The European Data Protection Board (EDPB) recently published new Guidelines to help businesses comply with their obligation to adopt a Data Protection by Design and by Default (DPbDD) approach when processing personal data.

Article 25 GDPR requires controllers to implement appropriate technical and organisational measures and safeguards that provide effective implementation of the data protection principles, and protect data subjects’ rights, by design and by default. Article 25 prescribes both design and default elements that should be taken into account.

A controller must adopt a DPbDD approach at all stages of developing processing activities, including tenders, outsourcing, development, support, maintenance, testing, storage, deletion, etc. The importance of complying with the DPbDD obligation is underlined by the fact that it is a factor for competent supervisory authorities to consider when determining whether to impose an administrative fine and the level of that fine (Article 83(2)(d)).

Scope

Article 25 GDPR primarily applies to controllers; however, the Guidelines highlight that processors and producers of products, services, and applications are key enablers for DPbDD.

By Design

Article 25(1) requires the controller to implement appropriate technical and organisational measures which are designed to implement the data protection principles in an effective manner, and to integrate the necessary safeguards into the processing in order to protect the rights of data subjects.

The Guidelines clarify that the obligation to implement appropriate “technical and organisational measures” includes anything from advanced technical solutions to basic personnel training and adoption of internal policies. Controllers are not necessarily required to use the latest technology, but should take into account “the state of the art”, meaning they should stay up-to-date with technological progress, and ensure, for example, that they do not use software with known vulnerabilities, or that is out-of-date.

Whilst controllers may take into account the “costs of implementation”, including time and human resources costs, when adopting appropriate technical and organisational measures, such costs are not an excuse for non-compliance with the GDPR.

Data controllers must consider data protection by design as early as possible when planning a new processing operation and implement it before any personal data processing is carried out. In addition, to ensure effective data protection at the time of processing itself, controllers must regularly review the effectiveness of the chosen measures and safeguards while the processing is ongoing.

By Default

Article 25(2) requires the controller to implement appropriate technical and organisational measures to ensure that, by default, only personal data which are necessary for each specific purpose are processed. The data protection by default obligation applies to: the amount of personal data collected; the extent of processing; the period of storage; and the accessibility of personal data stored.

Data protection by default means that the controller must implement default configuration settings in a way that only processing that is strictly necessary to achieve a lawful purpose is carried out. The minimum amount of personal data should be collected, processed, stored and accessed by the controller.

Implementing the Data Protection Principles using Data Protection by Design and by Default

The Guidelines provide practical examples of how to operationalise DPbDD when implementing each of the data protection principles (including transparency, fairness, lawfulness; purpose limitation; accuracy; data minimisation; storage limitation; integrity and confidentiality).

In regard to the principle of lawfulness of processing, which requires controllers to have a legal basis for processing personal data, the EDPB provide the following example:

“A bank plans to improve efficiency in the management of loan applications. The idea behind the service is that the bank, by requesting permission from the customer, can retrieve data directly from public authorities about the customer, such as tax data from the tax authorities. Initially this personal data is necessary to take steps at the request of the data subject prior to entering into a contract (i.e. contractual necessity legal basis). However, this specific way of processing personal data is not necessary for entering into a contract, because a loan may be granted without obtaining data directly from the tax authorities. The customer is able to enter into a contract by providing the information from the tax administration herself. The controller cannot use the “necessary for contract” legal basis for the part of the processing that involves gathering personal data directly from the tax authorities. The bank concludes that this part of the processing must rely on consent.

The bank therefore presents information about the processing on the online application platform in such a manner that makes it easy for data subjects to understand what processing is mandatory and what is optional. The processing options, by default, do not allow retrieval of data directly from other sources than the data subject herself, and the option for direct information retrieval is presented in a manner that does not deter the data subject from abstaining. Any consent given to collect data directly from other controllers is a temporary right of access to a specific set of information. Any given consent is processed electronically in a documentable manner, and data subjects are presented with an easy way of controlling what they have consented to and to withdraw their consent. The controller has assessed these DPbDD requirements beforehand.”

Another example provided by the EDPB is in relation to the principle of data minimisation, which requires controllers to process only the minimum amount of data necessary in relation to the purpose for which it was collected. The EDPB provide the following example:

“A bookshop wants to add to their revenue by selling their books online. The bookshop owner wants to set up a standardised form for the ordering process. To ensure customers fill out all the wanted information the bookshop owner makes all of the fields in the form mandatory (if you don’t fill out all the fields the customer can’t place the order). The webshop owner initially uses a standard contact form, which asks information including the customer’s date of birth, phone number and home address. However, not all the fields in the form are necessary for the purpose of buying and delivering the books. In this particular case, if the data subject pays for the product up front, the data subject’s date of birth and phone number are not necessary for the purchase of the product. This means that these cannot be required fields in the web form to order the product, unless the controller can clearly demonstrate that it is otherwise necessary, and why the fields are necessary. Moreover, there are situations where an address will not be necessary. For example, when ordering an eBook the customer can download the product directly to their device. The webshop owner therefore decides to make two web forms: one for ordering books, with a field for the customer’s address and one web form for ordering eBooks without a field for the customer’s address.”
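The bookshop example above can be turned into a concrete "by default" control: the order form derives its required fields from the purpose (product type and payment method) and discards anything submitted beyond that, so unnecessary data is never stored. This is an added illustration, not code from the Guidelines; the field names and the assumption that only later-paid (invoice) orders justify collecting date of birth and phone number are hypothetical.

```python
from dataclasses import dataclass

# Fields needed for each purpose (constructed, hypothetical schema).
BASE_FIELDS = {"name", "email"}                # needed to confirm any order
DELIVERY_FIELDS = {"postal_address"}           # physical books only; eBooks are downloaded
LATER_PAYMENT_FIELDS = {"date_of_birth", "phone"}  # assumed justification: invoice orders only


@dataclass
class OrderForm:
    """Fields the form requires; nothing outside this set is accepted by default."""
    required: frozenset


def form_for(product_type: str, payment: str) -> OrderForm:
    """Derive the minimal field set from the purpose of the processing."""
    if product_type not in ("book", "ebook"):
        raise ValueError(f"unknown product type: {product_type}")
    if payment not in ("prepaid", "invoice"):
        raise ValueError(f"unknown payment method: {payment}")

    fields = set(BASE_FIELDS)
    if product_type == "book":
        fields |= DELIVERY_FIELDS        # address is only necessary for physical delivery
    if payment == "invoice":
        fields |= LATER_PAYMENT_FIELDS   # assumed: needed only when payment is not up front
    return OrderForm(required=frozenset(fields))


def validate_order(form: OrderForm, submitted: dict) -> tuple[dict, list]:
    """Reject incomplete orders; drop (never store) fields the purpose does not need.

    Returns (data_to_store, dropped_field_names) so the drop can be logged for accountability.
    """
    missing = form.required - submitted.keys()
    if missing:
        raise ValueError(f"missing required fields: {sorted(missing)}")
    stored = {k: v for k, v in submitted.items() if k in form.required}
    dropped = sorted(k for k in submitted if k not in form.required)
    return stored, dropped
```

Note that minimisation is applied at the data model (a form can only ever request the fields its purpose needs), not left to the UI, so a changed front end cannot silently widen the collection.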

Recommendations

The EDPB makes a number of recommendations to facilitate and enhance the adoption of DPbDD, including:

  • Controllers should consider, evaluate and assess data protection at the initial stages of planning a processing operation.
  • Where a controller has a Data Protection Officer (DPO), the EDPB recommend the DPO is actively involved in the planning of new processing operations, as well as in the whole processing lifecycle.
  • Controllers, processors and producers should consider their obligations for providing children under 18 years of age, and other vulnerable groups, with specific protection in complying with DPbDD.
  • Controllers should require producers and processors to demonstrate how their hardware, software, services or systems enable them to comply with the requirements of accountability consistent with DPbDD.
  • Controllers should be fair and transparent to data subjects about how they assess and demonstrate effective DPbDD implementation.