Data Protection by Design and by Default
Data Protection (Jersey) Law 2018 (DPJL) requires you to put in place appropriate technical and organisational measures to implement the data protection principles and safeguard individual rights. This is ‘data protection by design and by default’.
In essence, this means you have to integrate or ‘bake in’ data protection into your processing activities and business practices, from the design stage right through the lifecycle.
This concept is not new. Previously known as ‘privacy by design’, it has always been part of data protection law. The key change with DPJL is that it is now a legal requirement.
Data protection by design is about considering data protection and privacy issues upfront in everything you do. It can help you ensure that you comply with the DPJL’s fundamental principles and requirements and forms part of the focus on accountability.
What is data protection by design?
Data protection by design is ultimately an approach that ensures you consider privacy and data protection issues at the design phase of any system, service, product or process and then throughout the lifecycle.
As expressed by the DPJL, it requires you to:
The underlying concepts of data protection by design are not new. Under the name ‘privacy by design’ they have existed for many years. Data protection by design essentially inserts the privacy by design approach into data protection law.
What is data protection by default?
Data protection by default requires you to ensure that you only process the data that is necessary to achieve your specific purpose. It links to the fundamental data protection principles of data minimisation and purpose limitation.
You have to process some personal data to achieve your purpose(s). Data protection by default means you need to specify this data before the processing starts, appropriately inform individuals and only process the data you need for your purpose. It does not require you to adopt a ‘default to off’ solution. What you need to do depends on the circumstances of your processing and the risks posed to individuals.
Nevertheless, you must consider things like:
Who is responsible for complying with data protection by design and by default?
Article 15 specifies that, as the controller, you have responsibility for complying with data protection by design and by default. Depending on your circumstances, you may have different requirements for different areas within your organisation. For example:
This may not apply to all organisations, of course. However, data protection by design is about adopting an organisation-wide approach to data protection, and ‘baking in’ privacy considerations into any processing activity you undertake. It does not apply only to the type of organisation that has its own software developers and systems architects.
In considering whether to impose a penalty, the JOIC will take into account the technical and organisational measures you have put in place in respect of data protection by design. Additionally, under DPJL we can issue an Enforcement Notice against you for any failings in respect of Article 15.
What about data processors?
If you use another organisation to process personal data on your behalf, then that organisation is a data processor under the GDPR.
Article 15 does not mention data processors specifically. However, Article 19 specifies the considerations you must take whenever you are selecting a processor. For example, you must only use processors that provide:
This requirement covers both data protection by design in Article 15 as well as your security obligations under Article 21. Your processor cannot necessarily assist you with your data protection by design obligations (unlike with security measures); however, you must only use processors that provide sufficient guarantees to meet the DPJL’s requirements.
What about other parties?
Data protection by design and by default can also impact organisations other than controllers and processors. Depending on your processing activity, other parties may be involved, even if this is just where you purchase a product or service that you then use in your processing. Examples include manufacturers, product developers, application developers and service providers.
Recital 78 extends the concepts of data protection by design to other organisations, although it does not place a requirement on them to comply – that remains with you as the controller. It says:
‘When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations.’
Therefore, when considering what products and services you need for your processing, you should look to choose those where the designers and developers have taken data protection into account. This can help to ensure that your processing adheres to the data protection by design requirements.
If you are a developer or designer of products, services and applications, the DPJL places no specific obligations on you about how you design and build these products. (You may have specific obligations as a controller in your own right, e.g. for any employee data.) However, you should note that controllers are required to consider data protection by design when selecting services and products for use in their data processing activities – therefore if you design these products with data protection in mind, you may be in a better position.
What are we required to do?
You must put in place appropriate technical and organisational measures designed to implement the data protection principles and safeguard individual rights.
There is no ‘one size fits all’ method to do this, and no one set of measures that you should put in place. It depends on your circumstances.
The key is that you consider data protection issues from the start of any processing activity, and adopt appropriate policies and measures that meet the requirements of data protection by design and by default.
Some examples of how you can do this include:
This is not an exhaustive list. Complying with data protection by design and by default may require you to do much more than the above.
When should we do this?
You should begin data protection by design at the initial phase of any system, service, product, or process. You should start by considering your intended processing activities, the risks that these may pose to individuals, and the possible measures available to ensure that you comply with the data protection principles and protect individual rights. These considerations must cover:
This is similar to the information risk assessment you should do when considering your security measures.
These considerations lead into the second step, where you put in place actual technical and organisational measures to implement the data protection principles and integrate safeguards into your processing.
This is why there is no single solution or process that applies to every organisation or every processing activity, although there are a number of commonalities that may apply to your specific circumstances as described below.
The DPJL requires you to take these actions:
What are the underlying concepts of data protection by design and by default?
The underlying concepts are essentially expressed in the seven ‘foundational principles’ of privacy by design, as developed by the Information and Privacy Commissioner of Ontario.
Although privacy by design is not necessarily equivalent to data protection by design, these foundational principles can nevertheless underpin any approach you take.
‘Proactive not reactive; preventative not remedial’
You should take a proactive approach to data protection and anticipate privacy issues and risks before they happen, instead of waiting until after the fact. This doesn’t just apply in the context of systems design – it involves developing a culture of ‘privacy awareness’ across your organisation.
‘Privacy as the default setting’
You should design any system, service, product, and/or business practice to protect personal data automatically. With privacy built into the system, the individual does not have to take any steps to protect their data – their privacy remains intact without them having to do anything.
‘Privacy embedded into design’
Embed data protection into the design of any systems, services, products and business practices. You should ensure data protection forms part of the core functions of any system or service – essentially, it becomes integral to these systems and services.
‘Full functionality – positive sum, not zero sum’
Also referred to as ‘win-win’, this principle is essentially about avoiding trade-offs, such as the belief that in any system or service it is only possible to have privacy or security, not privacy and security. Instead, you should look to incorporate all legitimate objectives whilst ensuring you comply with your obligations.
‘End-to-end security – full lifecycle protection’
Put in place strong security measures from the beginning, and extend this security throughout the ‘data lifecycle’ – ie process the data securely and then destroy it securely when you no longer need it.
‘Visibility and transparency – keep it open’
Ensure that whatever business practice or technology you use operates according to its premises and objectives, and is independently verifiable. It is also about ensuring visibility and transparency to individuals, such as making sure they know what data you process and for what purpose(s) you process it.
‘Respect for user privacy – keep it user-centric’
Keep the interest of individuals paramount in the design and implementation of any system or service, eg by offering strong privacy defaults, providing individuals with controls, and ensuring appropriate notice is given.
How do we do this in practice?
One means of putting these concepts into practice is to develop a set of practical, actionable guidelines that you can use in your organisation, framed by your assessment of the risks posed and the measures available to you. You could base these upon the seven foundational principles.
However, how you go about doing this depends on your circumstances – who you are, what you are doing, the resources you have available, and the nature of the data you process. You may not need to have a set of documents and organisational controls in place, although in some situations you will be required to have certain documents available concerning your processing.
The key is to take an organisational approach that achieves certain outcomes, such as ensuring that:
Many of these relate to other obligations in the DPJL, such as transparency requirements, documentation, Data Protection Officers and DPIAs. This shows the broad nature of data protection by design and how it applies to all aspects of your processing.
Our guidance on these topics will help you when you consider the measures you need to put in place for data protection by design and by default.