European Data Protection Board Guidelines: Data Protection by Design and by Default
The European Data Protection Board (EDPB) has adopted new Guidelines 4/2019 on Article 25: Data Protection by Design and by Default (DPbDD) for consultation purposes. The closing date for responses is 16 January 2020.
The Guidelines give general guidance on the obligation of DPbDD imposed on controllers under Article 25 of the General Data Protection Regulation ((EU) 2016/679) (GDPR). Article 25 makes controllers responsible for effective implementation of the data protection principles and data subjects’ rights and freedoms by design and by default. This requires that controllers implement appropriate technical and organisational measures and necessary safeguards, designed to implement data protection principles in an effective manner and to protect the rights and freedoms of data subjects. Article 25 also requires that, by default, only personal data which is necessary for each specific purpose of the processing is then processed.
The European Data Protection Board (EDPB), established by the GDPR, is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. Formerly known as the Article 29 Working Party, the EDPB is composed of representatives of the national data protection authorities, and the European Data Protection Supervisor (EDPS).
An important point to remember is that, unfortunately, data protection compliance is not a tick-box exercise, and interpreting the GDPR in practice can become a compliance headache. As many of us appreciate, DPbDD means different things to different organisations, and there is an element of “you’ll know it when you see it” when deciding what compliance measures to adopt. This is coupled with the fact that EDPB guidance does have a tendency to be quite theoretical.
In light of the above, it is no surprise that this is the case here with the adoption of the DPbDD Guidelines for public consultation. It remains to be seen how much assistance the Guidelines will actually offer to businesses attempting to achieve Article 25 compliance, when what is often wanted is more practical advice. That being said, one or two more helpful practical points are expanded on by the Guidelines.
The Guidelines provide examples on how to apply DPbDD in the context of specific data protection principles. For example, one such principle addressed by the Guidelines is the principle requiring controllers to:
- implement appropriate technical and organisational measures which are designed to implement the data protection principles; and
- integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.
The Guidelines suggest that the term “appropriate” means that the measures adopted must be fit to implement the data protection principles effectively by reducing the risks of infringing the rights and freedoms of data subjects, and that it is therefore closely related to the requirement of effectiveness. The Guidelines acknowledge that this can be anything from the use of advanced technical solutions to the basic training of personnel, for example on how to handle customer data.
In relation to effective safeguards, the Guidelines note that:
“Enabling data subjects to intervene in the processing, providing automatic and repeated information about what personal data is being stored, or having a retention reminder in a data repository may be examples of necessary safeguards. Another may be implementation of a malware detection system on a computer network or storage system in addition to training employees about phishing and basic “cyber hygiene”. An example of a technical measure or safeguard is pseudonymization of personal data.”
The Guidelines also address the possibility to establish a certification mechanism to demonstrate compliance with Article 25 DPbDD. It is acknowledged that adherence to an approved certification program will help demonstrate that an organization integrated data protection into its data processing by design and by default.
We are now over a year on from the date when the GDPR came into effect back in May 2018 and both the UK ICO and the EDPB are turning their attentions to the practical implementation of the GDPR as organisations roll out their data protection compliance programs.
Although the Guidelines are aimed at controllers, they highlight that processors and technology providers may also find the Guidelines useful in creating GDPR-compliant products and services.
In August 2019 the ICO noted that it too is intending to publish detailed guidance on data protection by design and privacy enhancing technologies, and how these concepts apply in the context of the ICO’s new Age Appropriate Design Code of Practice. ICO guidance, which of itself is not perfect, is likely to be more practical and so we will wait to see what the ICO’s approach will be here.
The new Age Appropriate Design Code of Practice aims to translate the requirements of the GDPR, in particular its rules on how data can be used and the importance of protecting children, into design standards for online services. The ICO recognises that, as designers and developers understand what is expected of them, there may be shifts in the design processes for online services which make greatest use of children’s data.
On Friday 22 November the ICO submitted the final version of the Age Appropriate Design Code of Practice to the Secretary of State in accordance with the statutory deadline. The Code will be laid before parliament once the new government has been formed following the upcoming General Election.