Draft Guidelines on Data Protection by Design and by Default issued by the EDPB


On 20 November 2019, the European Data Protection Board (EDPB) issued a draft of Guidelines on Data Protection by Design and by Default.

The comprehensive drafting project has been ongoing for nearly a year. The Norwegian Data Protection Authority has been in charge of the project, which has also relied heavily on the involvement of the EDPB’s Technology Expert Subgroup.

The Guidelines were approved by the EDPB in the middle of November, implying that all European supervisory authorities support the Guidelines, and the Guidelines are now open for public consultation until 16 January 2020.


The Guidelines

In summary, the Guidelines provide an interpretation of the requirements set out in Article 25 GDPR, and the legal obligations introduced by this provision. The Guidelines set out operational examples on how Data Protection by Design and Default can be applied in the context of specific data protection principles. Furthermore, the Guidelines address the possibility of establishing a certification mechanism for controllers to demonstrate their compliance, in addition to how Article 25 may be enforced by national supervisory authorities.

The Guidelines provide recommendations on how controllers, processors and technology providers can cooperate to achieve data protection by design and by default, and how this can be used as a competitive advantage. While processors and technology providers are not directly addressed in Article 25, they are recognized as key enablers for data protection by design and default. The Guidelines point out that the recommendations may also be useful to them when creating their services and products to ensure GDPR compliance, and highlight their position to identify potential risks in the use of a system or service. This will also help enable controllers to fulfill their obligations when using the services and products. In addition, controllers are required to process personal data only using systems and technologies with built-in data protection.

Article 25 requires the controller to implement adequate technical and organizational measures designed to implement the data protection principles (Article 5) and integrate the necessary safeguards into the processing of personal data. These measures are to guarantee efficient protection of data protection principles, and the rights and freedoms of the data subjects. The controller must be able to demonstrate the efficiency of these guarantees.

The Guidelines explain two specific criteria the controller must take into account to ensure data protection by design. The first, “state of the art”, is explained as requiring controllers to stay informed of technological progress to make sure that the effective implementation of data protection principles is a continuous process. For the second criterion, “cost of implementation”, it is required that the controller account for the cost and resources needed for the effective implementation and continued maintenance of data protection principles. There are also other elements controllers need to consider. These are listed as nature, scope, context and purpose of the processing, and the risk of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.

The Guidelines can be found on the EDPB web site at this address:



Data Protection by Design and by Default

The obligation to implement mechanisms to ensure data protection by design and by default is to ensure proper safeguarding of personal data as a standard for all services or solutions processing personal data.

The core obligation of Article 25 is the effective implementation of the data protection principles and data subjects’ rights and freedoms by design and by default.

The services and solutions that process personal data are required to be designed in a way that ensures efficient protection of data protection principles, and the rights and freedoms of the data subjects.

Data Protection by Design entails that privacy policies are considered in all stages of the processing operations. This includes the phase of designing the systems and services, determining the means of processing, as well as at the time of processing. The requirement for controllers to implement safeguards applies at the time of determining the means of processing. During processing, the controller has a continued obligation to ensure data protection by design and default. The controller therefore has to carry out a continuous review of the efficiency of the safeguards. This is also because the elements mentioned above, such as scope and context of the processing operations, are subject to change. Controllers must also be able to demonstrate that the assessments have been made for all parts of the process.

Data Protection by Default refers to “default” as a pre-existing value or setting, used in software, programs or devices. In the context of Article 25 this refers to choices the controller makes for pre-existing configuration values or processing options. These settings can adjust the amount of personal data collected, the extent of processing, period of storage and accessibility. Data protection by default is especially important regarding the purpose of processing. The controller must assess which personal data is necessary for the purpose of processing, so that as a default only that amount of personal data is processed. The amount refers to quantitative and qualitative considerations, including volume of data, types, categories and detail of the personal data required. 


Article provided by: Øystein Flagstad, GjessingReimers

