European Data Protection Board Guidelines: Data Protection by Design and by Default
The European Data Protection Board (EDPB) has adopted new Guidelines 4/2019 on Article 25: Data Protection by Design and by Default (DPbDD) for consultation purposes. The closing date for responses is 16 January 2020.
The Guidelines give general guidance on the obligation of DPbDD imposed on controllers under Article 25 of the General Data Protection Regulation ((EU) 2016/679) (GDPR). Article 25 makes controllers responsible for effective implementation of the data protection principles and data subjects’ rights and freedoms by design and by default. This requires that controllers implement appropriate technical and organisational measures and necessary safeguards, designed to implement data protection principles in an effective manner and to protect the rights and freedoms of data subjects. Article 25 also requires that, by default, only personal data which is necessary for each specific purpose of the processing is then processed.
Background
The European Data Protection Board (EDPB), established by the GDPR, is an independent European body, which contributes to the consistent application of data protection rules throughout the European Union, and promotes cooperation between the EU’s data protection authorities. Formerly known as the Article 29 Working Party, the EDPB is composed of representatives of the national data protection authorities, and the European Data Protection Supervisor (EDPS).
An important point to remember is that unfortunately data protection compliance is not a tick-box exercise, and interpretation of the GDPR in practice can become a compliance headache. As many of us appreciate, DPbDD means different things to different organisations, and there is an element of “you’ll know it when you see it” when deciding what compliance measures to adopt. This is coupled with the fact that EDPB guidance does have a tendency to be quite theoretical.
In light of the above, it is no surprise that this is the case here with the adoption of the DPbDD Guidelines for public consultation. It remains to be seen how much assistance the Guidelines will actually offer to businesses attempting to achieve Article 25 compliance, when what is often wanted is more practical advice. That being said, one or two more helpful practical points are expanded on by the Guidelines.
Key Themes
The Guidelines provide examples on how to apply DPbDD in the context of specific data protection principles. For example, one such principle addressed by the Guidelines is the principle requiring controllers to:
- implement appropriate technical and organisational measures which are designed to implement the data protection principles; and
- integrate the necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects.
The Guidelines suggest that the term “appropriate” means that the measures adopted must be fit to implement the data protection principles effectively by reducing the risks of infringing the rights and freedoms of data subjects, and is therefore closely related to the requirement of effectiveness. The Guidelines acknowledge that this can be anything from the use of advanced technical solutions to the basic training of personnel, for example on how to handle customer data.
In relation to effective safeguards, the Guidelines note that:
“Enabling data subjects to intervene in the processing, providing automatic and repeated information about what personal data is being stored, or having a retention reminder in a data repository may be examples of necessary safeguards. Another may be implementation of a malware detection system on a computer network or storage system in addition to training employees about phishing and basic “cyber hygiene”. An example of a technical measure or safeguard is pseudonymization of personal data.”
The Guidelines also address the possibility of establishing a certification mechanism to demonstrate compliance with Article 25 DPbDD. It is acknowledged that adherence to an approved certification program will help demonstrate that an organisation has integrated data protection into its data processing by design and by default.
Practical Considerations
We are now over a year on from the date when the GDPR came into effect back in May 2018 and both the UK ICO and the EDPB are turning their attentions to the practical implementation of the GDPR as organisations roll out their data protection compliance programs.
Although the Guidelines are aimed at controllers, they highlight that processors and technology providers may also find the Guidelines useful in creating GDPR-compliant products and services.
In August 2019 the ICO noted that it too is intending to publish detailed guidance on data protection by design and privacy enhancing technologies, and how these concepts apply in the context of the ICO’s new Age Appropriate Design Code of Practice. ICO guidance, which of itself is not perfect, is likely to be more practical and so we will wait to see what the ICO’s approach will be here.
The new Age Appropriate Design Code of Practice aims to translate the requirements of the GDPR, in particular its rules on how data can be used and the importance of protecting children, into design standards for online services. The ICO recognises that as designers and developers understand what is expected of them, there may be shifts in the design processes for online services which make greatest use of children’s data.
On Friday 22 November the ICO submitted the final version of the Age Appropriate Design Code of Practice to the Secretary of State in accordance with the statutory deadline. The Code will be laid before parliament once the new government has been formed following the upcoming General Election.
For more information, please contact Christina on +44 (0)20 7427 1022 or at christina.fleming@crsblaw.com; or Jonathan McDonald on +44 (0)20 7427 6725 or at jonathan.mcdonald@crsblaw.com.