Last year, I was invited to give a talk “on GDPR” to NISO, an organisation that develops standards for managing digital information. While most of my thinking and writing has looked at applying data protection law to existing systems, this seemed like a good opportunity to think about how you might use it at an earlier stage, when designing a protocol, system or software. Flipping the usual phrase, rather than “data protection by design”, can we do “design by data protection”?
The resulting ten-minute talk got a good response from both the conference audience and organisers; and an offer to publish a paper if I would like to write an expanded version of the ideas. The result – “Thinking with GDPR: A guide to better system design” – has now been published.
It starts by pointing out three common, but false, assumptions about the law: that it is about preventing processing of personal data, that it is most relevant to individuals, and that it is mainly about consent. It then moves on to how organisations can use the law – in particular the Principles, Lawful Bases and Individual Rights – to design their systems, demonstrate accountability in their approach to personal data, and build trust. Finally, it gives three practical examples – student voter registration, federated access management, and data analytics – of how Jisc and the wider research network community are using the approach to design and develop systems that are innovative and world-leading both in the functions they provide and in their built-in respect for personal data.