The European Data Protection Board (EDPB) has adopted draft guidelines on data protection by design and by default under Article 25 GDPR.
Did you struggle over whether settings should be on or off by default when you created your company's app? Are you regularly tempted to gather more data than necessary from your customers? These are all issues of data protection by design and by default. The EDPB has published its guidelines to help data controllers properly implement data protection by design and by default when processing personal data.
What does ‘data protection by design’ mean?
Article 25 (1) GDPR states that, taking into account the current progress in technology, “[…] the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.”
This means that data protection by design is ultimately an approach that ensures the controller considers privacy and data protection concerns from the very first phase of designing any system, service, product, app or process, and throughout its lifecycle.
What does ‘data protection by default’ mean?
As covered by Article 25 (2) GDPR, “The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons”.
In a nutshell, data protection by default requires controllers to ensure they only process the data that is necessary to achieve their specific purpose. It links to the fundamental data protection principles of data minimisation and purpose limitation.
What steps should I take?
Data protection by design
The EDPB points out that effectiveness is key, which is why no general measures are imposed on controllers. You may be wondering: how will we know what to do, then? The GDPR defers to data controllers' own discretion: any measure is valid as long as it is suitable to protect these principles. What data controllers need to do, therefore, is ensure that they are able to demonstrate that they have implemented dedicated measures and integrated specific safeguards that are necessary and appropriate to secure the rights and freedoms of data subjects. To achieve this, the EDPB considers it relevant to run a risk analysis taking into account the nature, scope, context and purposes of processing. This risk analysis, and all linked processing operations, should be re-evaluated through regular reviews and assessments.
Based on our experience, Aphaia recommends making sure the DPO is always involved in a timely manner from the very first stage of development, whether for a whole app or system or just a single new feature, because their input helps to greatly reduce undesired issues later on.
Early consideration of data protection by design and by default is crucial for a successful implementation, also from a cost-benefit perspective, as it could be challenging and costly to make changes to plans that have already been made and processing operations that have already been designed.
Data protection by default
The controller is required to predetermine the specified, explicit and legitimate purposes for which the personal data is collected and processed. This obligation applies to the following elements: the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
The main concept to consider when it comes to data protection by default is necessity. All the elements above should be kept to the minimum and limited to what is necessary for each specific purpose.
One should note that failing to implement data protection by default has already triggered several fines under the GDPR. For example, the Berlin Commissioner for Data Protection and Freedom of Information recently issued a fine of around 14.5 million euros against a real estate company for using an archive system to store tenants' personal data that did not provide any possibility of removing data that was no longer necessary. According to the EDPB guidelines: “If personal data is not needed after its first processing, then it shall by default be deleted or anonymized. Any retention should be objectively justifiable and demonstrable by the data controller in an accountable way”.
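The four elements of Article 25(2) (amount collected, extent of processing, storage period, accessibility) and the default deletion rule quoted above can be enforced in code rather than by policy alone. The following Python sketch is an added example, not part of the EDPB guidelines or of Aphaia's material; the purpose register, field names, retention periods and roles are assumptions constructed for illustration.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# Constructed purpose register (an assumption for this example): for each predetermined
# purpose it fixes what Art. 25(2) lists: fields collected, retention, expiry, access.
PURPOSES = {
    "order_fulfilment": {"fields": {"name", "address", "email", "country"},
                         "retention": timedelta(days=180), "access": {"fulfilment"},
                         "on_expiry": "anonymise", "anonymised_fields": {"country"}},
    "newsletter": {"fields": {"email"}, "retention": timedelta(days=365),
                   "on_expiry": "delete", "access": {"marketing"}},
}
Record = namedtuple("Record", "purpose data collected_at anonymised", defaults=[False])

def collect(purpose, submitted, now):
    """Amount collected: refuse undeclared purposes, keep only the necessary fields."""
    if purpose not in PURPOSES:
        raise ValueError(f"purpose not predetermined: {purpose}")
    necessary = PURPOSES[purpose]["fields"]
    return Record(purpose, {k: v for k, v in submitted.items() if k in necessary}, now)

def enforce_retention(records, now):
    """Storage period: expired records are deleted by default, or cut down to the
    purpose's non-identifying fields where the register says 'anonymise'."""
    kept = []
    for r in records:
        spec = PURPOSES[r.purpose]
        if r.anonymised or now - r.collected_at <= spec["retention"]:
            kept.append(r)
        elif spec["on_expiry"] == "anonymise":
            # Field stripping stands in for anonymisation; re-identification risk of what is kept must still be assessed.
            data = {k: v for k, v in r.data.items() if k in spec.get("anonymised_fields", ())}
            kept.append(Record(r.purpose, data, r.collected_at, True))
    return kept

def access(record, role):
    """Accessibility: closed by default; only roles listed for the purpose may read."""
    if role not in PURPOSES[record.purpose]["access"]:
        raise PermissionError(f"role {role!r} may not read {record.purpose} data")
    return record.data

def demo():
    """Constructed walk-through: over-collection trimmed, then two retention sweeps."""
    t0 = datetime(2020, 1, 1)
    order = collect("order_fulfilment", {"name": "Ana", "email": "ana@example.org",
                                         "country": "ES", "shoe_size": 38}, t0)
    news = collect("newsletter", {"email": "ana@example.org", "name": "Ana"}, t0)
    after_200 = enforce_retention([order, news], t0 + timedelta(days=200))
    after_400 = enforce_retention(after_200, t0 + timedelta(days=400))
    return order, news, after_200, after_400
```

The point of the register is accountability: every retained field, retention period and reader role is written down before collection, so the controller can demonstrate why data is kept rather than decide case by case after the fact.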
How can I operationalize data protection by design and by default?
The EDPB guidelines provide examples, sorted by principle, to help controllers put data protection by design and by default into practice. We have summarised them in the following table:
| GDPR principle | Key design and default elements |
| --- | --- |
| Transparency | Clarity, semantics, accessibility, context, relevance, universal design, comprehension, multi-channel |
| Lawfulness | Relevance, differentiation, specific purpose, necessity, autonomy, consent withdrawal, balancing of interest, predetermination, cessation, adjustment, default configuration, allocation of responsibility |
| Fairness | Autonomy, interaction, expectation, non-discrimination, non-exploitation, consumer choice, power balance, respect for the rights and freedoms, ethics, truthfulness, human intervention, fair algorithms |
| Purpose limitation | Predetermination, specificity, purpose orientation, necessity, compatibility, limited further processing, review, technical limitations of reuse |
| Data minimisation | Data avoidance, relevance, necessity, limitation, aggregation, pseudonymisation, anonymisation and deletion, data flow, state of the art |
| Accuracy | Data source, degree of accuracy, measurable accuracy, verification, erasure/rectification, accumulated errors, access, continued accuracy, up to date, data design |
| Storage limitation | Deletion, automation, storage criteria, enforcement of retention policies, effectiveness of anonymisation/deletion, disclose rationale, data flow, backups/logs |
| Integrity and confidentiality | Information security management system, risk analysis, resilience, access management |
Do you need assistance with data protection by design and by default? Aphaia provides both GDPR and Data Protection Act 2018 consultancy services, including data protection impact assessments, and Data Protection Officer outsourcing.