At a glance

  • You have a general obligation to implement technical and organisational measures to show that you have considered and integrated data protection into your processing activities.
  • Privacy by design has always been an implicit requirement of data protection that the ICO has consistently championed.
  • The ICO has published guidance on privacy by design and default within the Guide to GDPR.

In brief

What is data protection by design?

Under the GDPR and Part 3 of the Act, you have a general obligation to implement appropriate technical and organisational measures to show that you have considered and integrated the principles of data protection into your processing activities.

If you are processing personal data for law enforcement purposes, you must implement these measures by default, to ensure that you only process personal data for a specified and necessary purpose.

In particular, you must ensure that by default, you put safeguards in place to prevent personal data being made available to an indefinite number of people without an individual’s intervention.

Example

An authority responsible for courts and tribunals are building new IT systems for storing or accessing personal data. Prior to any live use, the authority is required to review their privacy and data protection compliance and perceived risks from the start of the project, rather than adding on such considerations at the end. This process could involve undertaking a Data Protection Impact Assessment (DPIA).