Data Protection by Design: Part 2 – How to approach it

September 2020

How to implement Data Protection by Design 

Following my colleague Phil Donn’s popular article on Privacy By Design (Part 1), I’m delving into the detail of what to consider when you are developing new applications, products and service and the how to approach the assessment process.

Good privacy requires collaboration

As a reminder, Data Protection By Design requires organisations to embed data protection into the design of any new processing, such as an app, product or service, right from the start.

This implies the DPO or Privacy team need to work with any project team leading the development, from the outset. In practice, this means your teams need to highlight any plans at the earliest stages.

A crucial part of a data protection or privacy role is encouraging the wider business to approach you for your input into changes which have implications for privacy.

Building strong relationships with your Project and Development teams, as well as with your CISO or Information Security team, will really help you make a step change to embed data protection into the culture as well as the processes of the organisation.

What are the key privacy considerations for Data Protection by Design?

Here are some useful pointers when assessing data protection for new apps, services and products.

  • Purpose of processing – be very clear about the purpose(s) you are processing personal data for. Make sure these purposes are both lawful and carried out fairly. This is especially important where any special category data or other sensitive data may be used.
  • End-to-end security – how will data be secured both in transit (in and out of the app, service or product) and when it’s at rest?
  • Access controls – check access to data will be restricted only to those who need it for specific business purposes. And make sure the level of access (e.g. view, use, edit, and so on) is appropriate for each user group.
  • Minimisation – collect and use the minimum amounts of personal data required to achieve the desired outcomes.
  • Default settings – aim to agree proactive not reactive measures to protect the privacy of individuals.
  • Data sharing – will personal data be shared with any third parties? If so, what will the lawful basis be for sharing this data?
  • Transparency – have we notified individuals of this new processing? (Remember, this may include employees as well as customers). If we’re using AI, can we explain the logic behind any decisions which may affect individuals? Have we told people their data will be shared?
  • Information rights – make sure processes are in place to handle information rights. For example, can data be accessed to respond to Subject Access Requests? Can data be erased or rectified?
  • Storage limitation –appropriate data retention periods should be set and adhered to. These need to take into account any laws which may apply. To find out more see our Data Retention Guidance.
  • Monitoring – what monitoring will or needs to take place at each stage to ensure data is protected?

The assessment process

If there’s likely to be high risk to individuals, you should carry out a Data Protection Impact Assessment. This should include an assessment covering the requirements above.

Many organisations use a set of screening questions to confirm if a DPIA is likely to be required and I would recommend this approach.

In most cases it will also be appropriate for the Project team to consult with their CISO or Information Security Team. It’s likely a Security Impact Assessment (SIA) will also need to be carried out.

In fact, adopting a joint set of screening questions which indicate if there’s a need for a security assessment and/or a DP assessment is even better!

Embrace the development lifecycle

The typical stages involved when developing a new app, product or service are:

Planning > Design > Development > Testing > Early life evaluation > Production

Sometimes these stages merge together, it’s not always clear where one ends and another starts, or they may run in parallel.

This can make the timing of a data protection assessment tricky, particularly if your business uses an Agile development methodology, where the application design, development and testing happen rapidly in bi-weekly ‘sprints’.

I find when Agile is used the answers to certain data protection questions are not necessarily available early on. Key decisions affecting the design may be deferred until later stages of the project. The final outcomes of the processing can be a moving feast.

I always take the data protection assessment process for new developments step by step. Engaging with the Project team as early as possible and starting with the privacy fundamentals.

For example, try to establish answers to the following questions:

  • What data will be used?
  • Will any new data be collected?
  • What are the purposes for processing?
  • What will the outcomes look like?
  • How will individuals be notified about any new processing?
  • Is the app, service or product likely to enable decisions to be made which could affect certain individuals?

An ongoing dialogue with the Project team is helpful. This can be scheduled in advance of key development sprints and any budget decisions which could affect development.

This way the more detailed data protection requirements can be assessed as the design evolves – enabling appropriate measures and controls to protect personal data to be agreed prior to development and before any investment decisions.

Let me give you an example…

I recently helped a to carry out a DPIA for a new application which aimed to improve efficiency by looking at operational workflow data, including certain data on employees who carried out specific tasks.

When we started the design was only partially known, it wasn’t yet agreed whether certain components were in or out of scope, let alone designed. Therefore data protection considerations such as the minimisation of data (to include only that necessary for the processing), appropriate access controls and specific retention periods had not and couldn’t be decided.

We worked through these items as the scope was agreed. I gave input as possible designs were considered, prior to development sprints. We gradually agreed and deployed appropriate measures and controls to protect the privacy of individuals.

Too often in my experience the privacy team is called in too late.  This only leads to frustration if privacy issues are raised in the later stages of a project.  It can cause costly delays, or the poor privacy team is pushed into making hasty decisions. All of which is unnecessary, if teams know to go to the privacy team from the outset.

It can take time and perseverance to get your colleagues on board.  To help them to understand the benefits of thinking about data protection from the start and throughout the lifecycle of projects. But once you do, it makes your business operations run all the more smoothly.

 

Can we help? Our experienced team can support you with embedding Data Protection By Design into your organisation, or with specific assessments –  contact us

 

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

Dashcams and GDPR: Assessing the privacy implications

August 2020

7 point privacy guide for dashcams

The use of dashcams by taxi firms, business vehicle fleets and others is on the increase. Their use is encouraged by insurers and they are seen as an effective way of combating accident insurance fraud.

As dashcams are highly likely to capture images of people, companies installing them need to take stock and consider data protection law. This is personal data and you should consider the potential privacy impacts on those caught on camera, much in the same way as you would do when using CCTV.

Here’s my 7 point privacy guide for anyone using or preparing to install dashcams.

  1. Confirm what you’re using cameras for. You need to start with a clearly defined purpose (or purposes) for the images you wish to capture. For example to enable us to investigate alleged accidents for insurance purposes.
  2. Create a policy. Your ‘Dashcam Privacy Policy’ should make it clear what specific purposes these images are used for and identify the lawful basis for any processing of personal data images. You should make sure the processing is necessary and limited to those purposes. A policy should also explain what measures and controls are in place to protect individuals whose images are captured.
  3. Brief your drivers. Put simply drivers who operate the dashcams and anyone else who may use the images should fully understand how the cameras should be use and ow the data collected should be handled.
  4. Notify the public. You should consider putting clear signs on vehicles which have cameras. In a similar way to how you would tell people CCTV is in operation. and declare the capture of dashcam images within your company’s privacy notice. In a similar way to how you would tell people CCTV was in operation.
  5. Make sure images are transferred and stored securely. Many modern dashcams used by vehicle fleets provide the capability to schedule image downloads daily to a central image library for storage. These transfers must be secure, as must the location where the images are stored. Access should be restricted, given only to those who are authorised to use the images for the purposes you have specified.
  6. Decide how long to keep the recordings. One of the core data protection principles is not to keep personal data for longer than you need it. You may only need to keep  most images for a very limited period, in case an accident is reported to you. Some claims may come in weeks after the event – so your own experience needs to dictate what is a reasonable period to hold on to recordings. If no accident is reported within the agreed period you should destroy the images. When an accident is reported you may need to retain a specific section of dashcam footage related to the accident or alleged accident whilst the claim is investigated, or if legal hold is required. You should then delete it after a suitable period when its no longer necessary.
  7. You might need to carry out a Data Protection Impact Assessment. If you think the processing of personal data by your dashcams might potentially result in a high risk to individuals, you should conduct a DPIA.

If your vehicle fleet includes heavy goods vehicles (HGVs) of over 12 tonnes gross vehicle weight, which operate within the Greater London area, you should look ahead to complying with the forthcoming Direct Vision Standard.

This new safety standard was created to improve the safety of all road users, including pedestrians, cyclists and motorcyclists. Depending on your specific vehicles, you might be required to fit blind spot cameras which, like dashcams, is likely to capture images of people. The new standard is expected to come into force around 1 March 2021, at the earliest.

Meeting the data protection requirements for business use of dashcams doesn’t need to be onerous, but shouldn’t be overlooked.

After a successful career in publishing Simon moved into data protection consultancy in 2015. Simon advises businesses of all sizes across a wide range of sectors. He held the role of Director of Information Governance at Royal Mail Group in the run up to GDPR enforcement. He regularly delivers data protection courses for clients and the Institute of Data & Marketing (IDM).

Copyright DPN
The information provided and opinions expressed in our content represent the views of the Data Protection Network and our contributors. They do not constitute legal advice.

SIGN UP FOR OUR NEWSLETTER

Get DPN updates direct to your inbox. Insight, free resources, guides, events & services from DPN Associates (publishers of DPN). All our emails have an opt-out. For more information see our Privacy Statement.