Data protection by design and default

What does it mean for startups?

One of the best ways to help prevent getting into tangles with data protection law compliance later down the track is to integrate privacy measures into your organisation and its practices from the start. Not only will it help you comply with data protection best practice, but the law also requires that you do it.

The legal obligation to put measures in place comes from Article 25 of the UK GDPR (the UK’s main data protection law), which requires that companies have ‘appropriate measures to implement the data protection principles, and safeguard data’. These measures should be put in place when the means of the processing are determined (in other words, when a company is in its development stage) and at the time of the processing itself.

The law divides approaches to privacy measures into two concepts: data protection by ‘design’ and data protection by ‘default’.

Data protection by design

Data protection by design means implementing measures such as data minimisation (i.e., only collecting and using data that you actually need), and ‘pseudonymisation’ (i.e., scrambling information about a person so that you can’t immediately tell who it relates to as a means of safeguarding their privacy). To give a basic example, if a company is rolling out training to its staff on a new IT system and you’re designing a way to monitor who has completed that training, you would accomplish data protection by design by designing the monitoring system in a way that does not collect data relating to ethnic origin, which is not something that is relevant in order for you to monitor completion of the training.

Data protection by default

Data protection by default is more about concepts such as (by default) only collecting the minimum data you need to fulfil the purpose, not keeping data any longer than you need to, and limiting who the data is made available to. In the same example above relating to monitoring the completion of training on a new IT system; a company would be more likely to achieve data protection by default by ensuring information about who completed the training is only made available to those who need to see it, such as the company’s HR or IT teams.

While this example gives an overview of what the law asks of a company in terms of both data protection by design and data protection by default, how about considering something a little riskier?

Working through a riskier example

Let’s say that your company has designed a new smartphone app aimed at customers to advertise its new products, share newsletters, and provide a forum to allow customers to interact with each other. On signing up to the app, customers have to provide some data; their name, gender, date of birth, location, and occupation. You’ve set it up so that customer data is public by default (anyone can view customer profiles on the forum) and can easily be found on search engines.

You may have picked up that this is an example of poor data protection by design and default! But why?

On data protection by design, there is no need to process gender, location and occupation as the purpose of the app can be achieved without that information. Date of birth is useful, because it can help keep children off the app (as it’s not aimed at them), but why not simply collect year of birth instead? The company could also consider other ‘age-gating’ systems, for example, some apps in the gambling sector, where this is more relevant, would likely use facial age verification. You can also get bonus points by asking customers not to use their real names as their username on the forum, a very basic example of pseudonymisation!

On data protection by default, there is no need for the data to be publicly facing and customers should be able to control what data other people can see.

You can see that many of these issues are best dealt with at the design stage rather than after the app’s design and roll-out. Privacy by design and default is best achieved if you can manage to have your entire team on the same page when it comes to the privacy principles. 

In case you don’t yet have processes for data protection, here is a quick checklist of things to ask yourself, to help you achieve data protection by design and data protection by default: