PRIVACY BY DESIGN & PRIVACY BY DEFAULT: NEW EDPB GUIDELINES UNDER CONSULTATION

DATA PROTECTION BY DESIGN AND BY DEFAULT: NEW GUIDELINES FROM THE EUROPEAN DATA PROTECTION BOARD

The European Data Protection Board (EDPB) published the Guidelines 4/2019 on Article 25 Data protection by design and by default (DPbDD).

The EDPB emphasizes the need to implement the GDPR obligations when designing processing operations. Technology providers should therefore design solutions that embed data protection into the processing at all stages.

PRIVACY BY DESIGN?

What are the EDPB recommendations?

The European Data Protection Board recommends taking into account the following points:

• Controllers should think of DPbDD from the initial stages of planning a processing operation, even before the time of determination of the means of processing.

• A processing operation may be certified for DPbDD. Such a certification may provide an added value to a controller when choosing between different processing systems from technology providers. A certification seal may also guide data subjects in their choice between different goods and services, such as applications, software, systems, Internet of Things, including wearables and implants. Having a DPbDD-seal can therefore serve as a competitive advantage for both technology providers and controllers, and may even enhance data subjects’ trust in the processing of their personal data.

• Technology providers should seek to support controllers in complying with DPbDD. Controllers, on the other hand, should not choose providers who do not propose systems enabling the controller to comply with Article 25, because controllers will be held accountable for the lack of implementation thereof.

• Technology providers should play an active role in ensuring that the criteria for the “state of the art” are met, and notify controllers of any changes to the “state of the art” that may affect the effectiveness of the measures they have in place. Controllers should include this requirement as a contractual clause to make sure they are kept up to date.

• Controllers should take into account the cost element when choosing a provider or planning a technology or organisational practice or solution, and take into account the potential cost of monetary fines as a result of non-compliance with the GDPR.

• Controllers should always seek to effectively mitigate risk when observing data protection by design within the nature, scope and context of their processing operations, including when accounting for the related cost and state of the art of their chosen technical and organisational measures and safeguards.

• The EDPB encourages technology providers to take the opportunity to use DPbDD as a competitive advantage in the market.

• The EDPB recommends that controllers require technology providers to demonstrate accountability on how they have complied with DPbDD, for example by using key performance indicators to demonstrate the effectiveness of the measures and safeguards at implementing the principles.

• The EDPB emphasizes the need for a harmonized approach to implement principles in an effective manner and encourages associations or bodies preparing codes of conduct in accordance with Article 40 to also incorporate DPbDD.

• Controllers should be fair to data subjects and transparent on how they assess and demonstrate effective DPbDD implementation, in the same manner as controllers demonstrate compliance with the GDPR under the principle of accountability.

The aforementioned guidelines are open for public comment until January 16th. These principles must be carefully taken into account by controllers when implementing new processing of personal data.

// Aseptio