Privacy by Design and Default

What is Privacy by Design and Default? 

Privacy by Design means that the University needs to consider privacy at the initial design stages and throughout the complete development process of new products, processes or services that involve processing personal data. 

Privacy by Default means that when a system or service includes choices for the individual on how much personal data he/she shares with others, the default settings should be the most privacy friendly ones. This means the University needs to integrate data protection into our processing activities and business practices, from the design stage right through the lifecycle.

Articles 25(1) and 25(2) of the GDPR outline our obligations concerning data protection by design and by default.

Article 25(1) specifies the requirements for data protection by design: ‘Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.’

Article 25(2) specifies the requirements for data protection by default: ‘The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.’

Article 25(3) states that if NUI Galway adhere to an approved certification under Article 42, NUI Galway can use this as one way of demonstrating our compliance with these requirements.

NUI Galway must put in place appropriate technical and organisational measures designed to implement the data protection principles and safeguard individual rights.  

The key is that NUI Galway consider data protection issues from the start of any processing activity and adopt appropriate policies and measures that meet the requirements of data protection by design and by default.

How do data protection by design and by default link to data protection impact assessments (DPIAs)?

A DPIA is a tool that NUI Galway can use to identify and reduce the data protection risks of our processing activities. DPIAs can also help us to design more efficient and effective processes for handling personal data. DPIAs are an integral part of data protection by design and by default. For example, they can determine the type of technical and organisational measures NUI Galway need in order to ensure our processing complies with the data protection principles. However, a DPIA is only required in certain circumstances, such as where the processing is likely to result in a risk to rights and freedoms, though it is good practice to undertake a DPIA anyway. In contrast, data protection by design is a broader concept, as it applies organisationally and requires NUI Galway to take certain considerations into account even before NUI Galway decide whether our processing is likely to result in a high risk or not.

Some examples of how NUI Galway can implement data protection by design and by default include:

  • minimising the processing of personal data;
  • pseudonymising personal data as soon as possible;
  • ensuring transparency in respect of the functions and processing of personal data;
  • enabling individuals to monitor the processing; and
  • creating (and improving) security features.

Checklist for NUI Galway Units to consider:

☐ NUI Galway consider data protection issues as part of the design and implementation of systems, services, products and business practices.

☐ NUI Galway make data protection an essential component of the core functionality of our processing systems and services.

☐ NUI Galway anticipate risks and privacy-invasive events before they occur and take steps to prevent harm to individuals.

☐ NUI Galway only process the personal data that NUI Galway need for our purpose(s), and NUI Galway only use the data for those purposes.

☐ NUI Galway ensure that personal data is automatically protected in any IT system, service, product, and/or business practice, so that individuals should not have to take any specific action to protect their privacy.

☐ NUI Galway provide the identity and contact information of those responsible for data protection both within our organisation and to individuals.

☐ NUI Galway adopt a ‘plain language’ policy for any public documents so that individuals easily understand what NUI Galway are doing with their personal data.

☐ NUI Galway provide individuals with tools so they can determine how NUI Galway are using their personal data, and whether our policies are being properly enforced.

☐ NUI Galway offer strong privacy defaults, user-friendly options and controls, and respect user preferences.

☐ NUI Galway only use data processors that provide sufficient guarantees of their technical and organisational measures for data protection by design.

☐ When NUI Galway use other systems, services or products in our processing activities, NUI Galway make sure that NUI Galway only use those whose designers and manufacturers take data protection issues into account.