GDPR Compliance: Data Protection by Design and by Default
May 25, 2017
Data privacy cannot be an afterthought.
When it comes to complying with the General Data Protection Regulation (GDPR), there is no end to the advice and proposals. Certainly, there are many steps that companies must adopt to avoid penalties. But as large an undertaking as GDPR compliance may be, it is all undergirded by the idea expressed in Article 25: data protection by design and by default.
Implementing data protection by design means going beyond technological solutions. Security procedures for data handling should be under consideration from day one. Often, this means conducting a Privacy Impact Assessment to ensure that possible issues have been identified and proactively neutralized. In terms of actual process implementation, it entails using best practices in data minimization, pseudonymization, and process documentation. This last item is particularly important. Clearly documenting proper data handling—and monitoring the data to ensure it is in fact handled properly—is just as important as effective data minimization.
Implementing data protection by default is a somewhat less expansive, but still vital, notion in the GDPR. It means that taking data protection measures must be the rule, not the exception. These measures must be taken, by default, to ensure that only personal data necessary for each specific business purpose is processed—and that duty applies to the amount of data collected, the extent of its processing, its period of storage, and its accessibility. In practice, this means that companies must have a well-defined data lifecycle that ends with the destruction of said data. It also means that additional information and consent must be actively requested from the data subject.
To ready your company for GDPR and remain in compliance as your data processing needs evolve, data protection must be consistently baked into every part of the organization and the organization’s processes. Data privacy can no longer be an afterthought—or the responsibility of a single individual. A proactive team defense is the best defense against GDPR compliance violations.
The one-year countdown begins today! As always, we recommend consulting your legal or compliance teams, but we encourage you to learn more about how Dataguise can accelerate your journey to GDPR compliance. Contact us today to get started.