EPDB guidelines: Data Protection by Design and by Default
How familiar are you with the obligations in the GDPR to protect personal data by design and default (DPbDD)? And what practical measures can you take to help ensure compliance?
The key takeawayData protection by design needs to be implemented both at the time of determining the means of the processing and at the time of processing itself. The latter means that an assessment of the effectiveness of the chosen measures and safeguards must take place on an ongoing basis. Implementing technical and organisational measures by default means only processing personal data which is necessary for each specific purpose.
The background
Article 25 GDPR specifies that data controllers must:
- Art 25(1): “taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing…both at the time of the determination of the means of the processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement the data protection principles, such as data minimisation..”
- Art 25(2): “implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”
The guidance
Data protection by design
According to the EPDB guidelines, data controllers should use measures designed to implement data protection principles:
- at the time when the data processing is being planned – by considering the concrete elements of the design including architectures, procedures, protocols and layouts
- when the data is actually being processed – by implementing appropriate safeguards
- on an ongoing basis – by continuing to re-assess and consider the safeguards in place.
- include in their contracts with technology providers a requirement to notify the controller of any changes to the ‘state of the art’ which may impact the effectiveness of the measures being currently deployed
- require their providers to demonstrate accountability on how they are complying with DPbDD (eg through key performance indicators) and to push for transparency (eg through certification or via guarantees that they are DPbDD compliant)
- consider the costs in terms of money and economic advantage, plus time and human resources – and weigh up the potential cost of fines as a result of non-compliance
- mitigate risk when observing data protection by design, by carrying out Data Protection Risk Assessments (DPIAs).
The EPDB guidance explains that data controllers must implement appropriate technical and organisational measures by default and that this means taking the principle of data minimisation into account when configuring systems and processes. Default settings should process as little data as possible to achieve the purpose. This may mean turning off parts of an off-the-shelf software product if certain functionalities are not necessary to achieve the purpose. Equally, it may mean that data is anonymised or deleted if it is not needed after it has been processed. Access should also only be granted to those who need it when necessary.
Why is this important?
The EPDB stresses the “crucial part” DPbDD plays in protecting privacy and stresses the use of effective compliant technologies.
Any practical tips?
Review your processes and systems in line with the EPDB’s new guidance and consider what you can do to reinforce your policies and procedures to bring them in line with DPbDD. Also, review your contracts with existing third-party service providers (noting any terms that might need updating on renegotiation). Finally, don’t forget the importance of DPIAs!