Organisations, i.e. data fiduciaries, have to prepare a privacy by design policy (“the policy”) for a system-wide approach to data protection under the PDPB 2019.
Contents of the policy
- the managerial, organisational, business practices and technical systems designed to anticipate, identify and avoid harm to the data principal;
- the obligations of data fiduciaries;
- the technology used in the processing of personal data is in accordance with commercially accepted or certified standards;
- the legitimate interests of businesses including any innovation is achieved without compromising privacy interests;
- the protection of privacy throughout processing from the point of collection to deletion of personal data;
- the processing of personal data in a transparent manner; and
- the interest of the data principal is accounted for at every stage of processing of personal data.
Comparison with PDPB 2018
Unlike the PDPB 2018, the PDPB 2019 requires data fiduciaries to submit their privacy by design policy to the Authority for certification. Also, such a certified privacy by design policy must be published on the website of the concerned data fiduciary and on that of the Authority.
Comparison with GDPR
Under the PDPB 2019, the privacy by design requirements appear to be aimed in particular at the development of policies and documentation, whereas the GDPR accords controllers (data fiduciaries) greater flexibility in how they implement the requirements.