Privacy by Default

Data protection by default is the principle according to which an organisation (the data controller) ensures that only data strictly necessary for each specific purpose of the processing are processed by default (without the intervention of the user). To ensure that this key principle of the General Data Protection Regulation is applied in practice, the EDPS will issue guidance documents.

Privacy by Default means that once a product or service has been released to the public, the strictest privacy settings should apply by default, without any manual input from the end-user. In addition, any personal data provided by the user to enable a product's optimal use should only be kept for the amount of time necessary to provide the product or service. If more information than necessary to provide the service is disclosed, then "privacy by default" has been breached.

EU Privacy Law and GDPR Compliance Consulting

Privacy by Default: The social network example

Online social networks like Facebook are one of the best examples to illustrate Privacy by Default.

Imagine you have a social network account and you want to use one of its services. The social network and its services say they are compliant with the Privacy by Default Principles. To function correctly, the service only needs your name and email address.

It is not necessary for the service to publish your age, friends, location, etc. without your consent. If the service is compliant with the Privacy by Default Principle, it will only share your name and email address. All other PII will not be shared without the user’s consent.

If the social network service does share this PII, it is a serious breach of the Privacy by Default Principle, and it is not compliant with the Privacy by Default or Privacy by Design Principles.

To ensure this breach will never take place, the DevOps team should establish that in the service’s software, only the client’s name and email address should be accessible for third parties. And this should be a distinct user story—so every member of the DevOps team should have notice of this before going live.

Website GDPR compliance isn’t a simple matter, but by taking these steps, you’ll move substantially in the right direction. If you’re website uses a Content Management System, CMS you will need to monitor for changes to the software and plugins to help you reach full compliance. In the meantime, it’s up to you to take the necessary steps to get as close as possible. That's where we can help you attain fully compliant website GDPR for your online business. Call us today to get started: +44 (0) 20 8207 5485.