Data Protection by Design

Dr. Ágnes Tompa LL.M, Senior Attorney Head of Corporate / M&A Department, Noerr & Partners Law Office

“Design is not just what it looks like and feels like. Design is how it works.” Steve Jobs 

The European Parliament and European Council adopted the General Data Protection Regulation (GDPR) last year, which will come into effect in May 2018. The GDPR will replace the current European legislation, the Data Protection Directive (1995).

The current Directive has no equivalent to the concept of privacy by design. Privacy by design or data protection by design is the notion that the means and purposes of personal data processing are designed, from the beginning, with data protection in mind.

The present system of various national laws transposing the Directive resulted in a fragmented regulatory system for data controllers operating in the European Union. What often happened was that a multinational company operating in different countries in the EU had to use several versions of its data protection policies in order to comply with the national laws. It meant different documentation requirements, different software and different methods of storing, deleting or forwarding data for each and every country within the same company. With the GDPR, a more standardized data protection law will come into force across the EU.

The GDPR addresses the principle of data protection by design as a legal obligation for data controllers and processors for the first time, making an explicit reference to data minimization and the possible use of pseudonymization. Data minimization means that personal data must be adequate, relevant and limited to that which is necessary in relation to the purposes for which it is processed. Pseudonymization refers to the technique of processing personal data in such a way that it can no longer be attributed to a specific data subject without the use of additional information, which must be kept separately and be subject to technical and organizational measures to ensure non-attribution.

This principle – together with the principle of data protection by default – encourages controllers and processors to include data protection measures from the start of the process, at the design stage of their products and services. The principle requires organizations to implement both technical and organizational measures that will guarantee and protect the privacy of individuals. This involves organizations examining the amount and extent of personal data collected and processed, and affording consideration to how long such information is kept and how accessible it is. Under this provision, a data subject should be protected by the strictest privacy settings while still allowing for the data subject to receive or use the product or service. Even more, organizations need to approach all their project management and risk management methodologies and practices from the point of view of data protection by design. This will entail integrating core privacy considerations coupled with independent and robust Privacy Impact Assessments (PIAs).

PIAs are of fundamental importance under the GDPR. They are an integral part of taking a data-by-design approach and making sure that all internal processes and eventual privacy codes are also compliant with the concept of data protection by design. Besides data minimization and pseudonymization, other methods can be staff training programs, audit and policy reviews, or implementation of new procedures.

When implementing the principle, Article 25 of the GDPR suggests considering the following:

the state of the art (available technology);

the cost of implementation;

the nature, scope, context and purpose of the data processing; and

the risks to natural persons and their severity.

As the measures to be taken are subject to the data processing activities of the relevant organization, before implementation, reviewing the above factors is unavoidable.

In summary, organizations should consider the data protection implications of a given processing activity at an early stage, rather than merely at the time of collection or processing.

Given the provisions of the GDPR, the obligations and responsibility on organizations in the area of data protection are only set to increase.