PRIVACY BY DESIGN AND DEFAULT
GDPR introduces the concepts of “data protection by design and by default”.
Privacy by design requires taking data protection risks into account throughout the process of designing a new process, product or service, rather than treating it as an afterthought. This means assessing carefully and implementing appropriate technical and organisational measures and procedures from the outset to ensure that processing complies with GDPR and protects the rights of the data subjects.
Privacy by default requires ensuring mechanisms are in place within the organisation to ensure that, by default, only personal data which are necessary for each specific purpose are processed. This obligation includes ensuring that only the minimum amount of personal data is collected and processed for a specific purpose; the extent of processing is limited to that necessary for each purpose; the data is stored no longer than is necessary and access is restricted to that necessary for each purpose.
Organisations should be introducing these concepts without delay.