GDPR data protection by design and by default is not an additional layer of data security, but rather a test of a company's commitment to protecting personal data not just from third parties but also from its own commercial interests, management and employees.
The GDPR privacy by design and by default provision builds on the idea that tech solutions and their organisational implementation need to be developed from scratch with privacy in mind. Its multiple components give us an idea of what this means in practice.
The risk for rights and freedoms: The GDPR data protection by design and by default obligation is not about prescribing a specific set of activities but rather about conducting a risk assessment exercise. The data controller needs to look at what might go wrong and implement measures to tackle such privacy risks. For example, by default, the marketing department should not be able to access, in personalised form, any information for which marketing consent has not been obtained, in order to prevent excessive invasion of customer privacy.
State-of-the-art technical and organisational measures: GDPR data protection by design and by default presumes that technology not only threatens privacy but also helps protect it. It expressly mentions pseudonymisation, i.e. the safe, separate processing of data under pseudonyms. Furthermore, different access privileges can be set for different departments accessing cloud services, in line with the data minimisation principle.
The cost: GDPR data protection by design and by default takes proportionality into account, weighing the costs of implementation against the privacy risks. Measuring the intangible benefits of privacy and comparing them to costs may involve complex techniques such as contingent valuation. Simpler and cheaper solutions may be equally valid, though, and a privacy professional can help you find the best approach considering your company's specific situation.