What is data protection by design?

Data protection legislation contains basic principles for safeguarding the privacy of data subjects. Data protection by design and by default helps ensure that the information systems we use fulfil these data protection principles, and that the systems safeguard the rights of data subjects.

Data protection by design, and data protection by default, are central requirements in the General Data Protection Regulation (GDPR) that apply from May 2018. This guide describes how to comply with these requirements. The data controller must comply with the requirements governing data protection by design during software development, and when ordering systems, solutions, and services. The requirements must accordingly also be included when entering into agreements with suppliers, and when using consultants.

Transparency is a principle in the new regulation, and it is crucial when building data protection into software. Transparency about the use of personal data involves providing information about what is being processed, by whom, why, how, and for how long it is kept. In order for data subjects to exercise their rights, organisations must be open about their processing of personal data. That way, the data subjects can make informed decisions about whether or not to use a software, and this ensures the legitimacy and effectiveness of the data controller.

Management commitment is crucial for making the decision to apply the principles of use data protection by design in the organisation’s procurements and software development. Management must also ensure to provide sufficient resources for this task. Taking data protection into account throughout the development process is both cost-effective and more efficient than making changes to an existing piece of software. Enterprises that do not comply with the GDPR risk significant costs, in the form of both fines for breaking the law, liability to the data subjects, and loss of revenue resulting from damage to their reputations.