Article 25 GDPR Data Protection by Design and by Default
Guidelines 04/2019 – Article 25 GDPR Data Protection by Design and by Default
SECTION 6 CONCLUSIONS AND RECOMMENDATIONS
85. In an increasingly digital world, adherence to DPbDD requirements plays a crucial part in promoting privacy and data protection in society. It is therefore essential that controllers take this responsibility seriously and implement the GDPR obligations when designing processing operations. Although not directly addressed in Article 25, processors and technology providers are also recognised as key enablers for DPbDD. They are in a position to identify the potential risks that the use of a system or service may entail, and are more likely to be up to date on technological developments. When processing on behalf of controllers, or providing solutions to controllers, technology providers should use their expertise and seize the opportunity to build trust and guide their customers in designing solutions that embed data protection into the processing. Processors and technology providers should also be aware that controllers are required to process personal data only with systems and technologies that have built-in data protection.
Recommendations
86. It should be kept in mind when implementing Article 25 that the main design objective is the effective implementation of the principles and the rights of data subjects into the processing. In order to facilitate and enhance the adoption of DPbDD, we recommend the following:
- Controllers should think of DPbDD from the initial stages of planning a processing operation, even before the time of determination of the means of processing.
- A processing operation may be certified for DPbDD. Such a certification may provide added value to a controller when choosing between different processing systems from technology providers. A certification seal may also guide data subjects in their choice between different goods and services, such as applications, software, systems and Internet of Things devices, including wearables and implants. Having a DPbDD seal can therefore serve as a competitive advantage for both technology providers and controllers, and may even enhance data subjects' trust in the processing of their personal data. Where there is no certification, controllers should seek other guarantees that technology and service providers comply with the requirements of DPbDD.
- Technology providers should seek to support controllers in complying with DPbDD. Controllers, on the other hand, should not choose providers who do not offer systems enabling the controller to comply with Article 25, because controllers will be held accountable for the lack of implementation thereof.
- Technology providers should play an active role in ensuring that the criteria for the "state of the art" are met, and notify controllers of any changes to the "state of the art" that may affect the effectiveness of the measures they have in place. Controllers should include this requirement as a contractual clause to make sure they are kept up to date.
- Controllers should take into account the cost element when choosing a provider or planning a technology or organisational practice or solution, and take into account the potential cost of monetary fines as a result of non-compliance with the GDPR. The controller should assess the factors contributing to the cost of a project, and find the actual costs of data protection, as opposed to the business costs of processing data. Ways to be more cost efficient are, for example, to simplify the organisation, leverage economies of scale or leverage economies of scope.
- Technology providers should keep in mind that Article 25 requires the cost of implementation to be taken into account in the design process. This means that when developing a solution, technology providers should also take cost efficiency into account during the development of that solution and implement the principles in an effective manner. Controllers should demand that their technology providers are transparent and demonstrate the costs of developing the solution.
- Controllers should always seek to effectively mitigate risk when implementing data protection by design within the nature, scope and context of their processing operations, including when accounting for the related cost and the state of the art of their chosen technical and organisational measures and safeguards.
- The EDPB encourages technology providers to take the opportunity to use DPbDD as a competitive advantage in the market.
- The EDPB recommends that controllers require technology providers to demonstrate accountability on how they have complied with DPbDD, for example by using key performance indicators to demonstrate the effectiveness of the measures and safeguards at implementing the principles.
- The EDPB emphasises the need for a harmonised approach to implementing the principles in an effective manner and encourages associations or bodies preparing codes of conduct in accordance with Article 40 to also incorporate DPbDD.
- Controllers should be fair to data subjects and transparent on how they assess and demonstrate effective DPbDD implementation, in the same manner as controllers demonstrate compliance with the GDPR under the principle of accountability.