Data protection by design and default (DPDD) is not an entirely new concept. Adopting a 'privacy by design' approach has been recommended by data protection regulators for years. Under the GDPR, however, data protection by design and default is now a legal requirement.
The provisions around DPDD are found in Article 25 GDPR.
The controller must implement appropriate technical and organisational measures (e.g. pseudonymisation) which are designed to implement the data protection principles (such as data minimisation) and to integrate the necessary safeguards into the processing, in order to meet GDPR requirements and protect the rights of data subjects.
This must be done both at the time the means of processing are determined and throughout the processing operation itself.
Controllers should take into account the state of the art, the cost of implementation, the nature, scope, context and purpose of processing, and the risks of varying likelihood and severity for the rights and freedoms of the data subjects.
The controller must implement appropriate technical and organisational measures to ensure that by default, only personal data necessary for each specific processing purpose is processed. This applies to:
In particular, the measures need to ensure that by default, the data is not made accessible to an indefinite number of people without the intervention of the data subject.
The GDPR envisages that adhering to an approved certification mechanism may be a way to demonstrate compliance with DPDD but, to date, no such certification has been approved.
For a concept so fundamental to GDPR compliance, there is relatively little detail provided in the body of the legislation. There is a little more information in Recital 78. Recitals inform application of the GDPR but do not have legal force.
Pseudonymisation is explicitly mentioned in Article 25 as a potentially appropriate DPDD measure, but Recital 78 also suggests the following:
Recital 78 also says that:
That's all the information you get from the GDPR about one of its fundamental principles. In almost every piece of guidance regulators put out, they talk about the importance of DPDD but what does it really involve? The ICO has published guidance on the principle in its GDPR guidance and is planning further guidance on the subject. It has also published its Age Appropriate Design Code of Practice (see our article to learn more) which has cross-over where it applies.
The ICO says that DPDD essentially means you have to integrate or "bake in" data protection into your processing activities and business practices from the design stage right through the lifecycle, and that this is a legal requirement. As with much of the GDPR, this involves taking a risk-based approach and considering each processing operation on a case-by-case basis.
Design does not just refer to the design of systems, products and services, it also refers to organisational policies and processes, and business practices which have privacy implications.
The ICO also stresses that data protection by default does not mean that you must adopt a 'default to off' solution (although in some cases this is a requirement under the Age Appropriate Design Code). What it actually involves is ensuring you only process personal data necessary to achieve your specific purposes, so it is linked to the principles of data minimisation and purpose limitation. While exact steps vary depending on the circumstances, the ICO says the following must be considered:
The data controller has responsibility for implementing DPDD but within an organisation there may be a number of different areas involved, for example, senior management, systems development, and the DPO.
While data processors do not have explicit DPDD obligations, the controller is required to select a processor which provides sufficient guarantees to meet GDPR requirements and this covers DPDD. Where third parties are involved, there is no legal requirement on the controller to ensure they comply with DPDD (although they may have to do so in their own right), but Recital 78 suggests it should be taken into account.
The ICO says there is no 'one size fits all' approach. Issues to consider include those mentioned in Recital 78 and they need to be taken into account at the initial phase of any system, service, product or process. The intended processing activities have to be reviewed in the context of risks posed to individuals and the methods available to protect them and to comply with GDPR, taking into account the state of the art, cost, the type of processing and the risks involved. This must be done at the design phase of any processing activity and throughout the lifecycle of the processing.
The ICO points to the underlying concepts of the GDPR expressed in the seven 'foundational principles' of privacy by design as developed by the Information and Privacy Commissioner of Ontario as a useful (if not comprehensive) anchor to the approach you should take. Note that these should be used as guidelines rather than requirements:
The ICO suggests developing a set of practical actionable guidelines to use in your organisation, framed by your assessment of the risks posed and mitigating measures available to you. The key is to take an organisational approach that achieves the desired outcomes.
As the ICO stresses, many steps needed to ensure DPDD relate to other GDPR obligations – for example transparency requirements and security obligations – so it really runs through the GDPR compliance process. It also links to one of the key accountability tools, the DPIA. The ICO says DPIAs are integral to DPDD. While they are not always required (unlike DPDD), it is good practice to carry them out as they will help assess risk and mitigation which in turn helps with implementing and demonstrating DPDD.
As with much of GDPR compliance, the way you implement the requirements is left up to you. This gives organisations flexibility within the framework. The ICO guidance contains a basic checklist and you can also see our checklist on the Global Data Hub. EDPB guidance and other EU regulator views are also relevant. However you choose to implement DPDD, the overriding thing to remember is that you need to embed data protection into everything you do involving personal data.
Lucie Audibert looks at the increasing regulatory scrutiny of dark patterns and nudge techniques in light of the GDPR DPDD requirement.
Jo Joyce looks at common issues faced by two different types of businesses trying to implement privacy by design and default.
Our international team looks at the views of the EDPB and other EU regulators on DPDD.
Tamara Mackay-Temesy covers a variety of key practical privacy by design and default issues to consider during the design process.
Jo Joyce looks at the ICO's recently finalised Age Appropriate Design Code.