Privacy by Design Policy
Introduction and Scope
This policy is for employees, workers and contractors of UseINBOX (“the Company”).
When processing personal data (defined below), Art 25 of the General Data Protection Regulation
(“GDPR”) obliges the Company to (taking into consideration the nature of the processing, risks to
individuals, costs, etc.) implement appropriate technical and organisational measures, such as
pseudonymisation, into such processing activities in order to meet the requirements of GDPR
(including the processing principles) and protect the rights of the data subjects concerned. What are
‘appropriate measures’ may well change from one processing activity to the other and it is important
that such measures are given consideration at the start of, and throughout, the life-cycle of the
Company’s processing of personal data. This obligation is referred to as ‘Privacy by Design’.
As a minimum, such measures must ensure that only personal data which are necessary for each
specific purpose of the processing are processed and that the personal data is not made available
to an indefinite number of individuals without the data subject’s involvement (“Privacy by Default”).
This Policy provides guidance on the Company’s approach to ensuring that it embeds privacy by
design and privacy by default across the Company’s operations.
In the event the Information Commissioner’s Office (“ICO”) finds that the Company has not met its
obligations in relation to Privacy by Design and Default, the ICO could potentially impose a monetary
penalty of the higher of 2% of the Company’s annual turnover or €10M. It is therefore important
that all staff understand and implement this Policy. If you have any questions, please contact the
Company’s Support Team at [email protected].
The following definitions apply to this Policy:
Personal Data: means any information relating to an identified or identifiable natural person (‘data
subject’); an identifiable natural person is one who can be identified, directly or indirectly, in
particular by reference to an identifier such as a name, an identification number, location data, an
online identifier or to one or more factors specific to the physical, physiological, genetic, mental,
economic, cultural or social identity of that natural person.
Special Category of Personal Data: means personal data revealing racial or ethnic origin,
political opinions, religious or philosophical beliefs, or trade union membership, and the processing
of genetic data, biometric data for the purpose of uniquely identifying a natural person, data
concerning health or data concerning a natural person’s sex life or sexual orientation.
Criminal Conviction Data: The rules for special category personal data do not apply to
information about criminal allegations, proceedings or convictions. Instead, there are separate
safeguards for personal data relating to criminal convictions and offences, or related security
measures. In order to process criminal conviction data we must either:
process the data in an official capacity; or
meet a specific condition in Schedule 1 of the Data Protection Act 2018, and comply with the additional safeguards set out in that Act.
For the purpose of this policy, when we are referring to ‘personal data’, we are referring to Personal
Data and Special Categories of Personal Data collectively.
Data Protection Impact Assessment (DPIA): an assessment of the impact of the envisaged
processing operations on the protection of personal data as referred to under Art 35 of GDPR;
Processing Principles: means the processing principles set out in Art 5 of GDPR and as attached
as an Appendix to this Policy.
Where law or regulatory policy has changed since this Policy was written, those changes shall take
precedence and this Policy will be interpreted in the light of changes.
This Policy should be considered in conjunction with the guidance and forms for undertaking a DPIA,
which are available on the Company’s intranet page for Data Protection.
A Data Protection Impact Assessment (DPIA) should be carried out where there is a high risk to
individuals. This may be as part of the initial phase of a project or when an existing project is being
reviewed. The DPIA should assess the risks to privacy and apply mitigation.
Privacy by Design – General Principles
The principles of ‘Privacy by Design’ can be summarised as:
Use proactive rather than reactive measures. Anticipate, identify and prevent privacy invasive events before they happen.
Privacy should be the default position. Personal data must be automatically
protected in any system or business practice, with no action required by the
individual to protect their privacy.
Privacy must be embedded and integrated into the design of systems and
All legitimate interests and objectives are accommodated in a positive-sum
manner. Both privacy and security are important, and no unnecessary trade-offs
need to be made to achieve both.
Security should be end-to-end throughout the entire lifecycle of the data. Data
should be securely retained as needed and destroyed when no longer needed.
Visibility and transparency are maintained. Stakeholders should be assured that
business practices and technologies are operating according to objectives and
subject to independent verification.
Respect user privacy by keeping the interests of the individual uppermost with
strong privacy defaults, appropriate notice and user friendly options.
Technical and Organisational Measures
The Company’s aim is to implement appropriate technical and organisational measures which are:
to implement the Data Protection Principles in an effective manner, and
to integrate into the processing of personal data the safeguards necessary for that purpose.
This Policy applies at the time of determining the means of processing, and at the time of actually
processing the personal data.
In doing so, the Company will take into account the available technical and organisational measures,
the cost of implementation and the nature, scope, context and purposes of processing of personal
data, as well as the risks of varying likelihood and severity for rights and freedoms of individuals
presented by the processing of their personal data.
If it is considered that the processing presents a high risk to individuals, a DPIA must be carried
out in accordance with the Company’s procedures found on the Data Protection intranet page.
Privacy By Default
The Company’s aim is that appropriate technical and organisational measures will be applied to
ensure that, by default, only the personal data which is necessary for each specific purpose of
processing of personal data is used, in relation to:
the amount of personal data collected;
the extent of processing that personal data;
the period of its storage; and
The Company’s aim is that by default personal data should be restricted to those who have a
business need to know.
Data Protection by Design
The Company’s aim is that when considering a proposal for a particular type of processing of
personal data, the impact of this on the individuals affected should be considered, and that
appropriate technical and organisational measures should be put into place to ensure that:
(a) the Data Protection Principles are implemented; and
(b) any risks to individuals’ rights and freedoms are minimised.
Vigilance by staff should be exercised continually to ensure the security of Company systems and
personal data, e.g. against attempts to trick individuals into revealing their log-in details; and to
avoid risks of personal data breaches arising from mobile devices and remote log-ins. Staff should
avoid downloading, working with or storing identifiable personal data wherever possible, and only
undertake these activities in compliance with appropriate Company guidance and policies.
Anonymised or partly/reversibly anonymised data should be used wherever possible.
When buying systems/software which involve personal data, or considering transfers/sharing of
personal data including using the “cloud”, staff must evaluate the privacy and security of alternative
solutions and vendors/partners. The use of such systems/software should, to the maximum extent
possible, avoid personal data being involved or put at risk of a data breach. Personal data should
only be placed on systems, devices or software where this is compliant with Company policies and
the legislation. The use, and duration of holding, of personal data should be minimised.
More information is available from [email protected].