European Data Protection Board Guidelines: Data Protection by Design and by Default

The European Data Protection Board (EDPB) has adopted new Guidelines 4/2019 on Article 25: Data Protection by Design and by Default (DPbDD) for consultation purposes. The closing date for responses is 16 January 2020.

The Guidelines give general guidance on the obligation of DPbDD imposed on controllers under Article 25 of the General Data Protection Regulation ((EU) 2016/679) (GDPR). Article 25 makes controllers responsible for effective implementation of the data protection principles and data subjects’ rights and freedoms by design and by default. This requires that controllers implement appropriate technical and organisational measures and necessary safeguards, designed to implement data protection principles in an effective manner and to protect the rights and freedoms of data subjects. Article 25 also requires that, by default, only personal data which is necessary for each specific purpose of the processing is then processed.

Background

The European Data Protection Board (EDPB), established by the GDPR, is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. Formerly known as the Article 29 Working Party, the EDPB is composed of representatives of the national data protection authorities, and the European Data Protection Supervisor (EDPS).
An important point to remember is that unfortunately data protection compliance is not a tick box exercise and interpretation of the GDPR in practice can become a compliance head-ache. As many of us appreciate, DPbDD means different things to different organisations and there is an element of “you’ll know it when you see it” when deciding what compliance measures to adopt. This is coupled with the fact that EDPB guidance does have a tendency to be quite theoretical.
In light of above, it is no surprise that this is the case here with the adoption of the DPbDD Guidelines for public consultation. It remains to be seem how much assistance the Guidelines will actually offer to businesses attempting to achieve Article 25 compliance, when what is often wanted is more practical advice. That being said, one or two more helpful practical points are expanded on by the Guidelines.

Key Themes

The Guidelines provide examples on how to apply DPbDD in the context of specific data protection principles. For example, one such principle addressed by the Guidelines is the principle requiring controllers to:

1. implement appropriate technical and organisational measures which are designed to implement the data protection principles; and
2. integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.

The Guidelines suggests that the term “appropriate” means that the measures adopted must be fit to implement the data protection principles effectively by reducing the risks of infringing the rights and freedoms of data subjects and therefore is closely related to the requirement of effectiveness. The Guidelines acknowledge that this can be anything from the use of advanced technical solutions to the basic training of personnel, for example on how to handle customer data.
In relation to effective safeguards, the Guidelines note that:

“Enabling data subjects to intervene in the processing, providing automatic and repeated information about what personal data is being stored, or having a retention reminder in a data repository may be examples of necessary safeguards. Another may be implementation of a malware detection system on a computer network or storage system in addition to training employees about phishing and basic “cyber hygiene”. An example of a technical measure or safeguard is pseudonymization of personal data.”

The Guidelines also address the possibility to establish a certification mechanism to demonstrate compliance with Article 25 DPbDD. It is acknowledged that adherence to an approved certification program will help demonstrate that an organization integrated data protection into its data processing by design and by default.

Practical Considerations

We are now over a year on from the date when the GDPR came into effect back in May 2018 and both the UK ICO and the EDPB are turning their attentions to the practical implementation of the GDPR as organisations roll out their data protection compliance programs.

Although the Guidelines are aimed at controllers, it highlights that processors and technology providers may also find the Guidelines useful in creating GDPR-compliant products and services.

In August 2019 the ICO noted that it too is intending to publish detailed guidance on data protection by design and privacy enhancing technologies, and how these concepts apply in the context of the ICO’s new Age Appropriate Design Code of Practice. ICO guidance, which of itself is not perfect, is likely to be more practical and so we will wait to see what the ICO’s approach will be here.

The new Age Appropriate Design Code of Practice aims to translate the requirements of the GDPR, in particular its rules on how data can be used and the importance of protecting children, into design standards for online services. The ICO recognises at as designers and developers understand what is expected of them, there may be shifts in the design processes for online services which make greatest use of children’s data.

On Friday 22 November the ICO submitted the final version of the Age Appropriate Design Code of Practice to the Secretary of State in accordance with the statutory deadline. The Code will be laid before parliament once the new government has been formed following the upcoming General Election.

For more information, please contact Christina on +44 (0)20 7427 1022 or at christina.fleming@crsblaw.com; or Jonathan McDonald on +44 (0)20 7427 6725 or at jonathan.mcdonald@crsblaw.com.