DPIA’s and privacy by design and default

Under the Data Protection Act 2018 (UK GDPR), the concepts of ‘privacy by design and default’ and ‘data protection impact assessments’ (DPIAs) will be mandatory for businesses which fall within the category of a controller (which will be pretty much all businesses).

What is privacy by design and default?

Privacy by design requires businesses to:

‘Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects’.

What this basically means is that businesses must embed data protection into all their activities, processes, procures, systems etc – from the design phase and then throughout the lifecycle.

Privacy by default requires businesses to:

‘implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons’.

A business must implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of processing are processed. This links back to two of the overarching data protection principles – data minimisation and purpose limitation.

The UK’s Information Commissioner’s Office (ICO) recommends using the following checklist (also available here) to help ensure compliance with the requirement for data protection by design and default:

  • We consider data protection issues as part of the design and implementation of systems, services, products and business practices.
  • We make data protection an essential component of the core functionality of our processing systems and services.
  • We anticipate risks and privacy-invasive events before they occur, and take steps to prevent harm to data subjects.
  • We only process the personal data that we need for our purposes(s), and that we only use the data for those purposes.
  • We ensure that personal data is automatically protected in any IT system, service, product, and/or business practice, so that data subjects should not have to take any specific action to protect their privacy.
  • We provide the identity and contact information of those responsible for data protection both within our organisation and to data subjects.
  • We adopt a ‘plain language’ policy for any public documents so that data subjects easily understand what we are doing with their personal data.
  • We provide data subjects with tools so they can determine how we are using their personal data, and whether our policies are being properly enforced.
  • We offer strong privacy defaults, user-friendly options and controls, and respect user preferences.
  • We only use data processors that provide sufficient guarantees of their technical and organisational measures for data protection by design.
  • When we use other systems, services or products in our processing activities, we make sure that we only use those whose designers and manufacturers take data protection issues into account.
  • We use privacy-enhancing technologies (PETs) to assist us in complying with our data protection by design obligations.

Although the concept of privacy by design and default is straightforward and easy to understand, in practice it could be quite time consuming and costly to implement. However, this obligation needs to be balanced alongside available technologies and implementation costs – there needs to be an element of reasonableness.

What about data processors?

The UK GDPR places the obligation of privacy by design and default firmly on controllers. However, when a business (i.e., a controller) engages a third party to process personal data on their behalf (i.e., a data processor), it has an obligation under the UK GDPR to only use data processors who give:

sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of this Regulation and ensure the protection of the rights of the data subject’.

What are data protection impact assessments, or DPIAs?

DPIA’s are an integral part of privacy by design and default because they will enable you to identify and reduce your privacy risks.  

Whether a controller needs to undertake a DPIA will depend on whether the particular processing operation is likely to result in a high risk to the rights and freedoms of an individual. The UK GDPR specifies instances when DPIAs must be carried out – but these are non-exhaustive), namely processing operations which involve:

  • systematic monitoring of a publicly accessible area on a large scale (e.g. CCTV, drones and body-worn devices);
  • systematic and extensive evaluation of personal aspects relating to individuals which is based on automated processing and on which decisions are based that produce legal effects concerning individuals or similarly significantly affect them (e.g. profiling and other data analysis activities); or
  • processing special categories or criminal offence data on a large scale.

The ICO gives guidance on when else a controller will be required to do a DPIA, including:

  • when you use innovative technology (in combination with any of the criteria from the European guidelines);
  • process genetic data (in combination with any of the criteria from the European guidelines);
  • match data or combine datasets from different sources; or
  • collect personal data from a source other than the individual without providing them with a privacy notice (‘invisible processing’).

If you have a data protection officer (read here), you must consult him/her on the DPIA (as well as other individuals within your organisation, including key stakeholders).

Do we need to consult the ICO on our DPIA?

The added complication with DPIAs is that the controller must consult with the ICO before processing any personal data if the DPIA indicates that its processing operations would, in absence of safeguards, result in a high risk to the rights and freedoms of individuals and the controller can’t mitigate those risks by reasonable means in terms of available technologies and implementation costs.

What are the fines for failure to comply?

The UK GDPR also carries a substantial fine for companies who fail to comply with these obligations – the greater of £8.7m (€10m) or (for undertakings) 2% of total worldwide annual turnover. For more information about fines, please read here.

What does this mean in practice for businesses?

As well as taking a pro-active approach to designing projects, processes, products and systems by promoting privacy and data protection compliance from inception and throughout their lifecycle, businesses should also:

  • identify any new projects which involve data processing and factor in these mandatory requirements (even if processing operations don’t fall within the requirements for a DPIA, businesses should still consider carrying one out);
  • consider if they need to develop or procure any tools to help reduce privacy risk and assist them in applying the necessary controls;
  • review and update project and risk management methodologies and policies – or draft if there are none – which should also integrate DPIAs and ensure that the approach to identifying risks and solutions to avoid or mitigate risks can be clearly documented to enable them to demonstrate compliance with the UK GDPR;
  • look at current resources to see if they have the necessary skills set – and if not, look to recruit or engage external resources;
  • create a map/plan showing the related policies, procedures, tools/resources, training and communications and how they intend to comply with the UK GDPR; and
  • train relevant staff (e.g. design and implementation teams, project managers) to ensure they understand the requirements.

If you would like any further information or advice on these matters, or the UK GDPR generally, please contact us.

Disclaimer: This article is provided for information purposes only and does not constitute legal advice. Professional legal advice should be obtained before taking or refraining from taking any action as a result of the contents of this article.