By Employment and Privacy Law Partner, Carl Atkinson
During our countdown we have outlined the initial steps businesses can take to establish a secure foundation for their GDPR compliance programme. All businesses are different, and consequently a ‘one size fits all’ approach towards GDPR compliance based upon a generic GDPR solution / toolkit is unlikely to be successful.
We initially advised that the first step almost all organisations should take in preparing for GDPR is to understand what personal data is held by the business. Then where it is stored or used (‘processed’) and why that processing is necessary. We then considered the impact of GDPR on consent and suggested restrictions on the way consent can be obtained. This included along with the data subject’s new right to unilaterally withdraw consent at any time could make consent far less attractive as a basis for processing.
In this third blog, we will examine some of the new concepts which will be introduced by the GDPR and we will consider whether there are steps which businesses can take now to embed these new concepts in their organisations before the GDPR implementation date on the 25th May.
Privacy By Design
Although not a new concept, privacy by design is an approach which will become more familiar to many businesses following the implementation of the GDPR. Under the GDPR there will be an obligation for businesses to implement technical and organisational measures to demonstrate that they have considered and integrated data protection / privacy into their processing activities, and it is clear from statements which have been made by the ICO that privacy by design is viewed as a key component of this approach.
Privacy by design is an approach which promotes data protection compliance from the genesis of any new project, product or policy. The ICO view this as an essential tool in minimising privacy risks, and businesses would be well advised to embrace this approach as soon as possible to ensure it becomes well understood and embedded in their organisation as a priority.
For many businesses the adoption of privacy by design may be straightforward as it may be that privacy of personal data has always been a key consideration. All that will be required is to document the consideration which is given to privacy at all stages of the development of a project.
For other businesses however the introduction of the approach may be more challenging and it may be sensible to arrange for data protection considerations become a standing item for consideration at all project team meetings on new projects.
Key principles of the privacy by design approach are:
- Proactive rather than reactive toward the anticipation and prevention of actions which may be invasive to personal privacy;
- Privacy as a default setting should mean that it will not be necessary for an individual data subject to take any action to protect their privacy;
- Privacy is embedded into the design of IT systems and business practices and is not added at a later stage;
- End-to-end security of personal data should be paramount for all new projects and should be retained and carried through the project to the end of the process.
Privacy Impact Assessments
Privacy Impact Assessments (PIA) are a key tool for any business to demonstrate the adoption of a privacy by design. It can be used to identify and manage the privacy risks which are be associated with new projects, and will therefore be useful evidence of the adoption of a privacy by design approach in the event of any attention from the Information Commissioner.
Our recommendation is that businesses should begin to integrate privacy by design and the use of privacy impact assessments into their ways of working immediately so that these tools will have become established by May. The starting point should be the adoption of PIA processes as part of the standard project and risk management policies to drive awareness of these issues throughout your organisation.
If you require assistance with the implementation of privacy by design or privacy impact assessments within your organisation, please do not hesitate to get in touch. We will be able to support your work in adopting these key concepts prior to the implementation of GDPR in May.
DD: +44 (0) 77846 966 573