Meritxell Borràs, the director of the Catalan Data Protection Authority (APDCAT), presented ‘Privacy by design and privacy by default. Developer’s Guide’. This is a new resource for developers of ICT apps and services that involve personal data processing, intended to help them comply with statutory privacy protection requirements. During the presentation event, held at APDCAT’s booth at 4YFN during the Mobile World Congress, Borràs underscored the hard work done by the APDCAT’s Legal Department and ICT teams to draw up this guide, along with the input on its final version from expert organisations such as the Catalan Telecommunications Association.
Implementing data protection by design and by default has been a mandatory requirement since its adoption in the General Data Protection Regulation. The former means that the person or organisation processing personal data has to put in place appropriate technical and organisational measures (encryption, anonymisation, etc.) to ensure compliance with the regulation both when designing services and products and while processing the data.
Meanwhile, data protection by default entails rolling out suitable technical and organisational measures to ensure that only personal data required for each specific purpose are processed by default. This means looking at the quantity of personal data gathered, the scope of the processing, the retention period and the accessibility of the data.
Apart from the statutory requirement, privacy-friendly products and services bring more added value to businesses. That’s because they meet a growing need among consumers who are increasingly aware of the dangers posed by the misuse of technology. It is thus a new brand value which enhances the market position of organisations and businesses and adds to their image and reputation.
A new resource
The guide, which is available on the APDCAT website, addresses the roles in data protection by design and by default and sets out how organisations and institutions that process personal data can effectively meet this data protection regulation requirement. It does this by specifying the key points to be factored into each stage of product or service development:
- Development and testing
- Data gathering
- Data use
- Data disclosure or sharing
- Data maintenance and storage
It further spells out key measures to protect personal data, such as encryption, anonymisation (including its techniques and risks) and pseudonymisation. Finally, it includes practical resources, such as a step-by-step picture guide for preliminary analysis and a checklist for assessing how far the product or service to be developed complies with the regulation’s requirements.