It’s almost a year since the Data Protection Act 2018, incorporating the GDPR, came into force. While the new mandatory requirements, not unexpectedly, are taking time to become part of everyday business, it seems the phrase “data protection by design and default” is still causing confusion and there’s a lack of progress in embracing this ideal.
What does data protection by design and default mean exactly? In simple terms, it’s embedding data protection into your processes and the way you do business. Another way to think of it is to ask “how would I want the organisation to treat my personal data?” To which you may answer:
- Making sure I understand what I’m providing, why and for how long
- Not asking for more of it than is needed
- Using it only as I’d expect it to be used
- Not giving it to anyone I haven’t agreed may have it
- Protecting it so it doesn’t get stolen or misused
- Only letting people who need access to it have it
- If something goes wrong, dealing with it responsibly and keeping me informed
- Ensuring there are easy-to-use processes in place if I want to exercise any of my rights
- Being open, honest and accountable in how both I and my data are treated
This isn’t a definitive list; there are other points you may consider. Instead, use it to begin the process of understanding and implementing data protection by design and default. If we’re happy with how our own personal data is used, then our customers and others are likely to be as well.
Blog by our Head of Consulting, Rob Horne