On 13 November 2019, the European Data Protection Board (“EDPB”) adopted guidelines on the GDPR’s data protection by design and by default principle (“Guidelines”). The Guidelines provide further guidance into the technical and organizational measures and safeguards that data controllers must take into account when designing their processing activities. The EDPB encourages early consideration of data protection by design and by default principles (“DPbDD”) and considers DPbDD to be at the forefront of GDPR compliance. Data controllers, processors and technology providers should consider re-assessing their processing operations and products against the standards put forward in the Guidelines.
DPbDD means that the GDPR’s data protection principles must be designed into and set as a default in processing activities through means of “appropriate measures and safeguards.” Data protection by design measures range from the implementation of advanced technical solutions, to the basic training of personnel and data access restrictions. The measures must be suitable to safeguard the individual’s rights under the GDPR and other fundamental freedoms. Data protection by default refers to the setting of pre-selected values in software, applications or devices that lead to GDPR compliance. Adequate default settings will limit data collection, retention and overall processing to that which is strictly necessary.
Critically, once implemented, data controllers must be able to demonstrate the efficacy of the measures and the specific safeguards that they provide for. For instance, controllers might be able to point to a reduction in response time when handling individual rights requests, a lower number of complaints, or expert assessments that demonstrate efficacy. Controllers may also seek certification of their DPbDD practices pursuant to an approved certification mechanism issued under Art. 42 GDPR. No such certification has been approved so far.
Different Actors Involved
The responsibility for compliance with the DPbDD principles lies with the data controller, but the EDPB recognizes that processors and technology providers play an essential role in facilitating compliance. Controllers will often outsource a given processing activity to a processor (e.g., a cloud service provider) or purchase a product for data processing (e.g., a mobile device that allows the processing of biometric data). These actors are best placed to identify the data protection risks that a particular service or product may involve, and should use their expertise to design products that embed the DPbDD principles. They may, for instance, set the product for an automatic deletion of the data after a certain period of time or implement the immediate pseudonymization of data after collection.
The EDPB recommends that controllers do not engage providers that are unable to offer products allowing the controller to comply with DPbDD, and calls for controllers to contractually bind providers to demonstrate compliance with these principles (e.g., by strictly laying down key performance indicators). This is a strong incentive for product developers and service providers to reconsider their practices and ensure their products meet the Guidelines’ thresholds. If not, they are likely to lose market share to competitors who are able to offer data controllers more comfort around DPbDD. Data controllers may want to revisit their data processing agreements to verify whether these include sufficient safeguards on DPbDD, and consider adding in specific contractual safeguards to their purchase orders with technology providers.
The EDPB welcomes public consultation submissions to the Guidelines until 16 January 2020.