May 25, 2017

GDPR Compliance: Data Protection by Design and by Default

JT Sison

Data Privacy Cannot Be an Afterthought

When it comes to complying with the General Data Protection Regulation (GDPR), there is no end to the advice and proposals. Certainly, there are many steps that companies must adopt to avoid penalties. But as large an undertaking as GDPR compliance may be, it is all undergirded by the idea expressed in Article 25: data protection by design and by default.

By Design

Implementing data protection by design means going beyond technological solutions. Security procedures regarding data handling should be under consideration from day one. Often, this means conducting a Privacy Impact Assessment in order to ensure possible issues have been identified and proactively neutralized. In terms of actual process implementation, it entails utilizing best practices in data minimization, pseudonymization, and process documentation. This last item is particularly important. Clearly documenting proper data handling—and monitoring the data to ensure proper handling—is just as important as effective data minimization.

By Default

Implementing data protection by default is a somewhat less expansive but still vital notion in the GDPR. It means that taking data protection measures must be the rule, not the exception. These measures must be taken, by default, to ensure that only personal data necessary for each specific business purpose is processed—and that duty applies to the amount of data collected, the extent of its processing, its period of storage, and its accessibility. In practice, this means that companies must have a well-defined data lifecycle that ends with the destruction of said data. It also means that additional information and consent must be actively requested from the data subject.

To ready your company for GDPR and remain in compliance as your data processing needs evolve, data protection must be consistently baked into every part of the organization and the organization’s processes. Data privacy can no longer be an afterthought—or the responsibility of a single individual. A proactive team defense is the best defense against GDPR compliance violations.

The One-Year Countdown Begins Today

As always, we recommend consulting your legal or compliance teams, but we encourage you to learn more about how PKWARE can accelerate your journey to GDPR compliance. Get started with a free demo.
