Implementing DP principles using Data Protection By Design - By Default
=======================================================================

Intro
-----

| This material aims to provide practical guidance on how to implement data protection by design and by default in practice.
| In particular, practical examples are provided, as well as known bad practices, in order to allow a system analyst/designer/developer to identify the main challenges towards ensuring the fulfilment of the aforementioned principles
| (recall that, although data protection by design and by default are legal obligations for the data controllers, the role of system/product developers is crucial).

At the end of the study, the reader is expected to:

* Understand the importance of data protection by design and by default
* Be familiar with known problems/challenges in implementing these principles
* Be able to identify several pitfalls with respect to data protection by design and by default
* Have knowledge of a proper guide towards implementing these principles

Examples
--------

* How to efficiently implement the principles of **transparency, lawfulness and fairness**?

  + Be careful about how accurate, clear and easily accessible/readable the information provided to the users is
  + No vague formulations
  + No dark patterns
  + Is any third party employed?

    - E.g. do you implement an Android app that is based on third-party libraries?

  ⇒ `See relevant slides <_static/Appendix_3a.pdf>`__

* How to efficiently implement the principles of **purpose limitation, data minimisation and accuracy**?

  + Be careful about the purpose of the processing; having the users' data (legally) does not allow making use of them for other purposes

    - Does the design exclude such an option? E.g. is linking different datasets, collected for different purposes, made impossible?

  + Are the data processed the minimum possible?

    - Be careful: proper pseudonymisation may be a prerequisite in some cases
    - Do you erroneously consider data as anonymous when they are actually not?

  + Do you implement measures towards ensuring the accuracy of data?

    - Are your sources trusted?
    - What about users with "similar/almost similar identifiers"? E.g. what about two different users named Mary Adams?

  ⇒ `See relevant slides <_static/Appendix_3b.pdf>`__

* How to efficiently implement the principles of **storage limitation and security of data**?

  + Is the retention time well-determined? If yes, is it ensured that it is implemented properly?

    - Be careful of what remains in temporary storage, backups etc.
    - Is data recovery indeed impossible?

  + Do you anonymise instead of delete?

    - Be careful: data anonymisation is by itself a personal data processing
    - Not always an easy task: is it ensured that the resulting data are indeed anonymous?

  + Are your decisions on security measures ad hoc, or do they rely on systematic risk management?

    - Ad hoc empirical decisions are not the proper way
    - Even simply adopting the latest version of a security program/protocol is not adequate
    - Always consider the weakest link in the security chain

  ⇒ `See relevant slides <_static/Appendix_3c.pdf>`__

* What about data protection by default?

  + Which are the proper default settings?
  + Are there any guiding questions to help in making the proper choice for the default settings?

  ⇒ `See relevant slides <_static/Appendix_3d.pdf>`__

General References
------------------

1. European Data Protection Board, "Guidelines 4/2019 on Article 25 Data Protection by Design and by Default", adopted in 2020.
2. European Union Agency for Cybersecurity, "Recommendations on shaping technology according to GDPR provisions - Exploring the notion of data protection by default", 2019.
3. European Union Agency for Cybersecurity, "Recommendations on shaping technology according to GDPR provisions - An overview on data pseudonymisation", 2019.
4. European Union Agency for Cybersecurity, "Pseudonymisation techniques and best practices", 2019.
5. European Union Agency for Cybersecurity, "Data Pseudonymisation: Advanced Techniques and Use Cases", 2021.
6. European Union Agency for Cybersecurity, "Data Protection Engineering", 2022.
7. European Union Agency for Cybersecurity, "Privacy and Data Protection by Design - From policy to Engineering", 2014.
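The following Python block is an added example written for this page; it is not part of the original material nor of the EDPB/ENISA documents listed above. It turns two of the questions from the "Examples" section into checks a designer can actually run: "Do you erroneously consider data as anonymous, but they are actually not?" (data minimisation) and "Is it ensured that the resulting data are indeed anonymous?" (anonymising instead of deleting). It also keeps the two different "Mary Adams" users apart by pseudonymising the e-mail address rather than the name. The sample records, the secret key, the generalisation rules and the k threshold are all constructed assumptions of the example.

```python
"""Added example (not part of the original material).

Two self-checks before a dataset is labelled "anonymous":

1. Replacing a direct identifier by an unkeyed hash yields a pseudonym, not an
   anonymous value: whoever can guess the original value can confirm it.  A keyed
   hash (HMAC) under a secret kept away from the dataset removes that shortcut,
   although the data remain personal data for whoever holds the key.
2. Dropping direct identifiers is not enough if the remaining quasi-identifiers
   single people out; a k-anonymity measurement makes that visible and testable.

All records, the key and the generalisation rules are constructed for this example.
"""
import hashlib
import hmac
import secrets
from collections import Counter
from typing import Optional

# Constructed sample data. Two different users are both called Mary Adams; the
# e-mail address, not the name, is used as the identifier so they stay distinct.
RECORDS = [
    {"email": "mary.adams@example.org", "zip": "10115", "age": 34, "diagnosis": "A"},
    {"email": "mary.adams@example.net", "zip": "10117", "age": 37, "diagnosis": "B"},
    {"email": "j.lee@example.org", "zip": "10243", "age": 52, "diagnosis": "A"},
    {"email": "k.osei@example.org", "zip": "10245", "age": 58, "diagnosis": "C"},
]


def unkeyed_pseudonym(value: str) -> str:
    """The weak approach: a plain SHA-256 of the identifier."""
    return hashlib.sha256(value.encode()).hexdigest()


def keyed_pseudonym(value: str, key: bytes) -> str:
    """Keyed pseudonymisation: HMAC-SHA256 under a secret held apart from the data."""
    return hmac.new(key, value.encode(), hashlib.sha256).hexdigest()


def reidentify_by_guessing(pseudonym: str, candidates, key: Optional[bytes] = None) -> Optional[str]:
    """Self-check: can a pseudonym be linked back to one of a list of known values?

    With key=None this models what anyone holding a candidate list can do against
    the unkeyed scheme; with the key it models the controller's own lookup.
    """
    for candidate in candidates:
        computed = keyed_pseudonym(candidate, key) if key is not None else unkeyed_pseudonym(candidate)
        if hmac.compare_digest(computed, pseudonym):
            return candidate
    return None


def k_anonymity(records, quasi_ids) -> int:
    """Smallest number of records sharing one combination of quasi-identifier values.

    k == 1 means at least one person is unique in the dataset on those attributes.
    """
    groups = Counter(tuple(r[q] for q in quasi_ids) for r in records)
    return min(groups.values()) if groups else 0


def generalise(record: dict) -> dict:
    """Coarsen quasi-identifiers to a 3-digit postcode area and a 10-year age band.

    These rules are an assumption of the example; real projects derive them from
    their own risk assessment. The direct identifier is dropped from the output.
    """
    decade = record["age"] // 10 * 10
    return {
        "zip": record["zip"][:3] + "**",
        "age": f"{decade}-{decade + 9}",
        "diagnosis": record["diagnosis"],
    }


def release_dataset(records, key: bytes, k_required: int = 2):
    """Replace direct identifiers by keyed pseudonyms, then release only a
    generalised view and refuse to call it anonymous unless it reaches k_required."""
    pseudonymised = [dict(r, email=keyed_pseudonym(r["email"], key)) for r in records]
    # The pseudonymised table is still personal data; only the coarsened view leaves.
    released = [generalise(r) for r in pseudonymised]
    k = k_anonymity(released, ("zip", "age"))
    return released, k, k >= k_required


if __name__ == "__main__":
    key = secrets.token_bytes(32)  # in a real system: kept in a separate key store
    known = [r["email"] for r in RECORDS]
    print("unkeyed hash reversed:", reidentify_by_guessing(unkeyed_pseudonym(known[0]), known))
    print("keyed pseudonym reversed without key:",
          reidentify_by_guessing(keyed_pseudonym(known[0], key), known))
    print("k before generalisation:", k_anonymity(RECORDS, ("zip", "age")))
    _, k, ok = release_dataset(RECORDS, key)
    print("k after generalisation:", k, "- meets k=2:", ok)
```

On the constructed records the unkeyed pseudonym is confirmed immediately from the candidate list, the keyed one is not, and the raw quasi-identifiers give k=1 while the generalised view reaches k=2. The threshold and the generalisation rules are the part a project has to justify from its own risk assessment; the check itself is what keeps "we anonymised it" from being an unverified claim.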