How to implement Data Protection by Design
Following my colleague Phil Donn’s popular article on Privacy By Design (Part 1), I’m delving into the detail of what to consider when you are developing new applications, products and services, and how to approach the assessment process.
Good privacy requires collaboration
As a reminder, Data Protection By Design requires organisations to embed data protection into the design of any new processing, such as an app, product or service, right from the start.
This implies the DPO or Privacy team need to work with any project team leading the development, from the outset. In practice, this means your teams need to highlight any plans at the earliest stages.
A crucial part of a data protection or privacy role is encouraging the wider business to approach you for your input into changes which have implications for privacy.
Building strong relationships with your Project and Development teams, as well as with your CISO or Information Security team, will really help you make a step change to embed data protection into the culture as well as the processes of the organisation.
What are the key privacy considerations for Data Protection by Design?
Here are some useful pointers when assessing data protection for new apps, services and products.
- Purpose of processing – be very clear about the purpose(s) you are processing personal data for. Make sure these purposes are both lawful and carried out fairly. This is especially important where any special category data or other sensitive data may be used.
- End-to-end security – how will data be secured both in transit (in and out of the app, service or product) and when it’s at rest?
- Access controls – check access to data will be restricted only to those who need it for specific business purposes. And make sure the level of access (e.g. view, use, edit, and so on) is appropriate for each user group.
- Minimisation – collect and use the minimum amounts of personal data required to achieve the desired outcomes.
- Default settings – aim to agree proactive, not reactive, measures to protect the privacy of individuals.
- Data sharing – will personal data be shared with any third parties? If so, what will the lawful basis be for sharing this data?
- Transparency – have we notified individuals of this new processing? (Remember, this may include employees as well as customers). If we’re using AI, can we explain the logic behind any decisions which may affect individuals? Have we told people their data will be shared?
- Information rights – make sure processes are in place to handle information rights. For example, can data be accessed to respond to Subject Access Requests? Can data be erased or rectified?
- Storage limitation – appropriate data retention periods should be set and adhered to. These need to take into account any laws which may apply. To find out more, see our Data Retention Guidance.
- Monitoring – what monitoring will or needs to take place at each stage to ensure data is protected?
The assessment process
If there’s likely to be high risk to individuals, you should carry out a Data Protection Impact Assessment. This should include an assessment covering the requirements above.
Many organisations use a set of screening questions to confirm if a DPIA is likely to be required and I would recommend this approach.
In most cases it will also be appropriate for the Project team to consult with their CISO or Information Security Team. It’s likely a Security Impact Assessment (SIA) will also need to be carried out.
In fact, adopting a joint set of screening questions which indicate if there’s a need for a security assessment and/or a DP assessment is even better!
Embrace the development lifecycle
The typical stages involved when developing a new app, product or service are:
Planning > Design > Development > Testing > Early life evaluation > Production
Sometimes these stages merge together: it’s not always clear where one ends and another starts, or they may run in parallel.
This can make the timing of a data protection assessment tricky, particularly if your business uses an Agile development methodology, where the application design, development and testing happen rapidly in bi-weekly ‘sprints’.
I find when Agile is used the answers to certain data protection questions are not necessarily available early on. Key decisions affecting the design may be deferred until later stages of the project. The final outcomes of the processing can be a moving feast.
I always take the data protection assessment process for new developments step by step, engaging with the Project team as early as possible and starting with the privacy fundamentals.
For example, try to establish answers to the following questions:
- What data will be used?
- Will any new data be collected?
- What are the purposes for processing?
- What will the outcomes look like?
- How will individuals be notified about any new processing?
- Is the app, service or product likely to enable decisions to be made which could affect certain individuals?
An ongoing dialogue with the Project team is helpful. This can be scheduled in advance of key development sprints and any budget decisions which could affect development.
This way the more detailed data protection requirements can be assessed as the design evolves – enabling appropriate measures and controls to protect personal data to be agreed prior to development and before any investment decisions.
Let me give you an example…
I recently helped to carry out a DPIA for a new application which aimed to improve efficiency by looking at operational workflow data, including certain data on employees who carried out specific tasks.
When we started, the design was only partially known; it wasn’t yet agreed whether certain components were in or out of scope, let alone designed. Therefore data protection considerations such as the minimisation of data (to include only that necessary for the processing), appropriate access controls and specific retention periods had not been, and could not yet be, decided.
We worked through these items as the scope was agreed. I gave input as possible designs were considered, prior to development sprints. We gradually agreed and deployed appropriate measures and controls to protect the privacy of individuals.
Too often, in my experience, the privacy team is called in too late. This only leads to frustration when privacy issues are raised in the later stages of a project. It can cause costly delays, or the poor privacy team is pushed into making hasty decisions. All of this is unnecessary if teams know to go to the privacy team from the outset.
It can take time and perseverance to get your colleagues on board, and to help them understand the benefits of thinking about data protection from the start and throughout the lifecycle of projects. But once you do, it makes your business operations run all the more smoothly.
Simon Blanchard, September 2020
I hope you find my experience and ideas useful as you tackle your next development project. If we can help you with embedding Data Protection By Design into your organisation, or with specific assessments, do contact us for an informal chat.
The information provided and the opinions expressed in this document represent the views of the Data Protection Network. They do not constitute legal advice and cannot be construed as offering comprehensive guidance on the EU General Data Protection Regulation (GDPR) or other statutory measures referred to.