GDPR: privacy by design costs nothing

The GDPR, which I’m sure you have heard about by now, comes into force by 25 May 2018. We have written a series of articles regarding the most important matters you should be considering prior to implementation of the regulation which are available on our website.

One of the overarching principles of the GDPR is that organisations implement appropriate technical and organisational measures designed to implement data protection principles. In other words, organisations should implement certain safeguards to ensure compliance with the GDPR from the outset, rather than implementing such measures after a breach. This is known as “privacy by design”.

What are appropriate technical and organisational measures?

The implementation of “privacy by design” within your organisation doesn’t always need to cost significant sums of money – there are many cost-effective (and even zero cost) methods of organisations collecting and storing personal data in certain ways which will greatly reduce the likelihood of an organisation breaching the GDPR. For example:

Pseudonymisation
Pseudonymisation is a new concept introduced by the GDPR, which essentially refers to manipulating data collected in a way so that it can no longer be attributed to a living individual. For example, an online shoe business may wish to collect data about users’ shoe sizes. If the business collects this data and separates it from the names/email address/other identifiers to which it relates, the data will no longer be considered to be “personal data”, as it cannot be used to identify a living individual, but retains its utility.

Implementing this concept where organisations will reduce the amount of data held which is subject to the GDPR, and therefore reduce the likelihood of breaches occurring.

Data minimisation
The concept of data minimisation is arguably linked with the concept of pseudonymisation. Data minimisation refers to what it says on the tin – organisations should minimise the amount of personal data they collect in order to pursue their interests. There is no point in holding personal data about individuals where that data offers no, or limited, use to the business.

Organisations should also think about minimising the length of time that personal data is stored for. Under the GDPR personal data should only be stored for the length of time that it is necessary to do so, unless one of the GDPR exceptions applies. As such, it seems sensible for organisations to delete (or in the very least, anonymise) personal data which is no longer needed by the organisation.

Privacy Impact Assessments (PIAs)
PIAs document the impact on an individual’s privacy as a result of the processing of an organisation. PIAs will consider the processing activity to take place, the personal data to be processed, the likely risk of such processing, as well as the steps organisations can take to reduce the inherent risks of such processing. This will help organisations to increase awareness of data protection internally, as well as demonstrate clear internal record keeping relating to such processing activities (which will benefit an organisation audited by the regulator for GDPR compliance).

Briffa are able to advise further on all concepts and requirements relating to data protection and the forthcoming GDPR. Don’t hesitate to contact Tom Broster (Tom@Briffa.com) or Eamon Chawke (Eamon@Briffa.com) if you wish to discuss these matters further.