need to ensure that by default, the data is not made accessible to an indefinite number of people without the intervention of the data subject.

Certification

The GDPR envisages that adhering to an approved certification mechanism may be a way to demonstrate compliance with DPDD but, to date, no such certification has been approved.

Recital 78

For a concept so fundamental to GDPR compliance, there is relatively little detail provided in the body of the legislation. There is a little more information in Recital 78. Recitals inform application of the GDPR but do not have legal force.

Pseudonymisation is explicitly mentioned in Article 25 as a potentially appropriate DPDD measure, but Recital 78 also suggests the following:

• Minimising the processing of personal data.
• Transparency with regard to the functions and processing of the data.
• Enabling the data subject to monitor the processing.
• Enabling the controller to create and improve security features.

Recital 78 also says that:

• DPDD should be considered in the context of public tenders, and
• producers of products, services and applications which are based on the processing of personal data or which process personal data, should be encouraged to take into account the right to data protection when they develop, design, select and use them, and with due regard to the state of the art, ensure that controllers and processors are able to fulfil their data protection obligations.

ICO guidance

That's all the information you get from the GDPR about one of its fundamental principles. In almost every piece of guidance regulators put out, they talk about the importance of DPDD but what does it really involve? The ICO has published guidance on the principle in its GDPR guidance and is planning further guidance on the subject. It has also published its Age Appropriate Design Code of Practice (see our article to learn more) which has cross-over where it applies.

The ICO says that DPDD essentially means you have to integrate or "bake in" data protection into your processing activities and business practices from the design stage right through the lifecycle, as a legal requirement. As with much of the GDPR, this involves taking a risk-based approach and considering each processing operation on a case by case basis.

Design does not just refer to the design of systems, products and services, it also refers to organisational policies and processes, and business practices which have privacy implications.

The ICO also stresses that data protection by default does not mean that you must adopt a 'default to off' solution (although in some cases this is a requirement under the Age Appropriate Design Code). What it actually involves is ensuring you only process personal data necessary to achieve your specific purposes, so it is linked to the principles of data minimisation and purpose limitation. While exact steps vary depending on the circumstances, the ICO says the following must be considered:

• Adopting a 'privacy-first' approach with any default settings.
• Ensuring real choice is given to individuals about the processing.
• Not processing additional data until the individuals say you can.
• Providing individuals with sufficient controls and options to enable them to exercise their rights.

Who is responsible?

The data controller has responsibility for implementing DPDD but within an organisation there may be a number of different areas involved, for example, senior management, systems development, and the DPO.

While data processors do not have explicit DPDD obligations, the controller is required to select a processor which provides sufficient guarantees to meet GDPR requirements and this covers DPDD. Where third parties are involved, there is no legal requirement on the controller to ensure they comply with DPDD (although they may have to do so in their own right), but Recital 78 suggests it should be taken into account.

How do you comply?

The ICO says there is no 'one size fits all' approach. Issues to consider include those mentioned in Recital 78 and they need to be taken into account at the initial phase of any system, service, product or process. The intended processing activities have to be reviewed in the context of risks posed to individuals and the methods available to protect them and to comply with GDPR, taking into account the state of the art, cost, the type of processing and the risks involved. This must be done at the design phase of any processing activity and throughout the lifecycle of the processing.

The ICO points to the underlying concepts of the GDPR expressed in the seven 'foundational principles' of privacy by design as developed by the Information and Privacy Commissioner of Ontario as a useful (if not comprehensive) anchor to the approach you should take. Note that these should be used as guidelines rather than requirements:

• Proactive not reactive; preventative not remedial – speaks for itself.
• Privacy as the default setting – privacy should be built into the system so that the individual's privacy remains intact without them having to do anything.
• Privacy embedded into design – privacy should be integral to the design of any systems, services, products and business practices.
• Full functionality; positive sum, not zero sum – avoid trade offs between privacy and security and incorporate all legitimate objectives while ensuring compliance.
• End-to-end security; full life cycle protection – implement strong security from the outset and extend throughout the lifecycle, then destroy the data securely when it is no longer needed.
• Visibility and transparency; keep it open – make sure individuals know what data you process and why.
• Respect for user privacy; keep it 'user-centric' – the interests of the individuals should be paramount.

The ICO suggests developing a set of practical actionable guidelines to use in your organisation, framed by your assessment of the risks posed and mitigating measures available to you. The key is to take an organisational approach that achieves the desired outcomes.

As the ICO stresses, many steps needed to ensure DPDD relate to other GDPR obligations – for example transparency requirements and security obligations – so it really runs through the GDPR compliance process. It also links to one of the key accountability tools, the DPIA. The ICO says DPIAs are integral to DPDD. While they are not always required (unlike DPDD), it is good practice to carry them out as they will help assess risk and mitigation which in turn helps with implementing and demonstrating DPDD.

How do we know whether we are getting it right?

As with much of GDPR compliance, the way you implement the requirements is left up to you. This gives organisations flexibility within the framework. The ICO guidance contains a basic checklist and you can also see our checklist on the Global Data Hub. EDPB guidance and other EU regulator views are also relevant. However you choose to implement DPDD, the overriding thing to remember is that you need to embed data protection into everything you do involving personal data.