Data protection by design and default

Taking into account available technology, the cost of implementation of it and the nature, scope, context and purposes of the processing as well as the privacy risks to individuals, we must, both at the time we decide how to process personal data and at the time of the processing itself, implement appropriate technical and organisational measures (such as pseudonymisation) so as to minimise the amount of personal data processed in order to protect the privacy of individuals.

We must also implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose of the processing activity are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.

For any new projects that involve the processing of personal data the advice of the data protection officer must be sought, no later than the commencement of the project planning stage, so that the above principles can be put built in at the earliest opportunity.