The European Data Protection Board (“EDPB”) recently published new guidelines for data protection by design and by default (Guidelines 4/2019 on Article 25 Data Protection by Design and by Default adopted on 20 October 2020, “the Guidelines”) that address some of the key principles of the European data protection and privacy framework implemented by the European Union General Data Protection Regulation (“GRPR”). The Guidelines provide guidance on the obligation of Data Protection by Design and by Default (“DPbDD”) under Article 25 GDPR that should be used by every organization that processes personal data.
Scope of DPbDD
In short, DPbDD obliges all data controllers to follow its principles regardless of the size of the organization or the complexity of personal data-processing. Therefore, it applies to small businesses and multinational companies alike. The complexity of implementing DPbDD, of course, may vary based on processing operations. It is also important to recall that DPbDD applies to existing systems that process personal data.
Obligations of DPbDD
The Guidelines emphasize that the most fundamental obligation is “the implementation of appropriate measures and necessary safeguards that provide effective implementation of the data protection principles and, consequentially, data subjects’ rights and freedoms by design and by default. Article 25 prescribes both design and default elements that should be taken into account”.
Thus, the controller must understand data protection principles and the data subject’s rights and freedoms in order to properly implement the requirements of DPbDD. Controllers should consider DPbDD early on, in practice as early as possible, when planning a new processing operation. In addition, controllers are obliged to implement DPbDD before any personal data-processing. Further, controllers must maintain and develop reviewing processes for the effectiveness of the chosen measures and safeguards during the time of processing.
Key Elements of DPbDD
In order to implement DPbDD, its key elements must be understood. The Guidelines define the key elements through the principles of data-processing. To summarize, the key elements are (i) transparency, (ii) lawfulness, (iii) fairness, (iv) purpose limitation, (v) data minimization, (vi) accuracy, (vii) storage limitation, (viii) integrity and confidentiality and (ix) accountability.
The new Guidelines make clear that all parties in personal data processing, processors and controllers, are enablers of DPbDD and thus must understand that personal data can be processed only using systems and technologies that provide built-in data protection that implements key data-processing principles.
The Guidelines provide the following recommendations for controllers, processors and producers of data:
1. Controllers: consider, evaluate and assess data protection at the initial stages of planning a processing operation.
2. Controllers: actively involve your Data Protection Officer (DPO), if you have one, in the entire planning and processing lifecycle.
3. Processors and possibly producers: consider certification of processing operations.
4. Controllers, processors and producers: consider possible obligations for providing children under 18 and other vulnerable groups with specific protections compliant with DPbDD.
5. Producers and processors: seek to facilitate DPbDD implementation in order to support the controller’s ability to comply with its obligations.
6. Controllers: choose producers or processors who offer systems enabling or supporting your compliance with the obligations of DPbDD and GDPR in general to manage your risks.
7. Producers and processors: play an active role in ensuring that the criteria for “state of the art” is met and keep the controllers informed of changes in it. Controllers may consider including this requirement in contractual provisions to ensure that they are kept up to date.
8. Controllers: require producers and processors to demonstrate how their hardware, software, services or systems enable you to comply with the requirements of accountability consistent with DPbDD.
9. Controllers: ensure that you are fair to data subjects and transparent on how you assess and demonstrate effective DPbDD implementation.
10. Controllers, producers, processors: note that existing legacy systems are subject to the same DPbDD-obligations as new systems. If legacy systems are not in compliance with DPbDD and changes cannot be made to ensure compliance, then such systems should not be used to process personal data and alternatives should be chosen.
11. It is also important to understand that there is no lower threshold of DPbDD requirements for small and mid-sized organizations.
Finally, the EDPB also emphasizes the need for a harmonized approach for implementing principles and rights in an effective manner and encourages associations or bodies preparing codes of conduct in accordance with Article 40 GDPR to incorporate sector-specific guidance on DPbDD.
For further information on these recent EDPB Guidelines, please see the following link.
Suvi Julin works in Berggren as a Lawyer, Patent Attorney, European Trademark and Design Attorney. Suvi has wide-ranging experience in the field of intellectual property and technology law. Suvi advises clients on a variety of contentious and non-contentious intellectual property matters including trademarks, designs and patents as well as in copyright, contractual, employee invention and privacy matters.