EDPB Data Protection By Design and Default Guidance

The EU’s arbiter on the GDPR explains what it considers data protection by design and by default that complies with the GDPR.

The European Data Protection Board (EDPB or Board) issued “Guidelines 4/2019 on Article 25 Data Protection by Design and by Default Version 2.0,” which is “general guidance on the obligation of Data Protection by Design and by Default (DPbDD) set forth in Article 25 in the [General Data Protection Regulation] GDPR.” The EDPB’s Guidance follows guidance issued by at least three European Union (EU) data protection authorities (DPA) on data protection by design and by default. However, given the resource constrained nature of most EU DPAs, it is not clear how the data processing systems of controllers will be policed to ensure DPbDD. Presumably failings and violations would be turned up during investigations launched on other grounds.

Article 25 requires, in relevant part:

  • [T]he controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
  • The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed.

The EDPB pointed to the data protection and privacy by design guidance released by three EU DPAs:

The EDPB stated:

Data protection by design and data protection by default are complementary concepts, which mutually reinforce each other. Data subjects will benefit more from data protection by default if data protection by design is concurrently implemented – and vice versa.

The Board sought to explain its view on how controllers can meet these obligations under Article 25. The EDPB asserted:

The core obligation is the implementation of appropriate measures and necessary safeguards that provide effective implementation of the data protection principles and, consequentially, data subjects’ rights and freedoms by design and by default. Article 25 prescribes both design and default elements that should be taken into account. (emphasis in the original.)

Again and again throughout the Guidance, the EDPB stresses that “effective implementation” is the key, suggesting that processes and systems that appear compliant on the surface will not necessarily be found compliant should a controller be investigated.

Unlike the American approach to data protection, the size and resources of a controller have no bearing on the compliance obligations with respect to DPbDD. The EDPB stated:

DPbDD is a requirement for all controllers, including small businesses and multinational companies alike. That being the case, the complexity of implementing DPbDD may vary based on the individual processing operation. Regardless of the size however, in all cases, positive benefits for controller and data subject can be achieved by implementing DPbDD.

Moreover, the GDPR’s Article 25 requirements regarding DPbDD apply both to processing yet to be designed and to processing systems that pre-date the GDPR:

The requirement described in Article 25 is for controllers to have data protection designed into the processing of personal data and as a default setting and this applies throughout the processing lifecycle. DPbDD is also a requirement for processing systems pre-existing before the GDPR entered into force. Controllers must have the processing consistently updated in line with the GDPR.

What’s more, the EDPB asserted “[c]ontrollers shall implement DPbDD before processing, and also continually at the time of processing, by regularly reviewing the effectiveness of the chosen measures and safeguards…[and] DPbDD also applies to existing systems that are processing personal data.”

The Board contextualized DPbDD in the GDPR and the EU’s human rights:

  • In line with Article 25(1) the controller shall implement appropriate technical and organisational measures which are designed to implement the data protection principles and to integrate the necessary safeguards into the processing in order to meet the requirements and protect the rights and freedoms of data subjects. Both appropriate measures and necessary safeguards are meant to serve the same purpose of protecting the rights of data subjects and ensuring that the protection of their personal data is built into the processing.
  • The controller should choose and be accountable for implementing default processing settings and options in a way that only processing that is strictly necessary to achieve the set, lawful purpose is carried out by default. Here, controllers should rely on their assessment of the necessity of the processing with regards to the legal grounds of Article 6(1). This means that by default, the controller shall not collect more data than is necessary, they shall not process the data collected more than is necessary for their purposes, nor shall they store the data for longer than necessary. The basic requirement is that data protection is built into the processing by default.

The EDPB explained:

In all stages of design of the processing activities, including procurement, tenders, outsourcing, development, support, maintenance, testing, storage, deletion, etc., the controller should take into account and consider the various elements of DPbDD which will be illustrated by examples in this chapter in the context of implementation of the principles.

The EDPB asserted the Guidance may also be of use to others with responsibilities under the GDPR: “Other actors, such as processors and producers of products, services and applications (henceforth “producers”), who are not directly addressed in Article 25, may also find these Guidelines useful in creating GDPR compliant products and services that enable controllers to fulfil their data protection obligations.” Moreover, a controller will be held accountable for the DPbDD of its processors and sub-processors.

Nonetheless, the Board made recommendations to processors:

  • Although not directly addressed in Article 25, processors and producers are also recognized as key enablers for DPbDD, they should be aware that controllers are required to only process personal data with systems and technologies that have built-in data protection.
  • When processing on behalf of controllers, or providing solutions to controllers, processors and producers should use their expertise to build trust and guide their customers, including SMEs, in designing /procuring solutions that embed data protection into the processing. This means in turn that the design of products and services should facilitate controllers’ needs.

© Michael Kans, Michael Kans Blog and michaelkans.blog, 2019-2020. Unauthorized use and/or duplication of this material without express and written permission from this site’s author and/or owner is strictly prohibited. Excerpts and links may be used, provided that full and clear credit is given to Michael Kans, Michael Kans Blog, and michaelkans.blog with appropriate and specific direction to the original content.

“Privacy” by Afsal CMK is licensed under CC BY 4.0
