Data Protection By Design and By Default in GDPR

Intro

The scope of this section is to introduce the reader to Data Protection “By Design” and “By Default”, which are specifically and formally established by art. 25 of the GDPR. Since the Regulation strives to establish a proactive approach, in which data protection issues are identified and tackled in the early stages of the development of any solution that processes personal data, these two notions mark the obligation of data controllers to design systems using the most privacy-friendly approach and the state of the art in the field of personal data protection.
At the end of the study, the reader is expected to:
  • Understand the significance of Data Protection by Design

  • Understand the main parameters that should be taken into account when deciding on what measures should be designed to implement data protection principles

  • Understand the significance of documentation through appropriate tools/policies

  • Identify the important role of solution providers for the proper implementation of data protection principles

  • Understand what data protection by default is and the relation with data protection by design

Key Messages

  • The GDPR provides for the “Data Protection by Design” approach, which ensures that data protection principles are effectively integrated into any processing system

    • This provision directly affects system producers/developers

  • A risk-based approach is, once again, taken, where decisions should be based on:

    • State of the art

    • Cost of implementation

    • Nature, scope, context and purpose of processing

    • Risks for rights and freedoms

  • Data Protection by Design is much broader than ICT Security

  • Data Protection by Design and by Default should be integrated in the development life cycle of any processing solution.

  • Data controllers are obliged to be able to demonstrate how the measures they implement effectively respect data protection principles

    • Proper documentation is required

  • Data Processors and solution producers/providers are key enablers of Data Protection by Design

    • Although the “Data Protection by Design” obligation lies with the Data Controllers, their decisions on which processor/producer to use are expected to be heavily influenced by the “Data Protection by Design” readiness of each processor/producer.

  • The default settings of any processing solution should ensure that personal data are not made accessible without the individual's intervention to an indefinite number of natural persons

  • The obligation for data protection by default is closely interlinked with the one on data protection by design

See relevant slides
