The UK’s independent authority set up to uphold information rights in the public interest, promoting openness by public bodies and data privacy for individuals.

Data protection by design and by default

You take a data protection by design and by default approach to managing risks, and, as appropriate, you build data protection impact assessment (DPIA) requirements into policies and procedures.

Ways to meet our expectations:

  • You reference DPIA requirements in all risk, project and change management policies and procedures, with links to DPIA policies and procedures.
  • Your procedures state that, if required, a DPIA must begin at the project’s outset, before processing starts, and that the DPIA must run alongside the planning and development process.
  • You anticipate risks and privacy-invasive events before they occur, making sure that at the initial design phase of any system, product or process, and at every stage thereafter, you consider the:
    • intended processing activities;
    • risks that these may pose to the rights and freedoms of individuals; and
    • possible measures available to mitigate the risks.

Can you answer yes to the following questions?

  • Would staff working on personal data processing projects be able to explain how they manage the risks as part of the project?