Data Protection by design and by default are principles defined in article 25 of the General Data Protection Regulation (GDPR).
Data protection by design requires the controller to take technical and organisational measures to implement the data protection principles effectively and to integrate adequate safeguards to protect the rights and freedoms of data subjects.
Data protection by default requires that, by default, appropriate technical and organisational measures be implemented to ensure that only personal data that are necessary for each purpose of the processing are processed.
These two principles, because of their complex wording, are difficult to grasp and should be read together with other GDPR provisions, such as Article 5 on the data protection principles and Article 24 on the controller's obligation to be able to demonstrate compliance with the GDPR.
Only controllers must comply with the data protection by design and by default requirements (section 1), which we try to clarify in sections 2 and 3.
NB: We have updated this article following the release of the draft EDPB guidelines in order to reflect the authorities’ position and provide more details. However, these guidelines are currently open to public consultation and will, therefore, be amended in a few months. We will update this article again when the final guidelines are adopted.
1. Who is concerned by the data protection by design and by default requirements?
The data protection by design and by default principles apply only to controllers of personal data.
However, producers of products and services using personal data are encouraged to apply these principles when designing or updating their products (recital 78 of the GDPR).
Processors, though not directly concerned, should also take data protection by design and by default into account as they must follow controllers’ instructions stemming from the application of these principles (i.e. controllers may regularly review and assess their processor’s processing operations).
2. What is Data Protection by Design?
Data protection by design requires controllers, both at the time of the determination of the means of processing and during the processing itself, to implement technical and organisational measures designed to implement the data protection principles and ensure the protection of rights and freedoms of data subjects.
It is, therefore, essential for controllers to understand when it applies (2.1.), its purposes (2.2.), the concept of technical and organisational measures and necessary safeguards (2.3.), how to determine them (2.4.) and how to demonstrate their effectiveness (2.5.).
2.1. When does Data Protection by Design apply?
Data protection by design is a continuous obligation that must be implemented:
- At the time of determination of the means of processing: this is when the controller is in the process of making decisions about the means to be used to process the personal data (e.g. the architecture, procedures, protocols, layout and appearance); and
- During the processing itself: in practice, the controller must carry out regular reviews and assessments of the effectiveness of the chosen measures and safeguards.
According to the EDPB, controllers must be able to demonstrate that they have carried out these assessments for all the means of processing. However, this requirement seems to be excessive and beyond the requirements applicable to high-risk processing activities. Therefore, the EDPB should clarify its position on this point.
2.2. What are the purposes of data protection by design?
Data protection by design aims to:
- implement the data protection principles as laid down in article 5 GDPR (you can find an overview here); and
- protect the rights and freedoms of data subjects as laid down in articles 12 to 22 GDPR (right of access, etc.) (more details here), in recital 4 GDPR and in the EU Charter of Fundamental Rights (e.g. the respect for private and family life, home and communications, the protection of personal data, freedom of thought, conscience and religion, freedom of expression and information, freedom to conduct business, the right to an effective remedy and a fair trial, and cultural, religious and linguistic diversity…).
2.3. What are the technical or organisational measures and safeguards to implement?
To achieve the purposes set out above, controllers must implement technical and/or organisational measures and safeguards.
The EDPB expects these measures and safeguards to be robust and designed to scale up to an increase in the risk of non-compliance with the principles.
Technical or organisational measures
There is no requirement regarding the sophistication of these measures as long as they are appropriate for implementing the data protection principles effectively.
It can be anything from the use of advanced technical solutions to the basic training of personnel, for example on how to handle customers’ data or pseudonymisation in order to implement data minimisation.
Safeguards are not clearly defined by either the authorities or the GDPR, and they may be confused with technical or organisational measures.
Examples of safeguards are pseudonymisation, enabling data subjects to intervene in the processing, providing automatic and repeated information about what personal data is being stored, having a retention reminder in a data repository, or implementing a malware detection system on a computer network or storage system in addition to training employees about phishing and basic “cyber hygiene”.
2.4. How to determine the adequate measures and safeguards
To determine the appropriate measures and safeguards defined above, the controller must take into consideration the state of the art and the cost of implementation, and carry out a risk assessment taking into consideration the nature, scope, context and purposes of the processing.
When performing the risk analysis, the controller has to identify the risks and determine their likelihood and severity (as required for the performance of a data protection impact assessment; see here for more details about DPIA).
The risk assessment criteria are: (i) the assets to protect (i.e. the individuals, via the protection of their personal data); (ii) the risks to individuals’ rights and freedoms to protect against; and (iii) the nature, scope, context and purposes of the processing to take into account.
Taking into consideration the nature, scope, context and purpose of processing …
- The nature of processing can be understood as the inherent characteristics of the processing.
- The scope refers to the size and range of the processing.
- The context relates to the circumstances of the processing, which may influence the expectations of the data subject.
- The purpose is the aims of the processing.
…the state of the art…
Controllers, when determining the appropriate technical and organisational measures, must take account of the current progress in technology that is available in the market. It concerns technical and organisational measures.
Failing to keep up-to-date with technological changes could result in a lack of compliance with Article 25.
…and the cost of implementation
Cost refers to resources in general, including time and human resources.
The controller must manage the costs to be able to effectively implement all of the principles. Incapacity to bear the costs will not be considered as an excuse for non-compliance with the GDPR.
However, the position of the EDPB on this point remains unclear and we believe that if the GDPR refers to the cost of implementation, it is to ensure the controllers are not required to implement excessively expensive or disproportionate measures to protect personal data. It should not add a new obligation on controllers to monitor the cost of implementation.
2.5. How to demonstrate their effectiveness?
Controllers must be able to demonstrate the effectiveness of the measures implemented by either:
- providing the rationale behind their assessment of the effectiveness of the chosen measures; or
- where appropriate, setting up key performance indicators to demonstrate compliance.
These indicators may be quantitative metrics such as level of risk, reduction of complaints or response time, or qualitative metrics such as evaluation of performance, expert assessments or use of grading scales.
3. What is Data Protection by Default?
Data protection by default requires controllers to implement appropriate technical and organisational measures to ensure that, by default, only personal data necessary for each purpose are processed.
It concerns the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
3.1. When does Data Protection by Default apply?
As with data protection by design, data protection by default is a continuous obligation that applies from the determination of the means onward.
3.2. What are the technical and organisational measures to be set “by default”?
The term “measures” has the same meaning as with data protection by design except that it applies specifically to the principle of data minimisation.
According to the EDPB, “data protection by default”, and more particularly the technical measures, refers to the choices made by a controller regarding any pre-existing configuration value or processing option that is assigned in a software application, computer program or device. Such choice should, in particular, adjust the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.
Organisational measures should be designed to process, at the outset, only the minimum amount of personal data necessary for the specific operations.
Such measures should minimise the processing of personal data out of the box and limit access to personal data to the relevant persons; the EDPB also considers that information security should always be set by default for all systems, transfer solutions and options.
3.3. The EDPB expectations
For the EDPB, data protection by default focuses mainly on data minimisation, retention period and access control.
The measures must, by default, be appropriate to ensure that only personal data necessary for each specific purpose of the processing are being processed. In this respect, controllers must consider the volume of personal data, the types, categories and level of detail (the “amount of personal data”) and ensure that processing operations are limited to what is necessary.
If personal data is no longer needed after its first processing, it must, by default, be deleted or anonymized. Controllers must be able to objectively justify any retention.
The controller must, by default, limit accessibility and ensure that access to personal data is limited to authorised persons based on an assessment of necessity. Data must, however, be accessible to those who need it when necessary, for example in critical situations.
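As an added illustration (not code from the article or from the EDPB guidelines), the following Python sketch encodes the four dimensions discussed above as defaults: each purpose declares the minimum fields it needs (amount of data), optional uses are off until opted in (extent of processing), records are deleted once their purpose-specific retention period elapses (period of storage), and only the roles listed for a purpose may read the data (accessibility). The purpose register, field names, roles and dates are constructed for the example.

```python
from dataclasses import dataclass, field
from datetime import date, timedelta

# Constructed purpose register (assumed, not from the article): for each purpose,
# the minimum fields it needs, how long the data may be kept, and who may read it.
PURPOSES = {
    "order_fulfilment": {"fields": {"name", "address"}, "retention_days": 30, "roles": {"logistics"}},
    "newsletter": {"fields": {"email"}, "retention_days": 365, "roles": {"marketing"}},
}

@dataclass
class Settings:
    # Extent of processing: optional uses are off unless the data subject opts in.
    profiling: bool = False
    partner_sharing: bool = False

@dataclass
class Record:
    data: dict
    purpose: str
    created: date
    settings: Settings = field(default_factory=Settings)

def collect(raw: dict, purpose: str, created_on: str) -> Record:
    """Amount of data: keep only the fields the declared purpose needs; the rest is never stored."""
    needed = PURPOSES[purpose]["fields"]
    return Record({k: v for k, v in raw.items() if k in needed}, purpose, date.fromisoformat(created_on))

def may_process(record: Record, use: str) -> bool:
    """Extent of processing: the declared purpose is always allowed; any other use needs an opt-in."""
    return use == record.purpose or bool(getattr(record.settings, use, False))

def read(record: Record, role: str) -> dict:
    """Accessibility: only the roles listed for the purpose may read the data."""
    if role not in PURPOSES[record.purpose]["roles"]:
        raise PermissionError(f"role {role!r} may not read data held for {record.purpose!r}")
    return dict(record.data)

def apply_retention(records: list, today_str: str) -> list:
    """Period of storage: drop records whose purpose-specific retention period has elapsed."""
    today = date.fromisoformat(today_str)
    return [r for r in records
            if today - r.created < timedelta(days=PURPOSES[r.purpose]["retention_days"])]
```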
If the processing requires publishing or otherwise making available personal data to an indefinite number of natural persons, the controller should consult the data subjects beforehand and where necessary, obtain their consent.
Controllers should draft and implement the necessary internal policies and procedures to ensure and demonstrate that:
- data protection principles are taken into consideration at all stages of any data processing activity, in particular at the outset thereof;
- technical and organisational measures and safeguards to ensure compliance of their processing activities with the data protection principles are determined and implemented;
- data subjects may easily enforce their rights and get control over their data.
Controllers should also document their decisions and/or set up key indicators to show the effectiveness of the measures implemented. They may also consider certification.