Under the Data Protection Act 2019 companies are now required to adopt privacy by design as a mode of business. This can be accomplished through the adoption of appropriate technical and organisational measures designed:
- to implement the data protection principles in an effective manner; and
- to integrate necessary safeguards into the company processing operations.
Companies are required to implement appropriate technical and organisational measures for ensuring that, by default, only personal data which is necessary for each specific purpose is processed, taking into consideration:
- the amount of personal data collected;
- the extent of processing;
- the period of storage;
- its accessibility; and
- the cost of processing data and the technologies and tools used.
To give effect to this section, companies are required to consider measures such as:
- to identify reasonably foreseeable internal and external risks to personal data under the company’s possession or control. This can be done through a data protection audit or impact assessment;
- to establish and maintain appropriate safeguards against identified risks;
- to adopt measures such as the pseudonymisation and encryption of personal data;
- to adopt adequate backup measures that restore the availability of, and access to, personal data in a timely manner in the event of a physical or technical incident;
- to verify that the company safeguards are effectively implemented; and
- to ensure that the safeguards are continually updated in response to new risks or deficiencies.