The European Data Protection Board (EDPB) has released new draft Guidelines 4/2019 on the obligation of data protection by design and by default as set out in Article 25 of the EU General Data Protection Regulation 2016/679/EU (GDPR). The guidelines provide useful advice on what this obligation means in practice and how to implement the data protection principles effectively.
What is data protection by design and by default?
The principles of data protection by design and by default require data controllers to implement appropriate technical and organisational measures and necessary safeguards to implement the data protection principles set out in Article 5(1) of the GDPR and to protect the rights and freedoms of data subjects. Controllers must be able to demonstrate the effectiveness of the implemented measures.
Protection by design
Data protection by design must be implemented both at the time of determining the method of processing and at the time of processing itself. This means that data protection by design and default must be considered throughout the life cycle of a processing activity: at development, design and at the point of processing. The intention is to have controllers and processors thinking about data protection at the earliest point in their activities.
Measures and safeguards
The guidance states a technical or organisational measure can be anything from the use of advanced technical solutions to the basic training of personnel.
Safeguards act as a second tier to securing data subjects’ rights and freedoms in the processing. The guidance sets out several examples including the ability for data subjects to intervene in the processing, repeating information to data subjects on data storage, implementing a malware detection system and training employees on phishing and basic ‘cyber hygiene’. An example of a technical measure is provided in pseudonymisation of personal data.
How is a measure effective?
Controllers must be able to demonstrate that the measures are effective in implementing the data protection principles and protecting the rights and freedoms of data subjects. The measures must be robust and scalable, in that as the risk of non-compliance increases, the measures must be capable of being scaled up.
The controller has to demonstrate compliance and the guidance suggests this can be achieved through determining key performance indicators. These indicators may include metrics, which could be quantitative, such as a reduction in the number of complaints or reduced response times to data subjects’ exercising their rights, or qualitative, such as through expert assessments or evaluations of performance.
Deciding on a measure
In determining the measures for a specific processing operation, the guidance advises controllers to ensure they are up to date with technological advances and that the measures adopted take account of the ‘state of the art’. It further advises, when considering the cost of implementation, that controllers should plan for and expend the costs necessary for effective implementation. Inability to meet costs is no excuse for not implementing the principles effectively.
The data controller must take into consideration the nature, scope, context and purpose of processing when determining the appropriate measures to implement. The data controller must also consider the risk posed to individuals’ rights and freedoms by the data processing: the guidelines refer to the EDPB Guidelines on Data Protection Impact Assessment (WP 248 rev.01, 4 October 2017), which it notes may be useful when carrying out such a risk assessment.
The guidelines confirm that data controllers have a continuing obligation to maintain data protection by design and default once processing has started and must re-evaluate their processing operations through regular reviews and assessments of the effectiveness of their chosen measures and safeguards. This obligation extends to any processing carried out by data processors, which should be regularly reviewed and assessed to ensure they enable continual compliance with the principles and support the data controller’s obligations.
Protection by default
‘Data protection by default’ refers to the choices made by a controller regarding any pre-existing or preselected value of a configurable setting that is assigned to a software application, computer program or device. Processing operations should be designed to process, at the outset, only the minimum amount of personal data necessary for each specific purpose. The guidance recognises defaults in computer software, programs and devices and explains that if third party software or off-the-shelf software is used the controller should ensure that functions that do not have coverage on legal grounds or are not compatible with the intended purposes are switched off. The same considerations apply to organisational measures supporting processing operations and the allocation of data access to staff in different roles should particularly be evaluated.
The guidelines note that the obligation only to process personal data which is necessary for each specific purpose applies to the following elements:
- amount of personal data collected (considering both the volume of data and its type)
- the extent of its processing;
- the period of storage (data not needed after it is first processed should by default be deleted or anonymised, with any retention objectively justifiable and demonstrable in an accountable way; and
- accessibility (access must be limited based on necessity while ensuring personal data is always available to those who need it, for example in critical situations).
The guidance sets out key design and default elements for each of the data protection principles and provides examples. The list of key elements could serve as a useful checklist as part of ensuring compliance.
The guidance notes that certification of data protection by design may be used to demonstrate compliance. It recommends that a certified processing operation offers a competitive advantage for technology providers and controllers. Controllers should look to other guarantees from technology and service providers in the absence of certification. Currently there are no Information Commissioner’s Office (ICO) approved GDPR certification schemes in operation but on 20 December 2019 the ICO announced that it will be working with the UK Accreditation Service (UKAS) to deliver these schemes.
The guidelines are open for public consultation and feedback until 16 January 2020, following which they will be finalised by the EDPB.