Background

On May 31st 2018 the European Data Protection Supervisor (hereinafter, the “EDPS”), published a “Preliminary Opinion on privacy by design” (hereinafter, the “Opinion”), with the aim of providing guidance on the measures that need to be taken by companies in order to ensure that they follow an approach of “privacy by design”. This approach encompasses the obligations of data protection by design and by default as set forth in Article 25 of the EU General Data Protection Regulation (hereinafter, the “GDPR”).

Main issues

Pursuant to Article 25 of the GDPR, the controller needs to implement appropriate technical and organisational measures, both at the design phase of the processing and during its operation, in order to effectively integrate the data protection safeguards needed to comply with the GDPR (“data protection by design”); as well as to ensure that the only personal data processed occurs where necessary for each specific purpose (“data protection by default”). The Opinion provides important guidance on the practical implications of this provision, while at the same time clarifying the relationship between Article 25 and other important GDPR principles, such as data minimisation and the general risk-based approach.

Firstly, the Opinion analyses the content of data protection by design, by elaborating four dimensions that derive therefrom:

  1. each personal data processing supported, in whole or in part, by IT systems should be the outcome of a design project, in which the safeguards to be implemented should be analysed and considered at the whole project’s lifecycle;
  2. since the GDPR does not specify mandatory security measures, a risk-management approach should be adopted in order to select and implement the actual measures needed for effective protection. In this respect, each organisation is responsible for choosing from the available safeguards those to be implemented, and balancing the cost of the measures (the “state of the art”) against the identified risks for the rights and freedoms of individuals. In any case, cost considerations can never lead to insufficient protection measures implemented for individuals;
  3. the identified measures must be appropriate and effective. This requirement has to be tested against the purpose of these measures, which is to implement the data protection principles set forth by the GDPR (e.g., the transparency principle, data subject’s rights, and data minimisation);
  4. the identified safeguards must be integrated into the processing itself, as opposed to being “external” safeguards (such as privacy notices).

In other words, data protection by design requires that the protection of individuals’ fundamental rights and freedoms becomes one of the company’s aims, rather than an afterthought or a minor issue. Data protection should be incorporated in the governance and management structure, along with a comprehensive and coherent allocation of roles and responsibilities in this respect.

The Opinion then briefly explores the scope of data protection by default: once the principle of data protection by design has been applied, the organisation should then only process the personal data necessary for the specific (and legitimate) relevant purposes which have already been identified. Data protection by default is thus strictly related to the purpose limitation and data minimisation principles. Vis-à-vis these principles, data protection by default stresses the importance of the implementation of technological measures to ensure the aforementioned aim, for instance by preventing any possibility of further “default” use of data, by means of a proper design of configuration settings.

The Opinion further provides several examples of existing privacy engineering methodologies which may be useful for organisations in implementing data protection by design and by default. These examples are:

  • the Privacy and Data Protection by Design report issued in 2015 by the European Union Agency for Network and Information Security (ENISA), which provides a comprehensive overview of the state of the art in this field;
  • the “Six protection goals for privacy engineering” that provide a framework to identify safeguards for IT systems processing personal data and add, besides the IT security triad of “confidentiality”, “integrity” and “availability”, three additional goals: “unlinkability”, “transparency” and “intervenability”;
  • the Introduction to Privacy Engineering and Risk Management in Federal Systems paper, issued in 2017 by the United States’ National Institute for Standards and Technology (US NIST) , which identifies a privacy risk model and three privacy system objectives, complementing the three aforementioned IT security triad;
  • the LINDDUN methodology developed by Leuven University, which particularly stresses the risk analysis aspects, complemented by a list of technology-neutral strategies to be implemented in order to tackle the risks;
  • the identification of patterns to engineer IT solutions to privacy requirements; this methodology draws inspiration from software development: design strategies for commonly recurrent privacy related problems are identified and may be divided into furthermore specific layers if needed. A list of such patterns may be found at https://privacypatterns.eu.

Practical actions/Implications

In order to comply with Article 25 requirements on data protection by design and by default, an organisation shall:

  • identify and implement appropriate risk-assessment methodologies for both IT systems and business process developments;
  • integrate the support for data protection in the management and governance framework, by clearly allocating internal roles, resources and responsibilities;
  • ensure that any such methodology and internal allocations stay up to date in respect to both the state of the art and the organisation effective structure;
  • make sure that the assessment of data subjects’ risks and the related implementation of data protection safeguards have been performed correctly where a new business / IT process involving personal data processing is initiated;
  • be able to prove that data protection has been taken into consideration and that effective measures aimed at tackling risks for data subjects have been implemented, by means of documenting the aforementioned processes and adopting internal policies and procedures.