GDPR Data Governance by Design and by Default

As we all know, the GDPR takes effect on 25 May 2018, and under the GDPR you need to implement technical and organizational measures to ensure that you have considered and integrated data protection into your processing activities.

Privacy by design has always been an implicit requirement of data protection.

The General Data Protection Regulation links data protection by design with the “data protection by default” principle.

Data protection impact assessments

What information should the DPIA contain?

Data protection officers
At a glance

What does the GDPR say about employer duties?

You must ensure that:

Can we allocate the role of DPO to an existing employee?

Yes, as long as the professional duties of the employee are compatible with the duties of the DPO and do not lead to a conflict of interests.

You can also contract out the role of DPO externally.

Does the data protection officer need specific qualifications?

The DPO must have professional experience and knowledge of data protection laws. However, the GDPR does not specify the precise credentials a data protection officer is expected to have.

Codes of conduct and certification
At a glance

What will codes of conduct address?

Codes of conduct should help you comply with the law, and may cover topics such as:


The GDPR requires personal data to be processed in a manner that ensures its security. This includes protection of data against unauthorized or unlawful processing and against accidental loss, destruction or damage. It requires that appropriate technical or organizational measures are used to protect personal data.

International transfers
At a glance

The GDPR imposes restrictions on the transfer of personal data outside the European Union, to third countries or international organizations.

These restrictions are in place to ensure that the level of protection of individuals afforded by the GDPR is not undermined.

Data breaches
At a glance

What should I do to prepare for breach reporting?

First, you have to make sure that your staff understand what constitutes a data breach, and that this must.

Also, you should ensure that an internal breach reporting procedure is in place. This will facilitate decision-making about whether you need to notify the relevant supervisory authority or the public.

In light of the tight timescales for reporting a breach, it is important to have robust breach detection, investigation and internal reporting procedures in place.


To assist organizations in applying the requirements of the GDPR in different contexts, we are working to produce guidance in a number of areas, for example children’s data, CCTV and big data.

This section will expand when our work on this guidance is complete.
