Data Protection By Design and By Default in GDPR
Intro
Understand the significance of Data Protection by Design
Understand the main parameters that should be taken into account when deciding on what measures should be designed to implement data protection principles
Understand the significance of documentation through appropriate tools/policies
Identify the important role of solution providers for the proper implementation of data protection principles
Understand what data protection by default is and the relation with data protection by design
Key Messages
The GDPR provides for the “Data Protection by Design” approach, which ensures that data protection principles are effectively integrated into any processing system
This provision directly affects system producers/developers
A risk-based approach is, once again, taken, where decisions should be based on:
State of the art
Cost of implementation
Nature, scope, context and purpose of processing
Risks for rights and freedoms
Data Protection by Design is much broader than ICT Security
Data Protection by Design and by Default should be integrated into the development life cycle of any processing solution.
Data controllers are obliged to be able to demonstrate how the measures they implement effectively respect data protection principles
Proper documentation is required
Data Processors and solution producers/providers are key enablers of Data Protection by Design
Although the “Data Protection by Design” obligation lies with the Data Controllers, their decisions on which processor/producer to use are expected to be heavily influenced by the “Data Protection by Design” readiness of each processor/producer.
The default settings of any processing solution should ensure that personal data are not made accessible without the individual's intervention to an indefinite number of natural persons
The obligation for data protection by default is closely interlinked with the one on data protection by design