Articles 25(1) and 25(2) of the GDPR (General Data Protection Regulation) outline your obligations concerning ‘data protection by design and by default’. This requirement ensures that the six data protection principles are implemented, and that individuals’ rights are always safeguarded. Applying appropriate technical and organisational measures to any processes within your organisation that involve personal data will help you meet this requirement.
The six data protection principles
Pseudonymisation and anonymisation are examples of appropriate technical and organisational measures that deliver data protection by design. Security measures of this type also help ensure that the data protection principles are implemented, especially principle 6, integrity and confidentiality.
The six data protection principles, in addition to principle 6 above, cover lawfulness, fairness and transparency, purpose limitation, data minimisation, data accuracy and storage limitation. Data protection by default is simple when these six principles are embedded in every one of your organisation’s processes. Data protection by default means that the individual’s rights are safeguarded from the very beginning of a process, before any additional measures are implemented.
What is a PCF?
A PCF (privacy compliance framework) will help ensure that your organisation can deliver data protection by design and by default while embedding the six data protection principles. Your organisation’s PCF should consist of a PIMS (personal information management system) and an ISMS (information security management system).
What is a PIMS?
A PIMS is composed of corporate policies supported by documented processes, procedures and practices; an appropriate standard for this is BS 10012.
What is an ISMS?
An ISMS will involve risk assessments and risk management strategies; ISO 27001 is the international standard that provides the specification for a best-practice ISMS.