Data protection by design and by default are new principles defined in Article 25 of the new data protection regulation (GDPR). Even though they are now explicitly referred to in the GDPR, they are a consequence of applying the other data protection principles and were already implied by the data protection directive 95/46/EC.
Who is concerned by data protection by design and by default?
The data protection by design and by default principles concern both data controllers and producers of products and services that use personal data. Under these principles, they should take the data protection principles into account when designing new products and services or implementing new data processing activities.
However, the GDPR has limited the obligation of producers, who are only encouraged to take privacy principles into account when designing their products and services. Therefore the principles are actually applicable to data controllers only (see recital 78).
What is it about?
The data protection by design principle explicitly requires that data controllers implement appropriate technical and organisational measures designed to implement the data protection principles in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR.
These measures must be implemented both at the time of the determination of the means of processing and at the time of the processing itself.
For example, such a measure can be pseudonymisation, used to implement the data minimisation principle (for more details see the privacy principles article here).
The data protection by default principle is more limited in scope: it requires the implementation of technical and organisational measures ensuring that only the personal data necessary for each specific purpose of the processing are processed (i.e. ensuring that the data processed are proportionate to each purpose of the processing).
This principle applies to the amount of data used for each purpose, the extent of their use, their retention period and their accessibility (i.e. access management).
The difference between the data protection by design and by default principles is unclear. Both principles aim at implementing organisational and technical measures, and privacy by default seems to be a subset of the privacy by design principle, as the former concerns specific data protection principles while the latter covers all of them.
However, the data protection by design principle applies at the outset, while data protection by default may be a consequence of the decisions taken when the data processing activities were designed and implemented.
In practice, distinguishing between the two principles is not really relevant when it comes to ensuring compliance with the GDPR.
Implementing these two principles means that a data controller must put in place organisational and technical measures ensuring that its data processing activities comply with the data protection principles from the outset until the end of the processing.
As part of its compliance programme, a data controller should therefore draft the internal policies needed to prove that:
- Privacy principles are taken into consideration from the outset of each data processing activity;
- Both technical and organisational measures are implemented.
It should also keep a record of the decisions taken for each data processing activity in terms of purposes, amount of data processed, data retention period, etc. (see here for more details about the register) and carry out a data protection impact assessment where necessary, in order to keep a history of the measures taken for a specific data processing activity (see here for more details).