Data protection by design and by default are principles defined in article 25 of the General Data Protection Regulation (GDPR).
Data protection by design requires the controller to take technical and organisational measures to implement the data protection principles in an effective manner and to integrate adequate safeguards to protect the rights and freedoms of data subjects.
Data protection by default requires that, by default, appropriate technical and organisational measures be implemented to ensure that only personal data that are necessary for each purpose of processing are processed.
These two principles, by their very general and complex wording, are difficult to grasp and should be read together with other provisions of the GDPR, in particular but not limited to, article 5 relating to the data protection principles and article 24 relating to the obligation for controllers to be able to demonstrate compliance with the GDPR.
Compliance with data protection by design and by default is a legal requirement for controllers only, though producers and processors may indirectly be concerned (1). We need to enter into the details of data protection by design (2) to understand data protection by default (3), which supplements it.
NB: We have updated this article following the release of the draft EDPB guidelines in order to reflect the authorities’ position and provide more details. However, these guidelines are currently open to public consultation and will therefore be amended in a few months. We will update this article again once the final guidelines are adopted.
1. Who is concerned by data protection by design and by default?
Data protection by design and by default principles concern controllers of personal data.
However, producers of products and services using personal data are encouraged to apply these principles when designing or updating their products (recital 78 of the GDPR).
Processors, though not directly concerned, should also take data protection by design and by default into account, as controllers may provide instructions stemming from the application of these principles (e.g. controllers may regularly review and assess their processor’s processing operations). Besides, it may become a commercial advantage for processors to be able to commercialise GDPR-compliant products and services.
2. What is Data Protection by Design?
As stated above, data protection by design requires controllers, both at the time of the determination of the means of processing and during the processing itself, to implement technical and organisational measures designed to implement the data protection principles and to protect the rights and freedoms of data subjects.
It is therefore essential for controllers to understand when it applies (2.1.), its purposes (2.2.), the concept of technical and organisational measures and necessary safeguards (2.3.), how to determine them (2.4.) and how to demonstrate their effectiveness (2.5.).
2.1. When does Data Protection by Design apply?
Data protection by design is a continuous obligation that must be implemented:
– At the time of determination of the means for processing, i.e. when the controller is in the process of making decisions about the means to be used to process the personal data (e.g. the architecture, procedures, protocols, layout and appearance); and
– During the processing itself: in practice, the controller must carry out regular reviews and assessments of the effectiveness of the chosen measures and safeguards.
According to the EDPB, controllers must be able to demonstrate that such assessments have been made for all of the means that are part of the processing. However, this requirement seems excessive and goes beyond the requirements applicable to high-risk processing. Further clarification should therefore be provided by the EDPB on this point.
2.2. For what purposes?
Data protection by design aims to:
– implement the data protection principles (e.g. purpose limitation, data minimisation, etc.) laid down in article 5 of the GDPR (you can find an overview here); and
– protect the rights and freedoms of data subjects: the rights are laid down in articles 12 to 22 of the GDPR (right of access, etc.) (more details here). The freedoms of data subjects are set out in recital 4 of the GDPR and the EU Charter of Fundamental Rights. They include, in particular, respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct a business, the right to an effective remedy and to a fair trial, and cultural, religious and linguistic diversity.
2.3. What are the technical or organisational measures and safeguards to be implemented?
In order to achieve the purposes set out above, controllers must implement technical or organisational measures and safeguards.
The EDPB considers that the adopted measures and safeguards should be designed to be robust and to scale up to any increase in the risk of non-compliance with the principles.
Technical or organisational measures
These can be anything from the use of advanced technical solutions to the basic training of personnel, for example on how to handle customer data. There is no requirement as to the sophistication of a measure as long as it is appropriate for implementing the data protection principles effectively. For example, pseudonymisation can be used as a measure to implement data minimisation.
Safeguards
Safeguards were not clearly defined, either by the authorities or by the GDPR, and may be confused with technical or organisational measures.
Examples of safeguards are pseudonymisation, enabling data subjects to intervene in the processing, providing automatic and repeated information about what personal data is being stored, having a retention reminder in a data repository, or implementing a malware detection system on a computer network or storage system in addition to training employees about phishing and basic “cyber hygiene”.
2.4. How to determine the adequate measures and safeguards
The controller must take into consideration the state of the art and the cost of implementation, and carry out a risk assessment taking into consideration the nature, scope, context and purposes of processing, in order to determine the appropriate measures and safeguards as defined above.
When performing the risk analysis for compliance with article 25 (and also article 24), the controller has to identify the risks and determine their likelihood and severity (as required for the performance of a data protection impact assessment; see here for more details about DPIAs).
The risk and assessment criteria are: (i) the assets: the individuals, via the protection of their personal data, (ii) the risks to individuals’ rights and freedoms, and (iii) the nature, scope, context and purposes of processing.
Taking into consideration the nature, scope, context and purpose of processing…
- The nature of processing can be understood as the inherent characteristics of the processing.
- The scope refers to the size and range of the processing.
- The context relates to the circumstances of the processing, which may influence the expectations of the data subject.
- The purpose is the aims of the processing.
State of the art…
Controllers, when determining the appropriate technical and organisational measures, must take account of the current progress in technology that is available on the market. This applies to both technical and organisational measures.
Failing to keep up to date with technological changes could result in a lack of compliance with article 25.
…and the cost of implementation.
Cost refers to resources in general, including time and human resources.
The controller must manage the costs so as to be able to effectively implement all of the principles. Incapacity to bear the costs will not be considered an excuse for non-compliance with the GDPR.
However, the position of the EDPB on this point remains unclear. We are of the opinion that if the GDPR refers to the cost of implementation, it is to ensure that the cost of implementation is taken into account when choosing the measures to be implemented and, in particular, to prevent the authorities from requiring controllers to implement very expensive solutions where other alternatives exist. It should not add a new obligation on controllers to monitor the cost of implementation.
2.5. How to demonstrate their effectiveness?
Controllers must be able to demonstrate the effectiveness of the measures implemented.
To do so, controllers may either:
- provide the rationale behind their assessment of the effectiveness of the chosen measures; or
- where appropriate, set up key performance indicators to demonstrate compliance.
These indicators may be quantitative metrics, such as level of risk, reduction of complaints or response time, or qualitative metrics, such as evaluation of performance, expert assessments or the use of grading scales.
3. What is Data Protection by Default?
Data protection by default requires controllers to implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each specific purpose are processed.
It concerns the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
As with data protection by design, data protection by default is a continuous obligation that applies from the determination of the means onward.
3.2. What are the Technical and organisational measures to be set “by default”?
The term “measure” should be understood in the same way as with data protection by design, but applied specifically to the principle of data minimisation.
According to the EDPB, “data protection by default”, and more particularly the technical measures, refers to the choices made by a controller regarding any pre-existing configuration value or processing option that is assigned in a software application, computer program or device. Such choice should, in particular, adjust the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
Organisational measures should be designed to process, at the outset, only the minimum amount of personal data necessary for the specific operations.
Such measures should minimise the processing of personal data out of the box and limit access to personal data to the relevant persons; the EDPB considers that information security should always be a default for all systems, transfer solutions and options.
3.3. EDPB expectations in practice
Data protection by default focuses mainly on data minimisation, retention period and access control.
The measures must, by default, be appropriate to ensure that only personal data which are necessary for each specific purpose of processing are being processed. In this regard, controllers must consider the volume of personal data, the types, categories and level of detail (“amount of personal data”) and ensure that processing operations are limited to what is necessary.
If personal data are no longer needed after their first processing, they must, by default, be deleted or anonymised. Controllers must be able to objectively justify any retention.
The controller must, by default, limit accessibility and ensure that access to personal data is limited to authorised persons based on an assessment of necessity. Data must, however, be accessible to those who need them when necessary, for example in critical situations.
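The three defaults just described (amount of data, retention period, accessibility) can be expressed as code defaults in a data-handling layer. The following is an added example, not from the article or the EDPB guidelines; the purpose registry, retention periods, roles and the hypothetical support-ticket service are assumptions made for illustration.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone
from typing import Optional

# Assumed purpose registry for a hypothetical support service: each purpose
# names only the fields necessary for it. Fields not listed are never stored.
PURPOSE_FIELDS = {
    "support_ticket": {"ticket_id", "email", "issue"},
    "service_statistics": {"ticket_id", "issue"},
}
# Assumed retention period per purpose; after it, data are anonymised or deleted.
RETENTION = {"support_ticket": timedelta(days=90),
             "service_statistics": timedelta(days=365)}
# Assumed necessity-based access: a role may read data only for purposes it needs.
ROLE_PURPOSES = {"support_agent": {"support_ticket"}, "analyst": {"service_statistics"}}
# Fields that identify the data subject (removed when a record is anonymised).
IDENTIFYING = {"email"}
# Constructed reference timestamp used by the examples below.
T0 = datetime(2024, 1, 1, tzinfo=timezone.utc)

@dataclass
class Record:
    purpose: str
    data: dict
    created: datetime

def minimise(raw: dict, purpose: str, now: datetime) -> Record:
    """Amount of data by default: keep only the fields necessary for the declared purpose."""
    if purpose not in PURPOSE_FIELDS:
        raise ValueError(f"undeclared purpose: {purpose}")
    return Record(purpose, {k: v for k, v in raw.items() if k in PURPOSE_FIELDS[purpose]}, now)

def apply_retention(rec: Record, now: datetime) -> Optional[Record]:
    """Retention by default: once the period has elapsed, strip identifying fields;
    delete the record (return None) if nothing non-identifying is left."""
    if now - rec.created < RETENTION[rec.purpose]:
        return rec
    anonymised = {k: v for k, v in rec.data.items() if k not in IDENTIFYING}
    return Record(rec.purpose, anonymised, rec.created) if anonymised else None

def can_access(purpose: str, role: str) -> bool:
    """Accessibility by default: deny unless the role has a declared need for the purpose."""
    return purpose in ROLE_PURPOSES.get(role, set())

def access(rec: Record, role: str) -> dict:
    if not can_access(rec.purpose, role):
        raise PermissionError(f"role {role!r} has no need for purpose {rec.purpose!r}")
    return dict(rec.data)
```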
If the processing requires publishing or otherwise making available personal data about the data subject to an indefinite number of natural persons, the controller should consult the data subject beforehand and where necessary, obtain their consent.
Controllers should draft and implement the necessary internal policies and procedures in order to ensure and demonstrate that:
- Data protection principles are taken into consideration at all stages of any data processing activity, in particular at the outset thereof;
- Technical and organisational measures and safeguards are determined and implemented for each processing activity to ensure compliance with the data protection principles;
- Data subjects may easily enforce their rights and obtain control over their data.
Controllers should also document the decisions made (including the rationale behind the choices made) and/or set up key indicators to show the effectiveness of the measures implemented. They may also consider certification.