On 20 November 2019, the European Data Protection Board (“EDPB”) published its draft guidelines on the principles of Data Protection by Design and Default (the “Guidelines”) under Article 25 of the EU General Data Protection Regulation (“GDPR”). The Guidelines were adopted on 13 November 2019 in the EDPB’s fifteenth plenary session. They give general guidance on the interpretation of the obligations of data protection by design and by default. In addition to covering these principles, the Guidelines also cover certification mechanisms for demonstrating compliance with Article 25 GDPR and enforcement by supervisory authorities.
The Guidelines are designed to apply to data controllers, but the EDPB notes that: “Other actors, such as processors and technology providers, who are not directly addressed in Article 25, may also find [the] Guidelines useful in creating GDPR-compliant products and services that enable controllers to fulfil their data protection obligations.”
1. Data Protection by Design
Article 25(1) of the GDPR places two key obligations on data controllers when designing products and services, namely to:
(1) implement appropriate technical and organisational measures that are designed to implement the data protection principles (as set out in Article 5 of the GDPR); and
(2) integrate necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects (as set out in Articles 12 -22 of the GDPR).
The Guidelines confirm that these obligations must be considered both at the time of determining the means of processing (the architecture, procedures, protocols, layout and appearance) and at the time of the processing itself (including over the course of the processing activities).
Technical and Organisational Measures
The EDPB considers that:
“A technical or organisational measure can be anything from the use of advanced technical solutions to the basic training of personnel, for example on how to handle customer data.”
These measures do not therefore need to involve the use of the very latest (and most expensive) technology and could, for example, include the use of pseudonymisation.
The Guidelines emphasise that the measures must be implemented in an effective manner, which means that generic measures may not be sufficient . The measures must be targeted and have an actual effect. The Guidelines suggest that key performance indicators and quantitative and qualitative metrics can assist with demonstrating compliance.
The EDPB considers that appropriate measures and necessary safeguards are meant to serve the same purpose, but that safeguards act as a second tier to secure data subjects’ rights and freedoms in the processing.
Safeguards should be designed to ensure the effectiveness of the measures implementing the principles throughout the life-cycle of the processing activities. The EDPB provided some examples of what these safeguards may be, including:
(1) enabling data subjects to intervene in the processing;
(2) providing automatic and repeated information about what personal data is being stored;
(3) having a retention reminder in a data repository;
(4) malware detection system on a computer network or storage system;
(5) training employees about phishing and basic “cyber hygiene”.
State of the Art
Whilst there is no requirement to use cutting edge technology, the measures adopted should take account of the “state of the art”. This requires that controllers stay up to date on technological progress and also on relevant organisational measures. As a result, using security software with known vulnerabilities or that are out of date would likely not be considered measures that take account the state of the art.
Article 25(1) of the GDPR does allow for the cost of implementation to be taken into consideration when determining the appropriateness of the measures to be used. The Guidelines clarify that this cost should be considered in a wider sense than simple monetary cost and should also include the time and human resource cost. The EDPB also cautions that it is the implementation cost of the measures that must be taken into account, but notes that the implementation and maintenance of the “state of the art” may also be of significance when considering the cost of implementation, although how this would work in practice is not clear.
Nevertheless, the controller is required to plan for and expend the costs necessary for the effective implementation of all of the principles in the GDPR. The EDPB is unequivocal when it states:
“Incapacity to bear the costs is no excuse for non-compliance with the GDPR.”
However, the EDPB also cautions that simply because the technology is expensive does not mean that it necessarily leads to effective implementation of the principles and the controller must manage the costs to be able to effectively implement all of the principles.
The final considerations set out in Article 25(1) of the GDPR are to consider the:
• nature - i.e. the inherent characteristics of the processing;
• scope - the size and range of the processing;
• context - the circumstances of the processing, which may influence the expectations of the data subject; and
• impact – the impact the processing will have on the rights and freedoms of the data subjects (contained in Articles 12 -22 and in the EU Charter of
Fundamental Rights and Recital 4). The Guidance suggests that when performing the risk analysis for compliance with Article 25 of the GDPR, the controller should identify the risks and determine their likelihood and severity, taking into account the guidance from the EDPB on Data Protection Impact Assessments and also relevant best practices and standards.
2. Data Protection by Default
Article 25(2) requires that controllers implement data protection by default. This means that the decisions made by the controller on the basic configuration of the processing should be made with data protection considerations in mind. According to the Guidelines, this basic configuration includes:
“the value or processing option that is assigned in a software application, computer program or device that has the effect of adjusting, in particular but not limited to, the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.”
Default settings on products and software should be those that provide data protection by default. Any changes to these settings would therefore require the intervention of the user (or, in our view, possibly in some cases, the employer of the user) The Guidelines specify that these basic data protection settings should apply "out of the box" and be the same on all instances of the device, service or model.
The same considerations apply to the organisational measures supporting processing operations, which should be designed to process only the minimum amount of personal data necessary.
The technical and organisational measures should meet the considerations discussed above under the data protection by design principle, but with the principle of minimisation in mind. The measures must by default be appropriate to ensure that only personal data which are necessary for each specific purpose of processing are being processed.
The Guidelines also specify that data protection by default needs to apply to the following elements of the processing:
- amount of personal data collected – only the personal data that is necessary should be collected. The EDPB classifies that this should be considered in a qualitative and quantitative sense, so that the types and categories of data collected should also be considered as part of data minimisation.
- extent of processing – the operations conducted on personal data should also be limited to what is necessary. The EDPB also cautioned that “Controllers should also be careful not to extend the boundaries of “compatible purposes”, and have in mind what processing will be within the reasonable expectations of data subjects”.
- period of storage - personal data should be deleted or anonymised by default when it is no longer needed.
- accessibility - the controller should also put in place access controls so that the only individuals that can access the personal are those for which it is necessary. The Guidelines also called out the requirement in Article 25(2) that personal data should not be made accessible to an indefinite number of natural persons without the individual’s intervention. As a result, the controller must, by default, limit accessibility and consult with the data subject before publishing or otherwise making available personal data about the data subject to an indefinite number of natural persons. However, the method for intervention may depend on the lawful basis for processing.
3. Application and the Principles
The Guidelines also contain practical guidance on how to effectively implement each of the data protection principles set out in Article 5(1) of the GDPR. These 'key design and default elements' are replicated from the Guidelines in the table at the end of this article and should be read in conjunction with the specific examples set out in the Guidelines.
The Guidelines reiterate that processing operations may be certified for compliance with Article of the GDPR and that this certification may provide an added value to a controller when choosing between different processing systems from technology providers. The EDPB also considers that a data protection seal may also provide a guide for data subjects in their choice between different goods and services.
5. Next Steps
The consultation on these draft Guidelines will end on 16 January 2020, after which the EDPB will consider any comments provided and update the Guidelines if necessary.
|Principle||Key design and default elements|
|Purpose Limitation|| |
|Data Minimisation|| |
|Storage Limitation|| |
|Integrity and Confidentiality|| |