On 13 November 2019, the European Data Protection Board (EDPB) adopted the guidelines on Data Protection by Design and Default (DPbDD) for public consultation (link here) until 16 January 2020, providing an in-depth analysis of the components that make up DPbDD under GDPR article 25. We highlight below some of the key definitions.

Background

DPbDD refers to the effective implementation of data protection principles and data subjects’ rights and freedoms by Design and by Default. Controllers must be able to demonstrate that they have in place appropriate technical and organizational measures and safeguards in an effective manner. Incorporating such measures from the start of the project planning or product design, and embedding considerations of data protection through the launch phase is more effective and pro-active than a retrospective approach. This means that data protection practices and considerations must be ‘baked in’ to business practices and processing activities from the start. Although DPbDD primarily concerns controllers, processors and other parties are advised to take note as they work with controllers to fulfil the latter’s obligations under GDPR article 25.

Highlights from the guidelines

Data Protection by Design

  • Data protection ‘by Design’ applies to development of new services systems, processes, or products that involve personal data processing. It also involves expansion of existing such systems or processes in a way that increases the scope or nature of the personal data collected or processed.
  • Incorporating data protection by Design involves (1) implementation of appropriate technical and organisational measures designed to implement the data protection principles, and (2) integration of necessary safeguards into the processing to fulfil GDPR requirements and protect data subjects’ rights. ‘Effectiveness’ is key here: generic measures to document compliance will be insufficient; such measures (such as pseudonymisation of personal data) have to be robust and be able to be scaled up when there is a risk of non-compliance. Controllers may also determine appropriate KPIs (such as metrics) to demonstrate effectiveness.
  • Further to the above, safeguards act as a second tier to protect data subjects’ rights and freedoms during processing, and ensure the effectiveness of data protection principles from start to end of the processing cycle. Examples of safeguards include: enabling individuals to intervene in or opt out of certain processing; providing automatic and repeated information about what personal data is being stored; having a retention reminder in a data repository; and training employees on phishing and basic ‘cyber hygiene’ etc.
  • Time aspect: data protection by design must be implemented ‘at the time of determination of the means for processing’, i.e. assessment of appropriate measures and safeguards during the decision-making when determining the processing. Once processing has started, controllers have continued obligations to maintain effective implementation of the rights and principles. This necessitates re-evaluation of processing operations through regular reviews and assessment of the effectiveness of their measures and safeguards.

Data Protection by Default

  • Data protection ‘by Default’ refers to applying the central data protection principles of personal data minimisation and purpose limitation. Prioritizing data privacy should be central to the choices made by a controller regarding how to process personal data to achieve their purposes. Therefore, for ‘technical and organisational measures’, controllers are required to predetermine the purposes for the collection and processing of personal data, and only process what is required for that purpose.
  • The measures ‘must by default be appropriate to ensure that only personal data which are necessary for each specific purpose of processing’ are processed – this applies not only to the amount of personal data collected, but also the extent/frequency of the processing, the period of their storage and the accessibility to the personal data, etc. Controllers must also not forget that information security ‘shall always be a default for all systems, transfers, solutions and options’ during processing.
  • The EDPB also highlighted a list of key DPbDD elements to consider when operationalising DPbDD: such as transparency when dealing with data subjects; lawfulness of the processing; fairness during processing; the purpose limitation under GDPR article 5.1b and 6.4; the data minimisation principle under GDPR article 5.1c; the accuracy of the personal data under GDPR article 5.1d; the storage limitation; and integrity and confidentiality (the security principle) to strengthen data processing resilience.

Comment

The key takeaway from the guidelines is ‘effectiveness’ – controllers must be strategic, prepared to start early (well before the commencement of processing), work with design and implementation teams to incorporate data protection elements, internalise all costs that are likely to be incurred during implementation, and work with processors and other parties together, such as technology providers, to ensure it is DPbDD compliant.