EDPS Opinion: Data Protection by Design and Default
25 November 2016
Data protection by design and default are concepts that put data protection at the centre of an organisation's information processes. The intention of these principles is that organisations develop and implement data processing structures which, by their nature, protect personal data. In other words, the aim is to plan for data protection from the ground up rather than bolt it on afterwards.
These principles are explicitly set out in Article 25 of the General Data Protection Regulation ("GDPR"), which will apply from 25 May 2018. A recent opinion on big data, published by the European Data Protection Supervisor (the "EDPS Opinion"), has provided some additional insight on these principles. We examine these concepts and what they might mean for data controllers.
What is data protection by design?
Data protection by design is the notion that the means and purposes of personal data processing are designed, from the beginning, with data protection in mind. Although this principle may already be familiar under the name 'privacy by design', Article 25 places data protection by design on a statutory footing for the first time.
The principle requires organisations to implement both technical and organisational measures that safeguard the privacy of individuals. Organisations should bear this in mind at all stages of their product or service life-cycles, both when deciding how processing will be carried out and during the processing itself. Article 25 names data minimisation as an example of the data protection principles to be built in, and pseudonymisation as an example of a technical measure that can achieve this. Organisational measures that support data protection by design include staff training, audits and policy reviews in the context of data protection. In summary, organisations should consider the data protection implications of a given processing activity at the design stage, rather than merely at the time of collection or processing.
What is data protection by default?
Data protection by default requires organisations to apply the most privacy-protective settings to a product or service from the moment it is made available, without the user having to change anything.
Article 25 will require organisations to implement measures ensuring that, by default, only the personal data necessary for each specific purpose of the processing are collected and processed. This obligation covers the amount of personal data collected, the extent of their processing, how long they are kept and how accessible they are; in particular, personal data should not by default be made accessible to an indefinite number of people without the individual's intervention. Under this provision, a data subject should be protected by the strictest privacy settings while still being able to receive or use the product or service.
Understanding what to take into account
Organisations seeking to implement data protection by design must weigh a number of factors in order to determine the extent of the measures to be employed. For a given data processing activity, Article 25 directs data controllers to take into account:
- the state of the art and the technology available;
- the cost of implementing the measures;
- the nature, scope, context and purposes of the data processing; and
- the risks to the rights and freedoms of individuals, including their likelihood and severity.
How these factors balance out will vary with the facts and circumstances. The obligations to maintain data protection by design and default are therefore context-dependent and proportionate to each organisation and its corresponding data processing activities.
Accountability and proportionality
Data controllers will also be responsible for being able to demonstrate their compliance with these obligations, in line with the GDPR's accountability principle.
The EDPS Opinion notes that these principles of accountability may be “scalable” in circumstances that justify it. The result is that certain organisations may be subject to greater scrutiny around their data protection obligations than others, depending on their size, dominance or processing activities.
According to the EDPS Opinion, the accountability obligations may be greater where the organisation is responsible for processing personal data that pose a greater risk to individuals. In such cases, the organisation may be required to implement more stringent measures to protect the relevant data. The technical and organisational measures are not one-size-fits-all.
Given their introduction into law under the GDPR, data protection by design and default should be borne in mind by all organisations that act as data controllers. A review of policies and data processing practices, both new and existing, may be necessary. Introducing and practising data protection by design may also involve integrating other aspects of the GDPR, including carrying out data protection impact assessments, appointing a data protection officer and maintaining records of processing activities. Given the provisions of the GDPR, the obligations and responsibilities placed on organisations in the area of data protection are only set to increase.