Data protection by design consists of looking at the lifecycle of personal data flows and assessing, at each stage, how the principles of data protection laid down in the GDPR (Article 5) are met, so as to protect the fundamental rights of people (privacy, but also others, cf. Article 1.2). The principles in Article 5 are backed by a number of related Articles in the GDPR.
Data protection is not just about security. Security relates to Article 5.1.f only. There are 5 other principles related to data processing, and one further principle related to the ability to demonstrate compliance with these 6 principles (accountability).
If you are not very cautious, a technical infrastructure choice can have unpredicted consequences. Complexity, combined with only a small number of people being able to understand the infrastructure, can have serious consequences later:
The architecture of the solution should aim at keeping things simple, not just for the user but also for the business end to end. That includes ensuring that the rights of people won't be impacted.
Using dozens of technologies in a semi-integrated way is cool, but it opens more doors to hackers, makes penetration testing more difficult and costs more to mitigate.
Data protection by design, data protection impact assessments and the 'Corporate DPIA' (Art 30 record plus an in-depth risk assessment) are closely related. Context matters!
Sometimes, it may even be wise to ditch some projects before it is too late.
A wise approach is to remember the old saying "If you can't protect it, don't do it...". After all, GDPR is primarily a data protection law (why do you think it is called General Data Protection Regulation?).
Claude Saulnier - CDPO CIPP/E B-Eng
Brand Ambassador - Bizoneo
Bizoneo offers data protection by design assistance.