December 22, 2017 Blogby Corné van Rooij

Privacy by design: Data protection starts in the whiteboard phase – Part 6 of 9

This is the sixth blog topic about the impact of the General Data Protection Regulation (GDPR) on Consumer IAM projects. This blog is part of a series that touches on important topics for IAM experts who have an interest in the new EU regulations. This week’s topic is about ‘privacy by design’ – resulting in default protection of personal data.

Data protection starts in the whiteboard phase

Privacy by design: Data protection starts in the whiteboard phase - iWelcome GDPRDoing business online requires a precise approach as you want customers to have a smooth and comfortable journey, ultimately leading to more sales and customer satisfaction. Well… Let’s say the GDPR adds another requirement to your list: protection of your customers’ data and privacy must be a top priority from the first whiteboard session onwards, known as ‘Data protection by design’ (also referred to as ‘privacy by design’).

In short, this means that organisations are obliged to take into account data privacy from the functional design stage onwards. Newly designed online services must be compliant with the principles of the GDPR from scratch.

The ultimate aim of the ‘data protection by design’ rules in the GDPR is to ensure that, when developing a product or service, appropriate technical and organisational measures are implemented to ensure data protection in line with the GDPR. In other words: doors to personal data that are supposed to be closed according to GDPR, should stay closed because the product or service via which it was gathered was designed that way. This entails strict access control.


New call-to-action

Start with awareness

Make sure that everyone involved in the development of a product or service is fully aware of the “privacy by design” requirement and, where possible, implements technical and organisational measures to increase privacy. An example of such measures are pseudonymisation and encryption of personal data, but also internal privacy policies.
Also, check your existing products and services to see if changes are necessary. As you can imagine, for existing services the results of such a check may lead to redesigns and software modifications. This can be quite an expensive undertaking.


Another requirement: data minimisation

An important requirement that is introduced with this theme is ‘data minimisation’: only the personal data necessary for the indicated purpose should be processed and this principle should be embedded in the design of the product or service. In practice, this means that online retailers, for example, may not store your phone number if they do not require it for a specified purpose. If they do want to obtain and store this piece of information, they must ask the data prospect (i.e. the customer) for specific consent. Using consent given earlier for further processing is permitted, as long as it is for ‘compatible’ reasons (e.g. used for the same purpose as it had been originally collected for). And if a user is asked to provide data that is not necessary for delivering the product or service, then that can no longer be a mandatory field. Moreover, companies need to make clear what the impact is for filling in that field and mention the specific purpose of the processing of these data (as this is a requirement for getting consent).


Use common sense when handling personal data

Privacy by design: Data protection starts in the whiteboard phase - iWelcome GDPRLuckily, your organisation is not alone in this as the new rules apply to everyone handling customer data. Moreover, the European legislators feel that the requirements are more or less ‘common sense’ to organisations that are committed to customer friendliness and privacy protection. And quite frankly: I agree with them.

This also holds if you look at the current state of affairs: some organisations have been compliant with these requirements from the start. However, if you still have some work to do please realise that the GDPR rules are in no way optional. On the contrary: you must act now to avoid enormous fines!

Next time, we will cover the right to erasure (also referred to: the right to be forgotten) under the new GDPR legislation which will be a tough cookie to crack for many organisations.

The GDPR in all official European languages can be found here:

In a series of 9 blogs, we will dive deeper into the specific parts of the GDPR and their effect on IAM. 

  1. Why IAM will never be the same.
  2. When should consent be requested?
  3. Why transparency is key to building trust.
  4. Strict regulation of automated individual decision making.
  5. What is sensitive personal data?
  6. Privacy by Design & Data protection by Design.
  7. Special rights for the individual like “right to be forgotten”
  8. Data breach communication.
  9. Children's privacy under GDPR.

Feel free to repost this blog on your website! But when you do so, please be so kind to mention the source and give us a notice via

Corné van Rooij

Corné van Rooij VP Product & Strategic Alliances at iWelcome and IAM GDPR Specialist

VP Product & Strategic Alliances at iWelcome

Corné has been working in the security market for more than 20 years of which the last 15 years at two well known Identity Management Vendors.