Every day a data protection officer wakes up knowing they must keep pace with the changes that regulatory evolution, IT innovation and artificial intelligence impose on corporate privacy policies. This is one way to paraphrase article 25 of EU Regulation 2016/679 (the GDPR), the provision on data protection by design and by default, commonly referred to as privacy by design and privacy by default. The principle underlying privacy by design is the protection of the rights and freedoms of the data subjects involved. With regard to the processing of personal data, it requires the controller to implement appropriate technical and organisational measures, both when designing the processing and when carrying it out, so as to comply with the provisions of the Regulation.
Compulsory privacy by design for all enterprises
The expressions privacy by design and privacy by default refer to a well-known regulation, but the principles behind them are less familiar. The reason for this is the grey area left by the wording of the rule contained in art. 25, which prescribes a result rather than a fixed list of measures.
The concept of privacy by design, explained
Data protection officers, and therefore enterprises, not only have to apply rules: they also need to develop a habit of correct data handling and protection. Continuous attention to, and compliance with, the rules is required at all times in the design of processing operations, in their day-to-day running, and in every activity that involves the handling of personal data.
Continuous privacy handling
Ultimately, it is not sufficient simply to appoint a data protection officer (DPO) or to identify the data controller and the other roles involved. The business, as data controller, and any processor acting on its behalf will have to meet the daily necessity of protecting the personal data in their possession. Such a necessity is very likely to arise, for example, when dealing with remote working ("smart working"). In fact, privacy by design means an organisational model, a data handling system: not an abstract concept, but a systematic and standardised architecture that leaves no room for ad hoc discretion, availability, goodwill or chance. In conclusion, privacy by design is a modus operandi, an automatic system of data protection within an organisation.
The role of the data protection expert and how it benefits the business
The need for a change in the approach to personal data protection, and for insight into privacy by design best practices, is felt not only by enterprises but also by experts in GDPR compliance and privacy. In short, professionals supporting businesses in the development of a system for protecting and handling personal data, for instance in the field of IT security and defence against cyber attacks, need to invest in acquiring, and continuously updating, their understanding of privacy by design and by default.
Areas of investment in privacy by design and by default that need continuous updating
These are some of the possible actions to be taken in order to implement a standardised data handling project:
- identifying areas in need of new skills or updating;
- identifying topics to be studied independently and those for which to attend courses and seminars;
- analysing and selecting sources for keeping knowledge up to date, such as websites, online magazines, legal databases, etc.;
- setting up a calendar and a timetable for the research and collection of external documents;
- setting up an archive, organised by categories and tags, to classify the digital versions of the internal and external documents used for updating;
- scheduling regular compliance, functional and security checks of the data storage system, as well as periodic reviews of the overall configuration and operation of the data protection system.
In conclusion: in this field, as in others, it is not advisable to leave anything to chance, especially when it comes to the effort and the training required to manage GDPR compliance, data protection by design, BYOD policies and systems effectively, and to define the DPO's role and tasks within the company.
For our part, Damiani & Damiani Law Firm has always risen to the challenge posed by the continuous learning that a discipline such as data protection requires.