Data protection form in the design phase

Are you designing a new product or service? Are you creating applications that process personal data? Or are you implementing a new IT system in your company? If so, remember to take care of personal data protection from the very first stage of your project.

Thanks to our solution you will not only meet the GDPR requirements, but also act in accordance with Guidelines 4/2019 of the European Data Protection Board (EDPB).

Data protection by design and data protection by default (DPbDD) are mechanisms that enable data controllers to build the principles of personal data protection, and the exercise of the rights and freedoms of data subjects, into processing activities already at the planning and design stage. This applies to every aspect, from setting the specifications of products or services, through their testing, maintenance and development, up to deletion.

The objective is to ensure data protection from the earliest stages of development of the designed process, so that safeguards do not have to be bolted on later. Privacy should be an integral part of the designed product or service, and its protection must last throughout the entire lifecycle of the system, hardware, software or process – from concept, through development, production, operation and maintenance, to decommissioning.

In accordance with the GDPR, controllers should implement appropriate technical and organizational measures before starting data processing in order to effectively apply data protection principles and provide processing with necessary safeguards.

The EDPB guidelines provide valuable guidance by turning these mechanisms from general clauses into practical tools that support data controllers in:

  • the implementation of the principles relating to the processing of personal data (Article 5 GDPR),
  • the protection of the rights of data subjects (Articles 12–22 GDPR),
  • the protection of the freedoms of data subjects (the Charter of Fundamental Rights of the European Union).

To achieve the above objectives, controllers should apply a risk-based approach, which is common to Articles 24, 25, 32 and 35 of the GDPR. One should identify the assets to be protected (natural persons, through the protection of their personal data), the threats (to the rights and freedoms of data subjects), and take into account the existing processing conditions (the nature, scope, context and purposes of the processing).

Personal data protection should be an integral part of every stage of designing products and services. Thanks to our tool, which is fully compliant with EDPB Guidelines 4/2019, controllers have access to practical solutions that help implement effective protective measures. Use our tool to meet GDPR requirements, protect the rights and freedoms of the data subjects whose data you process, and ensure data security from the very beginning of design.


1. Formal and legal analysis

Describe in detail the processing activities that will be carried out within the designed product, service or system.

Example: The planned process involves processing personal data of mobile app users for content personalisation. Data will be collected during user registration (contact and demographic data) and while using the app (data on user behaviour). The process includes the following stages: data collection, storage in an encrypted database, analysis by an analytics team, sharing analysis results with the marketing team, and periodic deletion of outdated data.

Specify what ordinary personal data will be processed as part of the proposed process. Ordinary personal data is information that identifies or is likely to identify an individual, but does not fall into the category of sensitive data (e.g. data relating to health, racial origin, political opinions). Precisely defining the type of personal data allows for better risk management and ensures compliance with data protection legislation.

Example 1: In a website user registration project, data such as first name, surname, e-mail address, phone number and residential address will be processed.

Example 2: In an online shop customer service process, personal data will be processed, including first name, surname, delivery address, contact phone number and e-mail address, necessary to fulfil orders and provide after-sales service.

Example 3: In an employee recruitment project, candidates' personal data will be processed, such as first name, surname, date of birth, e-mail address, phone number and data contained in the CV, e.g. employment history and education.

Specify what special categories of personal data will be processed as part of the proposed process. Special categories of personal data include information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade union membership, genetic data, biometric data (to uniquely identify an individual), data concerning health, sexuality or sexual orientation. The processing of these data requires special attention and must comply with additional data protection rules.

Example 1: In a support programme for persons with disabilities, health data of participants will be processed, such as medical documentation and disability certificates, in order to tailor the form and scope of support to individual needs.

Example 2: In an ethnographic research project, data concerning the racial and ethnic origin of participants will be collected and processed to better understand cultural diversity and its impact on local communities.

Example 3: In an advisory services project for LGBT+ persons, data concerning sexual orientation of participants will be processed in order to offer adequate support and advice tailored to their specific needs.

Indicate (preferably in points) all the processing purposes you intend to pursue in the designed process (the process description may help here). Identifying precise processing purposes before starting the actual activities enables you to define accurately the personal data needed and to adjust the structure of the project accordingly. Each new purpose must be compatible with the original purpose, and any resulting change to the project must remain consistent with what was originally intended.

Example: An online sales company intends to use its customers' purchase data to analyse purchasing trends. Before starting the project, it specifies that the data will be used exclusively for internal business analysis. Any extension of purposes, e.g. using the data for marketing campaigns, is carefully assessed for compatibility with the original purpose and for compliance with personal data protection regulations.

Verify that each of the purposes for processing personal data you have identified has an appropriate legal basis. Each purpose must comply with applicable data protection legislation and be based on one of the lawful grounds for processing, such as consent of the data subject, performance of a contract, fulfilment of a legal obligation, protection of vital interests, performance of a task carried out in the public interest or in the exercise of official authority, or the legitimate interest of the controller.

Example 1: A marketing company intends to process customers' contact data to send newsletters. Before starting operations, the company checks whether it has the customers' explicit consent to use their data for this purpose. If consent has been obtained, the company has a lawful basis for processing this data.

Example 2: An online product sales company wants to store its customers' data to fulfil orders and provide after-sales service. The company verifies that processing data for this purpose is necessary for the performance of a contract, which constitutes a lawful basis for processing personal data under applicable regulations.

Examples of penalties for infringement of this requirement:

Example 1: A penalty of PLN 10,000 imposed on the Capital Centre for Persons with Disabilities, inter alia for processing personal data without a legal basis by recording and storing sound (voice) in a monitoring system installed at the Centre.

Example 2: A penalty of PLN 100,000 imposed on the Surveyor General of Poland, inter alia for making personal data available on the "GEOPORTAL2" portal without a legal basis, namely land register numbers obtained from the land and buildings register.

Verify how you plan to comply with the information obligation (Article 13 GDPR). You are obliged to inform the person whose data you are processing about your identity, the purposes and means of the processing, the rights of data subjects, the recipients of the data, the storage periods and any transfer of the data outside the EU/EEA. This information must be provided in a concise, transparent and comprehensible manner at the time the data is obtained.

Example 1: The privacy notice is made available before registration or placing an order. The user receives information about the identity of the controller, purposes of processing, legal bases, recipients of data and the rights of data subjects.

Example 2: Providing written information on paper or electronically when collecting personal data, e.g. before signing a contract or registering. The document contains all required information in accordance with Article 13 GDPR.

Example 3: Placing a pictogram informing about video monitoring on the building together with a layered information obligation. The first layer provides basic information, while further details are available on paper or electronically.

Examples of penalties for infringement of this requirement:

A penalty of PLN 943,470 imposed on Bisnode Polska sp. z o.o., inter alia for failure to provide the information referred to in Article 14(1) and (2) GDPR to all natural persons whose personal data X Sp. z o.o. processes, who currently run or have run a sole proprietorship in the past, and natural persons who have suspended that activity.

Ensure that you only process personal data that is necessary, relevant and adequate for the process. This means keeping the amount of information you collect to a minimum and only processing personal data when it is strictly necessary and the purpose cannot be achieved by other means.

Example 1: A bookshop plans to increase online sales by creating two different order forms: one with a field for the customer's address for shipping physical books, and another without an address field for ordering e-books. This way it collects only the data necessary to fulfil the order.

Example 2: A courier company wants to assess delivery efficiency, work schedules and fuel consumption. However, to minimise risks related to monitoring employees and customer preferences, the company decides to pseudonymise employee and customer data. This allows the analysis goals to be achieved without processing personal data in a way that enables direct identification of individuals.

Examples of penalties for infringement of this requirement:

In 2020, H&M was fined €35.3 million by the Hamburg Commissioner for Data Protection and Freedom of Information (HmbBfDI) for collecting excessive and unnecessary information about employees. H&M monitored and recorded details of employees' private lives, including details of illnesses, religious beliefs and family circumstances, in breach of the principle of data minimisation (Article 5(1)(c) GDPR), which requires personal data to be adequate, relevant and limited to what is necessary in relation to the purposes for which it is processed.

You may only retain personal data for as long as necessary to fulfil the purposes of the processing. You should implement procedures for deleting or anonymising data and appoint a person responsible for monitoring and actually deleting the data. The retention period must be justified in the context of the purpose of the processing and based on an appropriate legal basis.

Example: The purpose of processing is managing the membership of data subjects. After membership ends, personal data is deleted because there is no legal basis for further storage. The controller has a data deletion procedure and implements an automatic deletion system.

Examples of penalties for infringement of this requirement:

In December 2019, the German data protection supervisory authority (Bundesbeauftragte für den Datenschutz und die Informationsfreiheit, BfDI) imposed a fine of €9.55 million on 1&1 Telecom GmbH. The fine was imposed for violating the principle of data retention, as the company stored customer data for longer than necessary for the purposes for which the data was collected.

Before processing personal data, verify the sources of the data and confirm their accuracy through appropriate technological and organisational measures that allow errors to be corrected.

Example 1: An insurance company plans to use artificial intelligence (AI) to assess insurance risk. Before deploying the system, the company carefully checks the reliability of the AI and ensures that results are non-discriminatory. Decisions are not made solely on the basis of AI unless the process is fully automated and compliant with the law.

Example 2: A public health institution, to ensure the integrity of personal data in patient records, uses hashing techniques and cryptographic timestamps. These technologies make changes to data traceable, allowing any modification to be identified, linked and monitored when needed.

Check that you have a procedure for the exercise of the rights of data subjects. Such a document explains how to handle requests made by these individuals and how to give effect to their rights as set out in Articles 15–22 GDPR, such as the rights of access, rectification, erasure, restriction of processing, data portability, objection, and the right not to be subject to a decision based solely on automated processing.

The persons whose data are processed may ask you to exercise their rights. In each case, you must assess the intentions of the applicant, taking into account the specific circumstances.

Example: A request from a data subject to delete their personal data processed by an online shop.

Examples of penalties for infringement of this requirement:

A penalty of PLN 2,015,595 imposed on ClickQuickNow sp. z o.o., inter alia for failure to implement appropriate technical and organisational measures enabling the data subject to exercise the right to request erasure of their personal data without undue delay (right to be forgotten).

In the designed process, you may delegate some or all personal data operations, such as storage, analysis or marketing activities, to processors. This requires the conclusion of a data processing agreement, which sets out the conditions and scope of the processing and guarantees adequate protection of personal data.

Example: Outsourcing companies handling customer service or IT services, accounting offices or audit firms that may process customers' financial data, and call centres.

Examples of penalties for infringement of this requirement:

Example 1: A penalty of PLN 4,911,732 imposed on Fortum Marketing and Sales Polska S.A., inter alia for failure to verify whether the processor provided sufficient guarantees of implementing appropriate technical and organisational measures so that the processing would meet GDPR requirements and protect the rights of data subjects.

Example 2: A fine of PLN 10,000 imposed on the National School of Judiciary and Public Prosecution, inter alia for entrusting the processing of personal data to the company e Sp. z o.o. in breach of Article 28(3) GDPR, i.e. without a contractual obligation on the processor to process personal data only on documented instructions from the controller, and without specifying in the processing agreement the categories of data subjects or the type of data.

Example 3: A penalty of PLN 33,012 imposed on K.P., running a business under the name (...) in S, inter alia for concluding an agreement with a processor that did not contain all the elements required by Article 28(3) GDPR.

Example 4: A penalty of PLN 155,628 imposed on the Housing Community in S, inter alia for entrusting the processing of its members' personal data without a written processing agreement and without verifying the processor.

Evaluate whether the planned process envisages the transfer of personal data to third countries or international organisations. You should ensure that the data is protected regardless of where it is processed, to prevent potential privacy and security risks. Transfers of data to third countries or international organisations, including onward transfers, are only permitted if the conditions laid down in the GDPR are met.

Example 1: Transfer of personal data to companies located outside the EU for cloud services or data hosting.

Example 2: Sharing personal data with business partners or service providers based outside the EEA who support marketing activities or customer service.

Example 3: Sending personal data to branches, subsidiaries or representative offices of companies outside the EEA for personnel management or internal communication purposes.

2. Identification of threats

Form fields: Threat, Source.

3. Identification of safeguards

Describe what technical data protection measures you use (e.g. data encryption, 2FA, backups, video monitoring, antivirus).

Describe what organisational data protection measures you use (e.g. staff training, data processing authorisations, relevant data processing policies and procedures, contractual clauses).

4. Identification of vulnerabilities

Indicate gaps, shortcomings and other factors that could allow a threat to materialise (e.g. lack of hard disk encryption, lack of staff training, lack of backups, monitors facing third parties visiting the organisation). If the acceptable risk level is exceeded, the identified vulnerabilities will form the basis for recommendations.

Form field: Indicate the vulnerability that could lead to the materialisation of threat no. 1.
5. Risk assessment

Legend

Based on the following legend, estimate the likelihood of a threat:

(1) low probability – the materialisation of the risk through exploitation of a vulnerability of the resources involved in the processing operations does not appear to be possible for the selected sources of risk;

(2) average probability – the materialisation of the risk through exploitation of a vulnerability of the resources involved in the processing operations is difficult for the selected sources of risk;

(3) high probability – the materialisation of the risk through exploitation of a vulnerability of the resources involved in the processing operations appears to be possible for the selected sources of risk;

(4) very high probability – the materialisation of the risk through exploitation of a vulnerability of the resources involved in the processing operations seems extremely easy for the selected sources of risk.

Based on the following legend, assess the impact of the threat to the rights and freedoms of data subjects:

(1) low impact – data subjects will not be affected by the effects of the infringement, or will encounter minor inconveniences that they can overcome without any problem (time required to re-enter data, impatience, irritation, etc.);

(2) average impact – data subjects may experience significant discomfort which they will be able to overcome despite some difficulty (additional costs, fear, misunderstanding, stress, minor physical injury, etc.);

(3) high impact – data subjects may encounter significant inconvenience that they should be able to overcome, but with serious difficulty (financial fraud, being blacklisted by banks, property damage, loss of employment, lawsuits, deteriorated health, etc.);

(4) very high impact – data subjects may face significant or even irreversible consequences which they may not overcome (financial difficulties resulting, for example, from unpaid debt or incapacity to work, long-term psychological or physical injury, death, etc.).

Form fields: Threat, Probability (select), Impact (select), Risk.
6. Planned response to risk

Indicate how you intend to handle the identified risk.

Form fields: Threat, Risk, How to deal with risk (select risk treatment), Recommendations.
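The following is an added worked example, not part of the ODO 24 form, showing how the risk assessment (section 5) and the planned response (section 6) can be kept as a small risk register in code. It encodes the two legend scales above as 1–4 enumerations, then combines them into a risk level and decides whether the acceptable level is exceeded, in which case the threat's vulnerabilities become recommendations. Everything beyond the legend is an assumption: the form does not say how probability and impact are combined, so the example multiplies the two scores and buckets the 1–16 product into four levels, sets the acceptable level at "Medium", and uses a generic accept/mitigate treatment vocabulary. The sample threats, sources and vulnerabilities are constructed from the hints given in section 4 and are not real assessment data.

```python
"""Risk register for a data-protection-by-design assessment (added example).

Scales follow the form's legend (1-4 for probability and impact). The
combination rule, the level buckets, the acceptable threshold and the
treatment labels are assumptions made for this example, not rules taken
from the form or from ODO 24.
"""
from dataclasses import dataclass
from enum import IntEnum


class Probability(IntEnum):
    """Likelihood scale from the legend: (1) low .. (4) very high."""
    LOW = 1
    AVERAGE = 2
    HIGH = 3
    VERY_HIGH = 4


class Impact(IntEnum):
    """Impact scale from the legend: (1) low .. (4) very high."""
    LOW = 1
    AVERAGE = 2
    HIGH = 3
    VERY_HIGH = 4


@dataclass
class Threat:
    name: str
    source: str                 # section 2: source of the threat
    safeguards: list[str]       # section 3: measures already in place
    vulnerabilities: list[str]  # section 4: gaps that could let it materialise
    probability: Probability    # section 5
    impact: Impact              # section 5


@dataclass
class Assessment:
    threat: str
    score: int
    level: str
    exceeds_acceptable: bool
    treatment: str
    recommendations: list[str]


# Assumption: risk score is the product of the two legend scores (1..16).
def risk_score(probability: Probability, impact: Impact) -> int:
    return int(probability) * int(impact)


# Assumption: bucket boundaries for the 1..16 product scale.
def risk_level(score: int) -> str:
    if score <= 2:
        return "Low"
    if score <= 6:
        return "Medium"
    if score <= 9:
        return "High"
    return "Very high"


ACCEPTABLE_SCORE = 6  # assumption: Low and Medium risks are acceptable


def assess(threat: Threat, acceptable: int = ACCEPTABLE_SCORE) -> Assessment:
    """Score one threat and derive the planned response (section 6).

    Per the form, recommendations are issued only when the acceptable
    level is exceeded; they are built from the listed vulnerabilities.
    """
    score = risk_score(threat.probability, threat.impact)
    exceeds = score > acceptable
    if exceeds:
        treatment = "mitigate"  # assumed label; "accept" below is assumed too
        recommendations = [f"Close gap: {v}" for v in threat.vulnerabilities]
    else:
        treatment = "accept"
        recommendations = []
    return Assessment(threat.name, score, risk_level(score), exceeds,
                      treatment, recommendations)


def build_register(threats: list[Threat]) -> list[Assessment]:
    return [assess(t) for t in threats]


# Constructed sample threats, using the vulnerability hints from section 4.
SAMPLE_THREATS = [
    Threat(
        name="Loss of a laptop holding customer records",
        source="Theft or misplacement of portable equipment",
        safeguards=["antivirus"],
        vulnerabilities=["lack of hard disk encryption", "lack of backups"],
        probability=Probability.HIGH,
        impact=Impact.HIGH,
    ),
    Threat(
        name="Disclosure of on-screen data to visitors",
        source="Third parties visiting the office",
        safeguards=["staff training"],
        vulnerabilities=["monitors facing third parties"],
        probability=Probability.LOW,
        impact=Impact.AVERAGE,
    ),
]

if __name__ == "__main__":
    for a in build_register(SAMPLE_THREATS):
        print(f"{a.threat}: score={a.score} level={a.level} "
              f"treatment={a.treatment} recommendations={a.recommendations}")
```

Running the module prints one line per threat; the laptop-loss threat (3 × 3 = 9, "High") exceeds the assumed acceptable score and yields two recommendations, while the on-screen disclosure threat (1 × 2 = 2, "Low") is accepted without any. The point of keeping the register as data rather than as a filled-in form is that the recommendations in section 6 are then derived mechanically from the vulnerabilities recorded in section 4, so the two sections cannot drift apart.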

Disclaimer

In order to obtain a meaningful data protection outcome in the design phase, all fields of the form should be completed. Each aspect of the compliance and security of personal data should be analysed on a case-by-case basis, in particular with regard to the implementation of the obligations set out in Article 25 GDPR. Therefore, this form can be at most an auxiliary tool and cannot be an independent basis for decision-making by any entity or person, who uses the form at their own risk. ODO 24 sp. z o.o. shall not be liable to any entity or person for any direct or indirect consequences of the use of the form, in particular in the form of damages, an obligation to pay compensation or reparation, administrative penalties imposed, loss of benefits or other negative consequences.
