
Data Privacy by Design: Why organisations dealing with personal data should consider designing their processes around it


There is currently much debate and uncertainty over the status of the UK’s membership in the European Union. If the UK does remain in the EU following the referendum on 23rd June 2016, then along with the much talked about changes to its membership, the UK will also face significant changes to data protection law as a result of the new General Data Protection Regulation (“GDPR”).

Even if we do not remain within the EU, it is likely that companies doing any business in, or with, Europe will need to comply with the GDPR if that business involves any processing of personal data originating within EU or EEA member states. That could, for example, just involve holding the contact details of a French business’ staff for use in connection with work being done for that business. It will become very significant for businesses that “trade” in data—for example buying and selling contacts or offering data hosting services. The GDPR will replace the Data Protection Act 1998, and equivalent laws in other member states, with one regulation which will govern data processing inside the EU.

The GDPR is more extensive and significantly more prescriptive than the current law in the UK, and in order to ensure compliance, many organisations dealing with personal data will need to adapt their processes.

Under Article 23 of the GDPR, data controllers must implement appropriate technical and organisational measures, such as pseudonymisation, to ensure that the data protection principles are complied with and the necessary safeguards are built into the processing procedure. This is known as “privacy by design”. Furthermore, by default, only personal data which is necessary for the specific purpose of the processing is to be processed, and it should not be retained for longer than is necessary to fulfil the processing requirements. This is known as “privacy by default”.

In practical terms what this means for organisations processing personal data is that privacy and security measures need to be in place from the very outset, prior to the obtaining of the data for the purpose of processing it. The IT systems used by organisations should be developed to ensure that privacy of personal data is taken into account during the whole life cycle of the system.

Under the GDPR, data subjects will have the right to be forgotten, that is to say, they have the right to request that their data be deleted. Organisations will need to ensure that their systems enable the speedy and accurate deletion of data following any such request. Organisations will also need to ensure that only those people who need to have access to the data can access it: it should not be open to just anyone who has access to the system.

As well as developing systems and procedures that ensure compliance with the GDPR from the outset, organisations will also need to be able to evidence their compliance. For this reason, the procedures should be documented, and should be reflected in the functionality of the organisation’s IT system.

Organisations processing personal data should also check that their contracts of employment with their employees and third parties who process any personal data for them contain sufficient provisions to ensure that the security of the data is adequately protected, and that the employees and third party contractors are required to act in accordance with the organisation’s privacy procedures.

Organisations would be well advised to start reviewing their procedures and systems now, and making the necessary changes to them, ahead of the GDPR coming into force in late 2017.


This is for information purposes only and is no substitute for, and should not be interpreted as, legal advice. All content was correct at the time of publishing and we cannot be held responsible for any changes that may invalidate this article.