From the earliest stages of project development, businesses engaged in the processing of individuals' personal data are required to implement 'privacy by design' and 'privacy be default' – two central principles of the GDPR as set out in Article 25. What this means in practice is that data privacy features and data privacy enhancing technologies should be embedded directly into the design of projects at an early stage, while also ensuring that user service settings must be automatically data protection friendly, and only data which is necessary for each specific purpose of the processing should be gathered at all.
Privacy by design is proactive and involves anticipating and preventing privacy invasive events before they happen. On the other hand, privacy by default aims to ensure that no action is required on the part of the relevant individual to protect their privacy it is built into the system by default such that if an individual takes no action to apply his privacy rights, his privacy rights will still remain intact.
For any business whose project will involve the processing of individual's personal data, potential investors will often need assurance that the organisation has complied with applicable data protection legislation, which for an Irish or European-based business will therefore include providing an assurance that privacy by design and by default have been considered and implemented appropriately from the beginning of the project's development.
Step 1 – Identify The Personal Data
The first step in ensuring that a project is compliant with the principles of data privacy by design and privacy by default will be to identify the various types of personal data which are being collected and processed. For early-stage companies, this can often be as simple as creating a spreadsheet, setting out the various categories of personal data which the company will collect or process through the development and use of the project, such as individual's names, email addresses, home addresses, employee numbers, biometric data, CCTV footage or otherwise any information related to an identified or identifiable natural person.
Concurrently with identifying the various types of personal data which the business will collect and use via the project being developed, consideration must also be given as to where this personal data is being collected from. This should also be set out in the spreadsheet as discussed above and while a substantive list of possible sources is too broad to be set out in this brief, one should include information submitted by individuals who create an account on the company's website using an email address, online identifiers such as IP addresses and cookies, location data, employee information including that which is held on payroll systems and HR files, and job candidates data collected via CVs or interviews.
It is also important for businesses to be aware at this stage that the GDPR imposes restrictions on the transfer of personal data outside of the EU. If the business will have the personal data of employees, clients, or suppliers stored on systems outside of the EU, an assessment will need to be undertaken as to whether this is necessary, as special safeguards may need to be put in place to ensure that sufficient level of protection travels with the data to ensure the data subjects retain the same level of protection as if their data was being processed within the EU.
Step 2 – The Legal Basis
Once the company has identified the types of personal data which it will process and identified where this personal data will be sourced from, the next step will be to accurately record the legal basis for this processing. The GDPR sets out six grounds for the lawful processing of personal data as follows:
- The consent of the individual concerned has been obtained;
- The processing is necessary for the performance of a contract;
- The processing is necessary in order to comply with a legal obligation;
- The processing is necessary to protect the vital interests of a person;
- The processing is necessary for the performance of a task carried out in the public interest; or
- The processing is in the legitimate interests of company/organisation (except where those interests are overridden by the interests or rights and freedoms of the data subject).
The sixth ground set above is known as the 'legitimate interests' basis and is different to the other lawful bases as it is not centred around a particular purpose and it is not processing that the individual has specifically agreed to (consent). Legitimate interests is therefore more flexible and early-stage businesses will often cite this basis as a broad-brush basis for conducting data processing activities, as processing in the company's 'legitimate interests' could in principle apply to any type of processing for any reasonable purpose. For this reason, it is important to be aware when citing 'legitimate interests' as the basis for processing personal data that a three-part test will need to be satisfied in order rely on this ground; namely an assessment of:
- Is there a legitimate interest behind the processing?
- Is the processing necessary for that purpose? and
- Is the legitimate interest overridden by the individual's interests, rights or freedoms?
For example, it is not enough to simply state that: 'we have a legitimate interest in processing customer data', as this does not clarify purpose or intended outcome. Instead, it is important to be more specific about the purpose, such as: 'we have a legitimate interest in marketing our goods to existing customers to increase sales'.
If the processing activities do not fall within any of the above six legal bases, these processing activities will be in breach of the GDPR.
Step 3 – Data Security
Once a record is kept and frequently updated, setting out the types of personal data, its sources and the legal grounds for which the data is processed, the basic foundations of developing a project in a data protection compliant manner have been laid and the next steps will be to ensure that compliance is maintained for the remainder of the project's life. As the project develops, the number of data processing activities increases. There are a number of important data protection principles which will need to be considered:
- Data Minimisation – the collection and processing of personal data must be adequate, relevant and limited to that which is necessary for the specified purposes (as set out in Step 2 above). Businesses must be able to demonstrate that they have appropriate processes to ensure that they only collect and hold the personal data they need.
- Data Security – Businesses
processing personal data must ensure that such data is processed
securely by means of 'appropriate technical and organisational
measures'. This means the security measures in place should
- The data can be accessed, altered, disclosed or deleted only by those authorised to do so (and that those people only act within the scope of the authority given to them);
- The data the company holds is accurate and complete in relation to why the company is processing it; and
- The data remains accessible and usable – if personal data is accidentally lost, altered or destroyed, the business should be able to recover it and therefore prevent any damage or distress to the individuals concerned.
A data breach refers to a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data. A business which acts as a data controller is obliged to notify the national data protection authority, which in Ireland is the Data Protection Commission (or "DPC"), of any personal data breach that has occurred, unless it is able to demonstrate that the personal data breach is 'unlikely to result in a risk to the rights and freedoms of natural persons'.
This means that the default position is that all data breaches should be notified to the DPC, except those where the business has assessed the breach as unlikely to present any risk to data subjects, and the controller can show why they reached this conclusion.
In any event, for all breaches – even those that are not notified to the DPC, on the basis that they have been assessed as being unlikely to result in a risk – the business must record at least the basic details of the breach, the assessment thereof, its effects, and the steps taken in response, as required by Article 33(5) GDPR.
On the other hand, if the business becomes aware that the data breach may indeed result in any risk to the rights and freedoms of affected individuals, it must make a notification to the DPC, not later than 72 hours from when it became aware of the breach.
Originally published by BHSM, October 2020
The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.