Data protection by design

Data protection by design (also known as “Privacy by design”) as a concept has been around for a long time, and was considered best practice under the DPA. However, the GDPR makes this an explicit requirement.


What is Data protection by design?

Data protection by design is the practice of considering and “baking in” data protection measures from the outset of any project (for instance, when acquiring a new IT system which will hold or access personal data, developing new policies, or using or sharing data in new ways). Privacy should be a key consideration at the earliest stage, rather than an after-thought.


Data protection by design is closely linked with the requirement for Record keeping and accountability which also requires certain documentation and policies to be maintained by organisations.


What does it include?

Data protection by design is a general concept, but the GDPR includes some specific obligations (not all of which will be applicable for organisations):

  • Information Security should be considered at all stages, and must be appropriate to the risk involved. Note that this extends beyond technical and physical measures (such as encryption or building security) to organisational measures such as training staff in security and awareness.
  • Data sharing and in particular international data transfers, must be subject to careful consideration to ensure that it is lawful.
  • Data Protection Impact Assessments, which are required when a data processing activity is likely to result in a “high risk” to the rights and freedoms of data subjects.
  • Data Protection Officers (DPO) may need to be appointed by some organisations. However, even if a formal DPO is not required, it may still be useful to informally appoint an individual within your business who is responsible for data protection compliance. To avoid confusion (and having to comply with the specific requirements of the GDPR around DPOs) we would recommend using another term, such as Data Compliance Officer (DCO).
  • Privacy policies / Information Notices which help ensure transparency by requiring data controllers to provide certain information to individuals.