Toolkit for the EU GDPR – 7) Privacy by Design

published on Mai 15, 2018

Background

This note is part of our series of “Toolkits” on specific key elements of the upcoming EU GDPR (General Data Protection Regulation). If you are an enterprise based in the EU or you hold or process any personal data of any EU citizen you will need to ensure that you are compliant with the GDPR on and following its implementation date of 25 May 2018.

Precisely how the GDPR will be implemented in the UK is currently unclear as the UK legislation is not yet finalised. We nonetheless recommend that a detailed review of data protection policies and procedures are completed ahead of its implementation (and any changes required are implemented ahead of that date too). The GDPR will be implemented in England and Wales through the Data Protection Bill.

The GDPR does not seek to drastically alter the existing UK regime (under Data Protection Act 1998) but it does add important additional proactive requirements for compliance and enhanced data subject rights and protections (as well as creating a more uniform EU-wide regime).

Disclaimer

This document is not a comprehensive explanation of the GDPR or the obligations under it and is not intended to provide advice. If you require any advice please contact us on the contact details provided further below.

What is the GDPR

The GDPR will replace the existing EU Data Protection Directive 1995 (95/46/EC). It seeks to update the data protection legislation in line with modern changes in technology and the way in which personal information is commonly used, processed and shared.

This note is an overview of the key considerations regarding “privacy by design”. It sets out what “Privacy by design” means and provides an outline off how this viewpoint will be adopted by the GDPR.

What is Privacy by Design?

Privacy by Design is a concept that promotes data protection compliance as a forefront of any projects and decisions rather than as an afterthought. It encourages organisations should take a proactive rather than reactive approach to data protection. This approach helps identify any data protection risks and deal with them at the outset which may benefit the data controller as it is likely to be easier and cheaper to rectify any problems at this stage.

The ICO, who is the supervisory authority in the UK, already supports a Privacy by Design approach and states on their website that it:

“…encourages organisations to ensure that privacy and data protection is they key consideration in the early stages of any project and throughout its life cycle.”

Privacy by Design therefore is not a new concept however, the GDPR is obliging data controllers to follow Privacy by Design approach. Therefore, if an organisation is processing personal data, it is essential that they have an understanding of what Privacy by Design is.

Privacy by Design and the GDPR

Under the GDPR rules data controllers are required to integrate “appropriate technical and organisational measures” to safeguard any personal data and ensure that personal data is processed in accordance with the GDPR.

Further, the GDPR provides an obligation on organisations to demonstrate compliance with the GDPR. Therefore these measures should be documented, including by data protection impact assessments (if applicable).

Data Protection Impact Assessments

In event a data controller will be processing personal data in a manner which is likely to result in a high risk to the rights and freedoms of the individual data subject, the GDPR requires data controller to conduct a “data protection impact assessment”.

Article 35 of the GDPR sets out some examples of scenarios where it is likely to be a high risk to the rights and freedoms of the individual data subjects which includes:

extensive automated processing of personal data that produces significant effects for an individual data subject
large scale processing of sensitive personal data;
systematic monitoring of a publically accessible area on a large scale.

The GDPR also allows for the supervisory authority to make a public list of activities which are subject to the re-quirement of a data protection impact assessment and which activities are exempt. Therefore the need for a data impact protection assessment may vary from each jurisdiction.

A data protection impact assessment at a minimum shall include:

a description of the envisaged processing operations and the purposes of and legitimate interest of such processing;
an assessment of the necessity and proportionality of the processing in relation to the above mentioned purpose;
an assessment of the risks to the rights and freedoms of individual data subjects; and
the measures envisaged to address any risks and to protect personal data and comply with the GDPR (with a focus to the rights and legitimate interests of the individual data subjects).

If a data protection impact assessment confirms that processing of the personal data in question is high risk (and that risk cannot be mitigated) than the data controller is required to consult with the relevant supervisory authority.

Whilst data protection impact assessments are only required for certain high risk scenarios the ICO considers it to be good practice to conduct a data protection impact assessment are conducted for any major project which requires the processing of personal data.