Recently we read in the press that millions of Facebook users’ personal data was processed for a completely different scope, by a third party, without their consent. Personal data of EU citizens’ were also included in that. While this is a unfortunate occasion, it is however a good example of a major breach to privacy that should not happen, either under the present regulation and even more importantly when the GDPR becomes applicable.
It is not always an easy task to guarantee ‘privacy by default’ to your customers/users, at the level the GDPR defines. It’s not necessarily enough that your organization takes all adequate measures. You also need to control all of the third parties that are involved in your network, in case they process or store personal data on your behalf. If one of your partners wants to deliberately to misuse the data, there are not many thing to do to prevent it. But, as a controller, you are completely responsible for what your data processors do.
One of the functional requirements of the GDPR is Privacy by Default. The technical and organizational measures play a key role towards the implementation of this requirement. Best practises in working manners and well designed contracts are essential. But, if you cannot truly rely on all of your partners in applying the regulation, the efforts you make to protect your own organization may be useless if a partner is breaking the rules. One important decision is: with whom we are performing our services.
The spirit of ‘Privacy by Default’ in GDPR
The provision of Privacy by Default to the data subjects, such as our customers, club members, employees, and other persons whose personal data are collected by one of our services, is one of the controller’s main responsibilities. To better understand this requirement, we provide the following example: When a female visitor fills in an online form in order to subscribe to a newsletter list, she is submitting her name and her email address or/and any additional personal information about herself. She can by default expect that the controller will process her personal data according to the GDPR, in the way and only for the purposes that she has given her consent for, before she clicks the ‘Submit’ button and submits her subscription to the newsletter list.
The definitions of terms like processor, controller, process and personal data are defined in the regulation in article 4 and also in our March article in JCM. It is suggested to review the terminology from there. It is also good to understand that the controller or the processor can range from a person to a big organisation with tens of thousands of employees, as well around the world. Personal data can be any information relating to an identified or identifiable natural person (‘data subject’).
In GDPR the concept Privacy by Default is defined in chapter IV, Controller and processor, article 25. The Controller is responsible to ensure the Privacy by Default approach to people whose personal data are processed. The Controller is also responsible for ensuring that processor(s) follow the regulation. According to article 25, the controller “shall implement appropriate technical and organisational measures to ensure and to be able to demonstrate that processing is performed in accordance with this Regulation. Those measures shall be reviewed and updated where necessary.”
In this article we are focused mostly on the organisational measures. Technical measures will be reviewed and analyzed more closely in other articles. The concepts of technical and organisational measures are, however, deeply related to each other. Organisational measures such as developing a data protection management policy, secure processes, workflows with respect to the privacy and best practises are crucial and often are implemented successfully in conjunction with technical solutions. Therefore, when e.g. suggesting an extension to be installed in customer’s website, it is important to define and understand customer’s processes, how this extension may have access to personal data in different phases of the processing and more.
A very important aspect, in case our service is processing personal data, is to restrict the access to personal data to only known and authorized persons. It means that controllers and processors - who refer in most cases to organisations - should offer user account management to their users in order to get access to their profile and process their data. In many cases restrictions can be performed by defining user permissions (ACL) carefully or by using password protection. If personal data is stored also in physical form, for example in printed paper lists, notebooks etc., access to such sources must be controlled and restricted. Article 25 says, that “...by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons”. It should be carefully reviewed to ensure that visitors of a website can’t have access to any unauthorized personal data.
So, data minimization is one key principle when providing privacy by default. That means that only the necessary (personal) data should be gathered. The data should be stored only for the necessary time, and deleted or anonymized when not needed any more for the scope for which it was collected.
But what data can we characterize as necessary? There isn’t an exact rule for this, and it depends on the scope for which the data was initially gathered for. For example, the personal data we request during a user registration, depends on the scope of processing. An e-shop that delivers physical goods needs more information from its customers than, for example, a website that is offering free downloads to their registrants.
Another example is the example of a visitor subscribing to a newsletter list. What personal information is actually needed for that? Basically, the email address is enough to deliver the newsletter to the subscriber. On the other hand, there’s no problem adding some relevant fields to the subscription form, as long as you tell the subscriber why you ask for that information and describe the way in which you will process that data. Another important thing is, that the subscriber will be told beforehand, in a clear and understandable way, to what purposes the personal data will be processed.
Privacy by default - what does it means to me?
The roles Processor and Controller are defined clearly in article 4 in GDPR, but how do those roles fit in the working roles in everyday’s life? In order to provide the so called Privacy by Default not only to our organisations but to our customers as well, we need to define our role from that point of view.
Tips for Website Developers
The above procedure is not always so clear. For example, what is our role if we are designing a website to a customer and propose or develop an extension to be used on the website, which has something to do with personal data? In that situation our role is probably not, at least clearly, Controller or Processor. But we may have a significant role in implementing GDPR and privacy by default in our customer’s business. Or, what should we do if a customer wants to implement a solution we know is not compliant with GDPR? Do we leave the responsibility completely to our customer? In many cases we may find ourselves having greater expertise in implementing GDPR than our customers. If we aim to build long term relationships with our customers, based on mutual trust, it’s definitely a good idea to share our knowledge even as a service.
Tips for Managers
In case of a managerial role in an organization, it may be our responsibility to provide the required organizational measures to determine how the organization will implement the GDPR. It’s obvious that Privacy by Default can’t be achieved only by designing some legal documents like agreements and descriptions. Lifelong learning and the appropriate change management is in many cases needed against the well-known resistance to change. People working under our management first need to learn and understand the importance of personal data protection, what it means in practise and who it will impact in their daily work.
Tips for Entrepreneurs
Entrepreneurs may also come across this situation. We may find ourselves in discussions with our customers, convincing them that GDPR is something that really needs to be taken into account. A good idea is to study the regulation in order to become an expert in it. GDPR will be part of our lives from 25th May, so why not to make the best we can and utilize the business and career opportunities opening.
Legal disclaimer: This article contains general information about legal matters. The information is not advice, and should not be treated as such. You should not rely on the information on this article as an alternative to legal advice from your attorney or other professional legal services provider. If you have any specific questions about any legal matter you should consult your attorney or other professional legal services provider. You should never delay seeking legal advice, disregard legal advice, or commence or discontinue any legal action because of information on this website.
This article is part of the "GDPR overview: Decrypting the regulation in series".
- General Data Protection Regulation, (link)