Data Protection by Design and by Default

Data protection by design and by default are principles defined in Article 25 of the General Data Protection Regulation (GDPR).

Data protection by design requires the controller to take technical and organisational measures to implement the data protection principles effectively and to integrate adequate safeguards to protect the rights and freedoms of data subjects. 

Data protection by default requires that, by default, appropriate technical and organisational measures be implemented to ensure that only personal data that are necessary for each purpose of the processing are processed. 

The Privacy Principles

Under the EU General Data Protection Regulation (GDPR), any data processing activity must comply with six privacy principles, which are the cornerstone of the European privacy regulation and of most international privacy laws.

The privacy principles are set out in Article 5 GDPR and are as follows:

Lawfulness, fairness and transparency
Purpose limitation
Data minimisation
Accuracy
Storage limitation
Security
Accountability

Controller or Processor?

Under the General Data Protection Regulation (GDPR), any person (including organisations) handling personal data is subject to a different level of obligations and responsibilities with regard to the personal data processing operations they carry out, depending on whether they are acting as a processor, a controller or a joint controller.

Indeed, all their GDPR obligations and responsibilities stem from their role and may, as a result, differ greatly. In broad terms, controllers bear most of the responsibilities, while processors must only act under the instructions of the controller and therefore bear much less responsibility.

Personal Data Breach Notification

Under the General Data Protection Regulation (GDPR), controllers must notify:

the competent authority of any personal data breach likely to result in a risk to the rights and freedoms of the data subjects;

the individuals concerned of any personal data breach likely to result in a high risk to their rights and freedoms.

It is therefore important for a controller to understand what a personal data breach is and to be ready to react promptly and appropriately when it happens.

Record of Processing Activities

Under the European General Data Protection Regulation (GDPR), organisations processing personal data must maintain a record of their processing activities (ROPA) unless an exemption applies.

However, the type of information to maintain in this record differs depending on whether the organisations act as a controller or as a processor with regard to a specific processing activity.

In addition, some of the recorded processing activities may also be subject to a data protection impact assessment (DPIA), which requires additional information.