Privacy by design has long been seen as a good practice approach when designing new products, processes and systems that use personal data. Under the heading ‘data protection by design and by default’, the GDPR legally requires you to take this approach.
Data protection by design and default is an integral element of being accountable. It is about embedding data protection into everything you do, throughout all your processing operations. The GDPR suggests measures that may be appropriate such as minimising the data you collect, applying pseudonymisation techniques, and improving security features.
Integrating data protection considerations into your operations helps you to comply with your obligations, while documenting the decisions you take.
Data protection by design is ultimately an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle.
As expressed by the GDPR, it requires you to:
- put in place appropriate technical and organisational measures designed to implement the data protection principles; and
- integrate safeguards into your processing so that you meet the GDPR’s requirements and protect the individual rights.
In essence this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices.