European Data Protection Board Guidelines: Data Protection by Design and by Default
The European Data Protection Board (EDPB) has adopted new Guidelines 4/2019 on Article 25: Data Protection by Design and by Default (DPbDD) for consultation purposes. The closing date for responses is 16 January 2020.
The Guidelines give general guidance on the obligation of DPbDD imposed on controllers under Article 25 of the General Data Protection Regulation ((EU) 2016/679) (GDPR). Article 25 makes controllers responsible for effective implementation of the data protection principles and data subjects’ rights and freedoms by design and by default. This requires that controllers implement appropriate technical and organisational measures and necessary safeguards, designed to implement data protection principles in an effective manner and to protect the rights and freedoms of data subjects. Article 25 also requires that, by default, only personal data which is necessary for each specific purpose of the processing is then processed.
The European Data Protection Board (EDPB), established by the GDPR, is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. Formerly known as the Article 29 Working Party, the EDPB is composed of representatives of the national data protection authorities, and the European Data Protection Supervisor (EDPS).
An important point to remember is that, unfortunately, data protection compliance is not a tick-box exercise, and interpretation of the GDPR in practice can become a compliance headache. As many of us appreciate, DPbDD means different things to different organisations, and there is an element of “you’ll know it when you see it” when deciding what compliance measures to adopt. This is coupled with the fact that EDPB guidance does have a tendency to be quite theoretical.
In light of the above, it is no surprise that this is the case here with the adoption of the DPbDD Guidelines for public consultation. It remains to be seen how much assistance the Guidelines will actually offer to businesses attempting to achieve Article 25 compliance, when what is often wanted is more practical advice. That being said, one or two more helpful practical points are expanded on by the Guidelines.
The Guidelines provide examples on how to apply DPbDD in the context of specific data protection principles. For example, one such principle addressed by the Guidelines is the principle requiring controllers to:
- implement appropriate technical and organisational measures which are designed to implement the data protection principles; and
- integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.
The Guidelines suggest that the term “appropriate” means that the measures adopted must be fit to implement the data protection principles effectively by reducing the risks of infringing the rights and freedoms of data subjects, and is therefore closely related to the requirement of effectiveness. The Guidelines acknowledge that this can be anything from the use of advanced technical solutions to the basic training of personnel, for example on how to handle customer data.
In relation to effective safeguards, the Guidelines note that:
“Enabling data subjects to intervene in the processing, providing automatic and repeated information about what personal data is being stored, or having a retention reminder in a data repository may be examples of necessary safeguards. Another may be implementation of a malware detection system on a computer network or storage system in addition to training employees about phishing and basic “cyber hygiene”. An example of a technical measure or safeguard is pseudonymization of personal data.”
The Guidelines also address the possibility of establishing a certification mechanism to demonstrate compliance with Article 25 DPbDD. It is acknowledged that adherence to an approved certification programme will help demonstrate that an organisation has integrated data protection into its data processing by design and by default.
We are now over a year on from the date when the GDPR came into effect back in May 2018 and both the UK ICO and the EDPB are turning their attentions to the practical implementation of the GDPR as organisations roll out their data protection compliance programs.
Although the Guidelines are aimed at controllers, they highlight that processors and technology providers may also find the Guidelines useful in creating GDPR-compliant products and services.
In August 2019 the ICO noted that it too is intending to publish detailed guidance on data protection by design and privacy enhancing technologies, and how these concepts apply in the context of the ICO’s new Age Appropriate Design Code of Practice. ICO guidance, which of itself is not perfect, is likely to be more practical and so we will wait to see what the ICO’s approach will be here.
The new Age Appropriate Design Code of Practice aims to translate the requirements of the GDPR, in particular its rules on how data can be used and the importance of protecting children, into design standards for online services. The ICO recognises that, as designers and developers understand what is expected of them, there may be shifts in the design processes for online services which make greatest use of children’s data.
On Friday 22 November the ICO submitted the final version of the Age Appropriate Design Code of Practice to the Secretary of State in accordance with the statutory deadline. The Code will be laid before parliament once the new government has been formed following the upcoming General Election.