What is Data Protection by Design and By Default

Data Protection by Design and by Default


Data Protection (Jersey) Law 2018 (DPJL) requires you to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is ‘data protection by design and by default’.


In essence, this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle.


This concept is not new. Previously known as ‘privacy by design’, it has always been part of data protection law. The key change with DPJL is that it is now a legal requirement.


Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the DPJL’s fundamental principles and requirements and forms part of the focus on accountability.


In this section

  • What is data protection by design?
  • What is data protection by default?
  • Who is responsible for complying with data protection by design and by default?
  • What about data processors?
  • What about other parties?
  • What are we required to do?
  • When should we do this?
  • ‘Proactive not reactive; preventative not remedial’
  • How do we do this in practice?


What is data protection by design?


Data protection by design is ultimately an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle.


As expressed by the DPJL, it requires you to:

  • put in place appropriate technical and organisational measures designed to implement the data protection principles; and
  • integrate safeguards into your processing so that you meet the DPJL's requirements and protect the individual rights.

In essence this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices.

Data protection by design has broad application. Examples include:

  • developing new IT systems, services, products and processes that involve processing personal data;
  • developing organisational policies, processes, business practices and/or strategies that have privacy implications;
  • physical design;
  • embarking on data sharing initiatives; or
  • using personal data for new purposes.

The underlying concepts of data protection by design are not new. Under the name ‘privacy by design’ they have existed for many years. Data protection by design essentially inserts the privacy by design approach into data protection law.


What is data protection by default?


Data protection by default requires you to ensure that you only process the data that is necessary to achieve your specific purpose. It links to the fundamental data protection principles of data minimisation and purpose limitation.


You have to process some personal data to achieve your purpose(s). Data protection by default means you need to specify this data before the processing starts, appropriately inform individuals and only process the data you need for your purpose. It does not require you to adopt a ‘default to off’ solution. What you need to do depends on the circumstances of your processing and the risks posed to individuals.


Nevertheless, you must consider things like:

  • adopting a ‘privacy-first’ approach with any default settings of systems and applications;
  • ensuring you do not provide an illusory choice to individuals relating to the data you will process;
  • not processing additional data unless the individual decides you can;
  • ensuring that personal data is not automatically made publicly available to others unless the individual decides to make it so; and
  • providing individuals with sufficient controls and options to exercise their rights.


Who is responsible for complying with data protection by design and by default?


Article 15 specifies that, as the controller, you have responsibility for complying with data protection by design and by default. Depending on your circumstances, you may have different requirements for different areas within your organisation. For example:

  • your senior management, e.g. developing a culture of ‘privacy awareness’ and ensuring you develop policies and procedures with data protection in mind;
  • your software engineers, system architects and application developers, e.g. those who design systems, products and services should take account of data protection requirements and assist you in complying with your obligations; and
  • your business practices, e.g. you should ensure that you embed data protection by design in all your internal processes and procedures.


This may not apply to all organisations, of course. However, data protection by design is about adopting an organisation-wide approach to data protection, and ‘baking in’ privacy considerations into any processing activity you undertake. It does not apply only to organisations that have their own software developers and systems architects.

In considering whether to impose a penalty, the JOIC will take into account the technical and organisational measures you have put in place in respect of data protection by design. Additionally, under DPJL we can issue an Enforcement Notice against you for any failings in respect of Article 15.


What about data processors?


If you use another organisation to process personal data on your behalf, then that organisation is a data processor under the GDPR.


Article 15 does not mention data processors specifically. However, Article 19 specifies the considerations you must take whenever you are selecting a processor. For example, you must only use processors that provide:

  • ‘sufficient guarantees to implement appropriate technical and organisational measures in such a manner that the processing will meet the requirements of the DPJL and ensure the protection of the rights of the data subject’


This requirement covers both data protection by design in Article 15 as well as your security obligations under Article 21. Your processor cannot necessarily assist you with your data protection by design obligations (unlike with security measures), however you must only use processors that provide sufficient guarantees to meet DPJL’s requirements.


What about other parties?


Data protection by design and by default can also impact organisations other than controllers and processors. Depending on your processing activity, other parties may be involved, even if this is just where you purchase a product or service that you then use in your processing. Examples include manufacturers, product developers, application developers and service providers.


Recital 78 extends the concepts of data protection by design to other organisations, although it does not place a requirement on them to comply – that remains with you as the controller. It says:

‘When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.’

Therefore, when considering what products and services you need for your processing, you should look to choose those where the designers and developers have taken data protection into account. This can help to ensure that your processing adheres to the data protection by design requirements.


If you are a developer or designer of products, services and applications, the DPJL places no specific obligations on you about how you design and build these products. (You may have specific obligations as a controller in your own right, e.g. for any employee data.) However, you should note that controllers are required to consider data protection by design when selecting services and products for use in their data processing activities – therefore if you design these products with data protection in mind, you may be in a better position.


What are we required to do?


You must put in place appropriate technical and organisational measures designed to implement the data protection principles and safeguard individual rights.


There is no ‘one size fits all’ method to do this, and no one set of measures that you should put in place. It depends on your circumstances.


The key is that you consider data protection issues from the start of any processing activity, and adopt appropriate policies and measures that meet the requirements of data protection by design and by default.


Some examples of how you can do this include:

  • minimising the processing of personal data;
  • pseudonymising personal data as soon as possible;
  • ensuring transparency in respect of the functions and processing of personal data;
  • enabling individuals to monitor the processing; and
  • creating (and improving) security features.


This is not an exhaustive list. Complying with data protection by design and by default may require you to do much more than the above.

When should we do this?

You should begin data protection by design at the initial phase of any system, service, product, or process. You should start by considering your intended processing activities, the risks that these may pose to individuals, and the possible measures available to ensure that you comply with the data protection principles and protect individual rights. These considerations must cover:

  • the state of the art and costs of implementation of any measures;
  • the nature, scope, context and purposes of your processing; and
  • the risks that your processing poses to the rights and freedoms of individuals.


This is similar to the information risk assessment you should do when considering your security measures.


These considerations lead into the second step, where you put in place actual technical and organisational measures to implement the data protection principles and integrate safeguards into your processing.


This is why there is no single solution or process that applies to every organisation or every processing activity, although there are a number of commonalities that may apply to your specific circumstances as described below.


The DPJL requires you to take these actions:

  • ‘at the time of the determination of the means of the processing’ – in other words, when you are at the design phase of any processing activity; and
  • ‘at the time of the processing itself’ – ie during the lifecycle of your processing activity.


What are the underlying concepts of data protection by design and by default?


The underlying concepts are essentially expressed in the seven ‘foundational principles’ of privacy by design, as developed by the Information and Privacy Commissioner of Ontario.


Although privacy by design is not necessarily equivalent to data protection by design, these foundational principles can nevertheless underpin any approach you take.


‘Proactive not reactive; preventative not remedial’


You should take a proactive approach to data protection and anticipate privacy issues and risks before they happen, instead of waiting until after the fact. This doesn’t just apply in the context of systems design – it involves developing a culture of ‘privacy awareness’ across your organisation.


‘Privacy as the default setting’


You should design any system, service, product, and/or business practice to protect personal data automatically. With privacy built into the system, the individual does not have to take any steps to protect their data – their privacy remains intact without them having to do anything.


‘Privacy embedded into design’


Embed data protection into the design of any systems, services, products and business practices. You should ensure data protection forms part of the core functions of any system or service – essentially, it becomes integral to these systems and services.


‘Full functionality – positive sum, not zero sum’


Also referred to as ‘win-win’, this principle is essentially about avoiding trade-offs, such as the belief that in any system or service it is only possible to have privacy or security, not privacy and security. Instead, you should look to incorporate all legitimate objectives whilst ensuring you comply with your obligations.


‘End-to-end security – full lifecycle protection’


Put in place strong security measures from the beginning, and extend this security throughout the ‘data lifecycle’ – ie process the data securely and then destroy it securely when you no longer need it.


‘Visibility and transparency – keep it open’


Ensure that whatever business practice or technology you use operates according to its premises and objectives, and is independently verifiable. It is also about ensuring visibility and transparency to individuals, such as making sure they know what data you process and for what purpose(s) you process it.


‘Respect for user privacy – keep it user-centric’


Keep the interest of individuals paramount in the design and implementation of any system or service, eg by offering strong privacy defaults, providing individuals with controls, and ensuring appropriate notice is given.


How do we do this in practice?


One means of putting these concepts into practice is to develop a set of practical, actionable guidelines that you can use in your organisation, framed by your assessment of the risks posed and the measures available to you. You could base these upon the seven foundational principles.


However, how you go about doing this depends on your circumstances – who you are, what you are doing, the resources you have available, and the nature of the data you process. You may not need to have a set of documents and organisational controls in place, although in some situations you will be required to have certain documents available concerning your processing.


The key is to take an organisational approach that achieves certain outcomes, such as ensuring that:

  • you consider data protection issues as part of the design and implementation of systems, services, products and business practices;
  • you make data protection an essential component of the core functionality of your processing systems and services;
  • you only process the personal data that you need in relation to your purpose(s), and that you only use the data for those purposes;
  • personal data is automatically protected in any IT system, service, product, and/or business practice, so that individuals should not have to take any specific action to protect their privacy;
  • the identity and contact information of those responsible for data protection are available both within your organisation and to individuals;
  • you adopt a ‘plain language’ policy for any public documents so that individuals easily understand what you are doing with their personal data;
  • you provide individuals with tools so they can determine how you are using their personal data, and whether you are properly enforcing your policies; and
  • you offer strong privacy defaults, user-friendly options and controls, and respect user preferences.


Many of these relate to other obligations in the DPJL, such as transparency requirements, documentation, Data Protection Officers and DPIAs. This shows the broad nature of data protection by design and how it applies to all aspects of your processing.


Our guidance on these topics will help you when you consider the measures you need to put in place for data protection by design and by default.