Data protection by design and by default are new obligations defined in Article 25 of the new European General Data Protection Regulation (GDPR). These obligations require controllers to implement any necessary technical and organisational measures to ensure their personal data processing activities are compliant with the privacy principles (see privacy principles here).
Who is concerned by data protection by design and by default obligations?
Data protection by design and by default mainly concern controllers of personal data. Under these obligations, they must take the privacy principles into account when implementing new data processing activities.
Though this is not an obligation for them, the GDPR also encourages producers of products and services requiring the use of personal data to take the privacy principles into account when designing their products and services (see recital 78).
What are these new obligations about?
Data protection by design requires controllers to take appropriate technical and organisational measures designed to implement the data protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR.
These measures must be implemented both at the time of the determination of the means of processing and at the time of the processing itself.
For example, one such measure is pseudonymisation, used to implement the data minimisation principle (for more details see privacy principles here).
Data protection by default requires the implementation of technical and organisational measures for ensuring only personal data necessary for each specific purpose of the processing is processed.
This obligation applies to the amount of data collected for each purpose, the extent of its use, its retention period and its accessibility (i.e. management of access).
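To make the two measures just described concrete, here is an added example (not code from the original article or from any regulator) of pseudonymisation with a keyed hash alongside a "by default" record builder that keeps only the fields a stated purpose needs and attaches a deletion date. The purpose catalogue, field names, key and sample record are all constructed for illustration; a real controller would hold the key in a separate secrets store and derive the catalogue from its record of processing activities.

```python
"""Added example: pseudonymisation (data minimisation) and minimal-by-default
record construction with an explicit retention deadline.  All names, purposes
and sample values below are constructed assumptions, not from the article."""
import hmac
import hashlib
from datetime import date, timedelta

# Constructed: in practice the pseudonymisation key lives apart from the
# pseudonymised data (e.g. in a KMS), so that holding the data alone does not
# allow re-identification.
PSEUDONYMISATION_KEY = b"example-key-stored-separately"

# Constructed purpose catalogue: the fields each purpose requires and how long
# records for that purpose are kept.  Anything not listed is never stored.
PURPOSES = {
    "newsletter": {"fields": {"email"}, "retention_days": 365},
    "order_fulfilment": {"fields": {"email", "postal_address"}, "retention_days": 3650},
}

# Fields treated as direct identifiers and therefore pseudonymised before storage.
DIRECT_IDENTIFIERS = {"email"}


def pseudonymise(identifier: str, key: bytes = PSEUDONYMISATION_KEY) -> str:
    """Replace a direct identifier with an HMAC-SHA256 pseudonym.

    A plain SHA-256 of an e-mail address can be reversed by guessing, because
    addresses are low-entropy; the secret key is what turns the digest into a
    pseudonym rather than a fingerprint.  Input is normalised so the same
    person maps to the same pseudonym regardless of letter case.
    """
    normalised = identifier.strip().lower().encode("utf-8")
    return hmac.new(key, normalised, hashlib.sha256).hexdigest()


def minimise(record: dict, purpose: str, today: date) -> dict:
    """Build the record that is stored for `purpose`: only the fields that
    purpose needs, direct identifiers pseudonymised, and a deletion date
    derived from the purpose's retention period (retention by default)."""
    if purpose not in PURPOSES:
        raise ValueError(f"unknown purpose: {purpose!r}")
    spec = PURPOSES[purpose]
    missing = spec["fields"] - record.keys()
    if missing:
        raise ValueError(f"purpose {purpose!r} requires fields {sorted(missing)}")
    stored = {}
    for field in sorted(spec["fields"]):
        value = record[field]
        stored[field] = pseudonymise(value) if field in DIRECT_IDENTIFIERS else value
    stored["purpose"] = purpose
    stored["delete_after"] = (today + timedelta(days=spec["retention_days"])).isoformat()
    return stored


def expired(stored: dict, today: date) -> bool:
    """True once a stored record has passed its retention deadline and is due for erasure."""
    return date.fromisoformat(stored["delete_after"]) < today


def demo() -> dict:
    """Run a constructed sample record through minimise() and report the outcome."""
    raw = {"email": "Alice@Example.org", "postal_address": "1 Sample St", "phone": "+00 000"}
    stored = minimise(raw, "newsletter", date(2024, 1, 1))
    return {
        "stored": stored,
        "expired_mid_2024": expired(stored, date(2024, 6, 1)),
        "expired_2025": expired(stored, date(2025, 1, 1)),
    }


if __name__ == "__main__":
    # phone and postal_address are dropped, email becomes a pseudonym,
    # and delete_after is set one year out.
    print(demo())
```

The point of the catalogue is that the minimal record is the only shape the code can produce: a developer cannot "accidentally" store the phone number for the newsletter purpose, and every record carries the date by which it must be erased, which is what an auditor will ask the controller to demonstrate.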
The difference between data protection by design and by default remains unclear. Both obligations are aimed at implementing organisational and technical measures to ensure compliance with the privacy principles, and it seems the data protection by default obligation stems from the privacy by design one.
The main difference could be that data protection by design is a general obligation whereas data protection by default focuses on the data minimisation and security principles.
In practice, drawing a distinction between these two obligations does not seem relevant, as a controller must be able to demonstrate that its data processing activities are compliant with the data protection principles from the determination of the means until the end of the processing.
As part of their compliance programme, controllers should, therefore, draft the necessary internal policies in order to demonstrate that:
- Privacy principles are taken into consideration from the outset of each new data processing activity;
- Technical and organisational measures are implemented to ensure compliance with the privacy principles.
Controllers should also keep a record of their data processing activities (see here for more details about the register) and carry out a data protection impact assessment where the processing may result in a high risk to the rights and freedoms of individuals (see here for more details).