Reflection of surrounding buildings on RPC's building.

EPDB guidelines: Data Protection by Design and by Default

Published on 02 June 2020

How familiar are you with the obligations in the GDPR to protect personal data by design and default (DPbDD)? And what practical measures can you take to help ensure compliance?

The key takeaway

Data protection by design needs to be implemented both at the time of determining the means of the processing and at the time of processing itself. The latter means that an assessment of the effectiveness of the chosen measures and safeguards must take place on an ongoing basis. Implementing technical and organisational measures by default means only processing personal data which is necessary for each specific purpose.

The background

Article 25 GDPR specifies that data controllers must: 

  • Art 25(1): “taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing…both at the time of the determination of the means of the processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement the data protection principles, such as data minimisation..”
  • Art 25(2): “implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.”
In November 2019, the EPDB published detailed guidance on how organisations can comply with Article 25 GDPR and the associated data protection principles. The guidance includes examples of best practice, which help add meaning to the concepts set out in Article 25. 

The guidance

Data protection by design

According to the EPDB guidelines, data controllers should use measures designed to implement data protection principles:

  • at the time when the data processing is being planned – by considering the concrete elements of the design including architectures, procedures, protocols and layouts
  • when the data is actually being processed – by implementing appropriate safeguards
  • on an ongoing basis – by continuing to re-assess and consider the safeguards in place. 
The EDPB reminds controllers of their accountability for any third-party technology they use and recommends that they:
  • include in their contracts with technology providers a requirement to notify the controller of any changes to the ‘state of the art’ which may impact the effectiveness of the measures being currently deployed
  • require their providers to demonstrate accountability on how they are complying with DPbDD (eg through key performance indicators) and to push for transparency (eg through certification or via guarantees that they are DPbDD compliant)
  • consider the costs in terms of money and economic advantage, plus time and human resources – and weigh up the potential cost of fines as a result of non-compliance 
  • mitigate risk when observing data protection by design, by carrying out Data Protection Risk Assessments (DPIAs).
Data protection by default

The EPDB guidance explains that data controllers must implement appropriate technical and organisational measures by default and that this means taking the principle of data minimisation into account when configuring systems and processes. Default settings should process as little data as possible to achieve the purpose. This may mean turning off parts of an off-the-shelf software product if certain functionalities are not necessary to achieve the purpose. Equally, it may mean that data is anonymised or deleted if it is not needed after it has been processed. Access should also only be granted to those who need it when necessary. 

Why is this important?

The EPDB stresses the “crucial part” DPbDD plays in protecting privacy and stresses the use of effective compliant technologies. 

Any practical tips?

Review your processes and systems in line with the EPDB’s new guidance and consider what you can do to reinforce your policies and procedures to bring them in line with DPbDD. Also, review your contracts with existing third-party service providers (noting any terms that might need updating on renegotiation). Finally, don’t forget the importance of DPIAs!