The Spanish Data Protection Agency has published a guide to facilitate the application of the privacy by design principle

Written By

paula garralon Module
Paula Garralon

Senior Associate
Spain

I am associate in the Bird & Bird's Commercial and Privacy & Data Protection department in the Madrid office.

The General Data Protection Regulation (EU) 2016/679, established data protection by design and by default (PbD) as a legal obligation that every data controller must comply with. Implementing this principle in practice may be a complicated task, given its generic nature and the difficulty of finding technological solutions that truly turn privacy into an integral part of companies' products and/or services.

It is a highly practical document that begins defining the foundational principles of PbD:

  1. Proactive not Reactive; Preventative not Remedial
  2. Privacy as the Default
  3. Privacy Embedded into Design
  4. Full Functionality – Positive-Sum, not Zero-Sum
  5. End-to-End Security – Lifecycle Protection
  6. Visibility and Transparency
  7. Respect for User Privacy
It continues explaining that the PbD must be seen as a comprehensive sum of risk approach and proactive accountability, and in addition to the security risks (confidentiality, integrity and availability), it adds three new protection objectives: i) unlinkability, ii) transparency and iii) intervenability.

These six protection objectives constitute an overall framework of protection in the processing of personal data and determine, as a result of an assessment of the risks involved, other non-functional attributes or requirements to be met by the system which become the gateways to privacy by design processes.

Following the results of the risk assessment, controllers must use privacy engineering which is the use of engineering knowledge and techniques to systematically address risks associated with planned and authorized functioning of systems that collect, use and disclose personal information. In order to better understand this concept, the guide explains what Privacy Design Strategies, Design Patterns and Privacy Enhancing Technologies are and includes an extensive list of different strategies for the practice.

Ensuring privacy and establishing a governance framework that guarantees the protection of personal data does not represent an obstacle to innovation. Quite the opposite, it offers advantages and opportunities for all participants (controllers, suppliers, product and application developers, device manufacturers and data subjects).

Latest insights

More Insights
Colourful building

Fintech Features - October 2024

Oct 11 2024

Read More
Pills lined up on blue background

Feeling unwell after the CJEU’s Lindenapotheke decision?

Oct 10 2024

Read More
flower

AI - Litigation Risks in the UK & the EU

Oct 10 2024

Read More