Key References:
- GDPR Art. 25
- Recital 78
- New legal requirement
- Technical and organisational measures
- EDPB Guidelines 4/2019 on Data Protection by Design and by Default
A. Data Protection by Design:
Background: A methodology developed by the Information and Privacy Commissioner of Ontario, Canada, consisting of seven (7) fundamental principles that help embed privacy in products and services during the design phase. The goal is to respect data subjects’ privacy rights and to anticipate and prevent privacy violations before they occur.
- Proactive not Reactive; Preventative not Remedial
- Privacy as the Default Setting
- Privacy Embedded into Design
- Full functionality — Positive-Sum, not Zero-Sum
- End-to-end security — Full Lifecycle Protection
- Visibility and Transparency — Keep it Open
- Respect for User Privacy — Keep it User-Centric
GDPR and Data Protection by Design: The GDPR requires controllers and processors to adopt internal policies to integrate or ‘bake in’ privacy and data protection during product/service design or processing stages, under its Accountability principle.
B. Data Protection by Default:
- Linked to Data Minimisation and Purpose Limitation principles of the GDPR.
- Privacy as a default setting (user to be given opt-in requirements, not opt-out).
- Minimize processing of personal data (collect only necessary data).
- Pseudonymize personal data (security).
- Transparency on functions and processing of personal data (privacy policies that are easy to locate and read, internal DPIAs).
- Enable data subjects to monitor processing (respect data subject rights under GDPR Chapters 3-4).
C. Art. 25(3) Certification:
- GDPR Article 25(3) states: “An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.”
- No Certification mechanism available as of now.
EDPB Guidelines 4/2019 on Article 25 Data Protection by Design and by Default