The European Union’s General Data-Protection Regulation (GDPR) is about to introduce a number of new responsibilities for AdTech and MarTech companies (known as controllers and processors of data within the regulation). “Data protection by design and default” is a proposed new approach which promotes the implementation of privacy and data-protection compliance at the design phase of software production.
What is ‘Data Protection by Design and Default’?
Data protection by design is a concept written into Article 25 of the GDPR. While the regulation does not offer a clear dictionary definition, data protection by design generally promotes two ideas: a focus on privacy and data protection in the design phase, and processing of only the personal data that is absolutely necessary for a specific purpose.
Privacy by Design and Default vs Data Protection by Design and Default
Along with data protection by design, GDPR-focused articles and commentaries often reference the concept of privacy by design. Naturally, there is a lot of confusion in the industry regarding the dichotomy, and some authors deem the terms synonymous. We believe they are very closely related, but don’t necessarily mean the same thing.
Data Protection by Design and Default
Data protection by design and default, as the name suggests, is centered on personal data. It is a relatively new term and specifically appears in the context of the GDPR. While it is nearly synonymous with privacy by design, it explicitly focuses more on the processing of data, requiring systems and processes (e.g. advertising and marketing campaigns) to be created with careful consideration of data protection as early as the design stage.
“By default” means that only personal data absolutely necessary for a specific purpose is processed by the data processor—for example, the history of web searches and phrases entered in a search engine isn’t stored by the search engine by default, hence “data protection by default”).
Additionally, although the user is not “anonymous” per se, the amount of the data collected, the scope of its processing, and the period of storage and accessibility must also be minimized to the bare minimum required by a specific purpose. This activity is also known as data minimization.
Consider the two examples of what “data protection by design” and “data protection by default” mean in the practical sense, according to EU Commission:
- Pseudonymisation allows to replace all personally identifiable information with “pseudonyms”, i.e. automatically generated identifiers and encryption, and thus comply with the idea of data protection by design
- The default settings in a social media platform should be privacy-friendly, which allows to minimise the number of people accessing the data, and thus comply with the tenets of data protection by default
Privacy by Design and Default
Privacy by design and default implies that tools and policies are designed in a way that no data needs to be protected in the first place. The general understanding is that the approach does not need to involve processing of data at all, unlike in data protection by design and default.
Good examples here would be systems designed in a way that no personal information is needed:
- DHCP: IP address is assigned by the server and users can communicate without the use of personal identifiers, per se.
- RFID: Devices allow for communication, without revealing personal information, by use of radiofrequency.
- GPS: Users can take advantage of the system without revealing their own personal data (and thus location).
For the rest of the article, we’ll stick to the term data protection by design and default, as we believe it more accurately reflects the important implications and obligations introduced by GDPR (the text of the regulation doesn’t mention the term privacy by design even once).
How to Align AdTech and MarTech Platforms With Data Protection by Design and Default
Every company collecting marketing data from users (for the purposes of an online contest, for instance) will be required to assess whether the processing of personal data conducted and the methods of data protection are compliant with applicable law—i.e. with the provisions of GDPR.
How to Comply With Data Protection by Design
Compliance will mean that data processors and controllers will be held responsible for implementing certain policies. Data-protection procedures and systems should be a key consideration from square one in the early stages of any product or process development. For example:
- Development of systems that store or access personal data.
- Creation of policies that involve processing of data.
- Data-sharing initiatives.
- Using data for new purposes.
Ensuring compliance may essentially come down to taking the following steps:
- Using a special template for privacy-impact assessment (PIA) whenever a business designs, procures, or implements a new system.
- Revising standard contracts with data processors to assess the distribution of liabilities between the parties in relation to the “data protection by design” and “privacy by default” requirements.
- Revisiting and analyzing data-collection forms and web pages to ensure excessive data is not collected.
- Implementing automated deletion processes for particular personal data, as well as technical measures to ensure that personal data is flagged for deletion after a particular period.
How to Comply With Data Protection by Default
Additionally, in the context of MarTech/AdTech platforms, careful consideration is needed regarding the collection of personal data. Ask the following questions during evaluation:
- Do all data points need to be collected?
- Which parts of the data may be pseudonymized and encrypted?
- How soon can data be deleted (data retention) to ensure the platform is still viable and useful for clients?
This is a reversal of the popular pre-GDPR approach some companies had to personal data. In the past, companies would collect all the data they could and store it forever, with little consideration of whether it was really necessary or safe. This approach is no longer lawful in a post-GDPR world, which urges data processors and data controllers to rethink the data-collection process and reevaluate the necessary amount of collected data points and period of retention.
On the plus side, less data will be stored and AdTech and MarTech companies may expect reduced infrastructure costs as a result.
Benefits of Data Protection by Design
Taking a data-protection-by-design approach is an essential tool for a few reasons:
- Minimized risks and increased trust.
- Less data stored means reduced infrastructure costs.
- Potential data-processing problems are identified at an early stage, and addressing them is easier and less expensive.
- Increased awareness of privacy and data protection across an organization.
- Organizations are more likely to meet their legal obligations (e.g. GDPR).
- Actions are less likely to be privacy-intrusive and have a negative impact on individuals.
The principles of data protection by design and default discussed above may sound like a no-brainer and should be expected to be in place in most enterprises. But the ultimate goal behind the GDPR’s privacy-by-design approach is an attempt to formalize good practices, promote them across the industry, and introduce legal grounds for future sanctions.
Even today, many companies still completely ignore responsibilities associated with the protection of personal data, and since almost every online service or vendor processes personal data in one way or another, the situation calls for a universal obligation.
Implementation of privacy by design shall no longer result from an idea the company has about data protection and internal procedures, as it is now based on law. By not complying, companies risk sanctions in the form of a penalty of up to EUR 10,000,000 or 2% of the total annual turnover of the company from the previous financial year.