Welcome aboard and we wish you a nice (and safe) journey!
At the beginning, let me give you a few words of introduction and reminder. I encourage you to read my previous posts about GDPR requirements (GDPR- what is this for?) and privacy protection (Privacy is value). Don’t worry, I’m not writing about GDPR again. Now, I would like to focus on Privacy by design.
It is worth emphasizing that it is in fact not a new idea, but it has become a requirement that needs to be understood before it is applied. Privacy by design is a very important foundation. In fact, it’s crucial for the creation of a good product that would meet GDPR requirements. Try to imagine a fast and beautiful car that was created without taking into consideration comfort and safety requirements. Then, when it was about to be launched into the market, someone suddenly decided: hey let's do something to make it more comfortable and safer. Would you like to take a trip driving such a car? I am afraid you wouldn’t find it safe or nice. Therefore, at the early stage of designing personal data processing, one should not only think about privacy protection (because it is not enough) but also about having respect for it. What it means is that the process we implement will not get too deep into entity’s privacy, and that the scope and scale of personal data processing will be limited.
It should also be emphasized, for a better understanding of the topic, that privacy by design is not an "IT problem". It should also be understood by those who organize all/-any processes of personal data processing.
If you, from the very beginning, create a process considering privacy protection - later on you will not have to apply “prostheses”. Please keep in mind that these “prostheses” are always uncomfortable and non-functional, so after some time, you may expect it to be circumvented and abandoned. As a result, it will increase the risk and bring the opposite result.
And what if you are "only" a customer looking for the best IT solution for your business processes? Do you know what requirements you need to specify? Do you know what you need for the data that you manage to be treated appropriately? Here as well, understanding Privacy by design will help a lot!
For a better explanation of Privacy by design let me try to apply an analogy of journey preparations. Just like when you are going on holiday or you are organizing a trip - there are tips to remember in order to make your trip successful and safe.
Privacy by design is just like a journey plan or guide for personal data processing. Ready, steady, go!
Where are you planning to go?
Where are you planning to go? Who will join you? It’s time to think about the purpose of your personal data processing and its subject. Why? Because everything else will depend on it.
Keeping the analogy of the trip, does it (or not) matter to you (and your preparations) whether you are going to visit your neighbors or you are planning to go trekking across Australia? By keeping the analogy - it is just the same- the data you need for the process will depend on the purpose of the very processing. Consequently, it depends on your destination of how you will prepare for the trip. Is it going to be difficult, dangerous and maybe a very, very long trip? Again, similarly - a specific and clearly defined goal for a well-defined data subject will result in a clear legal basis for personal data processing.
Please keep in mind that it is really important, or even the most important step, I dare to say, to ensure the legality of data processing.
So, what could be a legal basis for personal data processing?
- Providing a service / product under the contract?
- Compliance with legal obligations?
- Helping to save someone's health or even life?
- A public interest?
- Or another purpose that interferes in our interest as an administrator (for example, preservation of evidence)?
A defined goal will be finally an important trigger for new actions. Let’s take as an example the necessity or not to obtain data subject consent. Here, we need a short digression. You do NOT need to obtain consents when you are required by the law or contract performance conditions to collect and use personal data.
Additionally, please keep in mind that if consent is the legal basis for your processing, you must be ready that the entity can withdraw this consent at any time and expect you to delete his or her data. Besides, you have to design your own process so that the withdrawal of consent would be "light, easy and pleasant" for the entity.
Therefore, just to summarize the above: please, do determine your goal and legal basis - thanks to that you will know if you have to plan additionally the process of obtaining data subject consents.
At this point, you should also consider who should take part in your trip? In other words: who will be the data subject? You have to anticipate the fulfillment of an information obligation. So, the question is how are you going to do it? Thanks to having a specific purpose, you can properly inform the interested entity if the provision of data is voluntary, necessary for the conclusion of the contract, or maybe it is a statutory obligation?
One more important information, the above assumptions regarding personal data processing need to be included in an information obligation, so it is better to start planning it ASAP, expanding it with new elements.
Above all, make sure that:
- It contains all the necessary information,
- It is clear, comprehensible, "friendly" for the recipient (depending on who is the participant of the trip),
- There is a mechanism planned for informing people about their data processing,
- There is a mechanism planned for informing people about significant changes in their data processing.
Sightseeing or sunbathing?
It's great that you finally know where you are going to spend your time. Now, it is time for the next question-HOW? Will you go sightseeing or do you prefer to sunbathe? Why? Well, you need to know whether to bring a fishing tackle, trekking shoes or rather a chic outfit suitable for visiting museums and temples. You know what, the same is with data processing - you need to know what you are going to do with this data.
You already know your goal and now the question is what you will do to achieve it. Therefore, you need to answer the question which of the following aspects will apply in your process:
Proper identification of processing activities will have an impact on the subsequent planning stages, such as how to handle requests. An example - if the possibility of data deletion was not foreseen - how should the “right to forget” be served? Besides, different activities may also mean different roles and different permissions in your processes. You may not want every user to be able to delete or modify data, right?
To sum up, it's time to think about the must-see places in your trip. For us, in privacy by design, these must-sees are rights of the data subject. So, depending on the purpose of the processing, you need to answer the following questions:
- Is right to be forgotten ensured?
- Is right to copy ensured?
- Is right to correction ensured?
- Is right to portability ensured?
- Is right to restriction ensured?
- Is right to objection ensured?
- Is there a verification mechanism of subject requiring his or her rights?
The general definition of the right to be forgotten says that an individual can request the controller to delete his or her personal data, but please remember it is not an absolute and overriding law. One should bear in mind the requirements resulting from the contract concluded between an entity and a data controller. Data retention requirements and others, such as documentation (due to the possibility of claims) or financial/ accounting regulations are no less important.
Are you going for a weekend or half a year?
It would be wonderful to go for a trip without booking a return ticket. However, in this journey you need to clearly define its duration. It will obviously result from the purpose of processing or other requirements imposed on you. Therefore, let me say it again- having a goal is the most important aspect. The purpose of personal data processing will impact its retention.
Let me remind you that art. 5 requires that data must be collected for a clearly defined and legitimate purpose and processed accordingly. Next, at the end of processing (expiration of the purpose), the data should be deleted or anonymised. As an administrator, after determining the purpose of the processing, you need to specify the processing time.
It is important to know what legal requirements are related to the processing (e.g. accounting requirements). Therefore, while planning personal data processing, you need to be able to answer the following questions:
- Has a retention period been defined for each purpose of personal data processing?
- Is there a specific mechanism for deleting data after a storage period for each processing purpose?
- What will be the triggering factor for the data deletion process - is it defined?
- Will the process take place automatically?
To be continued.