Privacy by Default and Privacy by Design
These two buzzwords refer to technical concepts described in the GDPR that your company cannot avoid heeding and implementing: data protection as a default setting (“privacy by default”) and data protection through technical means (“privacy by design”). This means that IT systems have to be configured so that their programming already greatly reduces the possibility of illegitimate data processing operations. For example, checkboxes must not be pre-selected in a way that pushes users to consent.
Establishing a record of processing activities is a crucial prerequisite for being able to take adequate technical and organisational measures to provide for privacy by default and privacy by design. This is because once your company has internalised the requirements to be met to legitimately process personal data, it is easier to decide which measures have to be taken for these two privacy settings.
- According to the principle of privacy by default, your company’s website should offer suitable privacy settings to users. If, for instance, your website has an online marketing section including an option to register for an online account, the user must be given the possibility to view the consent he or she has given and to revoke it at any time. In the end, a system has to be implemented that protects the rights of the data subjects (rights to information, access to and rectification or erasure of personal data, the right to data portability, the right to object, restriction of processing). This could be realised by providing an online form or email address to contact your company.
- Finally, the principle of privacy by design is considered fulfilled when, e.g., the data subject’s consent is obtained prior to the data processing.