EDPB Publishes Guidelines on Data Protection by Design and by Default

By Matthew Buckwell, Ruth Boardman, Ariane Mole

11-2019

On 20 November 2019, the European Data Protection Board (“EDPB”) published its draft guidelines on the principles of Data Protection by Design and Default (the “Guidelines”) under Article 25 of the EU General Data Protection Regulation (“GDPR”). The Guidelines were adopted on 13 November 2019 in the EDPB’s fifteenth plenary session. They give general guidance on the interpretation of the obligations of data protection by design and by default. In addition to covering these principles, the Guidelines also cover certification mechanisms for demonstrating compliance with Article 25 GDPR and enforcement by supervisory authorities.

The Guidelines are designed to apply to data controllers, but the EDPB notes that: “Other actors, such as processors and technology providers, who are not directly addressed in Article 25, may also find [the] Guidelines useful in creating GDPR-compliant products and services that enable controllers to fulfil their data protection obligations.”

1. Data Protection by Design

Article 25(1) of the GDPR places two key obligations on data controllers when designing products and services, namely to:

(1) implement appropriate technical and organisational measures that are designed to implement the data protection principles (as set out in Article 5 of the GDPR); and

(2) integrate necessary safeguards into the processing in order to meet the requirements of the GDPR and protect the rights of data subjects (as set out in Articles 12-22 of the GDPR).

The Guidelines confirm that these obligations must be considered both at the time of determining the means of processing (the architecture, procedures, protocols, layout and appearance) and at the time of the processing itself (including over the course of the processing activities).

Technical and Organisational Measures

The EDPB considers that:

“A technical or organisational measure can be anything from the use of advanced technical solutions to the basic training of personnel, for example on how to handle customer data.”

These measures do not therefore need to involve the use of the very latest (and most expensive) technology and could, for example, include the use of pseudonymisation.

The Guidelines emphasise that the measures must be implemented in an effective manner, which means that generic measures may not be sufficient. The measures must be targeted and have an actual effect. The Guidelines suggest that key performance indicators and quantitative and qualitative metrics can assist with demonstrating compliance.

Safeguards

The EDPB considers that appropriate measures and necessary safeguards are meant to serve the same purpose, but that safeguards act as a second tier to secure data subjects’ rights and freedoms in the processing.

Safeguards should be designed to ensure the effectiveness of the measures implementing the principles throughout the life-cycle of the processing activities. The EDPB provided some examples of what these safeguards may be, including:

(1) enabling data subjects to intervene in the processing;

(2) providing automatic and repeated information about what personal data is being stored;

(3) having a retention reminder in a data repository;

(4) a malware detection system on a computer network or storage system;

(5) training employees about phishing and basic “cyber hygiene”.

State of the Art

Whilst there is no requirement to use cutting-edge technology, the measures adopted should take account of the “state of the art”. This requires that controllers stay up to date on technological progress and also on relevant organisational measures. As a result, using security software that has known vulnerabilities or that is out of date would likely not be considered a measure that takes account of the state of the art.

Cost

Article 25(1) of the GDPR does allow for the cost of implementation to be taken into consideration when determining the appropriateness of the measures to be used. The Guidelines clarify that this cost should be considered in a wider sense than simple monetary cost and should also include the time and human resource cost. The EDPB also cautions that it is the implementation cost of the measures that must be taken into account, but notes that the implementation and maintenance of the “state of the art” may also be of significance when considering the cost of implementation, although how this would work in practice is not clear.

Nevertheless, the controller is required to plan for and expend the costs necessary for the effective implementation of all of the principles in the GDPR. The EDPB is unequivocal when it states:

“Incapacity to bear the costs is no excuse for non-compliance with the GDPR.”

However, the EDPB also cautions that simply because the technology is expensive does not mean that it necessarily leads to effective implementation of the principles and the controller must manage the costs to be able to effectively implement all of the principles.

The final considerations set out in Article 25(1) of the GDPR are to consider the:

  • nature – the inherent characteristics of the processing;
  • scope – the size and range of the processing;
  • context – the circumstances of the processing, which may influence the expectations of the data subject; and
  • impact – the impact the processing will have on the rights and freedoms of the data subjects (contained in Articles 12-22 and in the EU Charter of Fundamental Rights and Recital 4). The Guidelines suggest that when performing the risk analysis for compliance with Article 25 of the GDPR, the controller should identify the risks and determine their likelihood and severity, taking into account the guidance from the EDPB on Data Protection Impact Assessments and also relevant best practices and standards.

2. Data Protection by Default

Article 25(2) requires that controllers implement data protection by default. This means that the decisions made by the controller on the basic configuration of the processing should be made with data protection considerations in mind. According to the Guidelines, this basic configuration includes:

“the value or processing option that is assigned in a software application, computer program or device that has the effect of adjusting, in particular but not limited to, the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility.”

Default settings on products and software should be those that provide data protection by default. Any changes to these settings would therefore require the intervention of the user (or, in our view, possibly in some cases, the employer of the user). The Guidelines specify that these basic data protection settings should apply “out of the box” and be the same on all instances of the device, service or model.

The same considerations apply to the organisational measures supporting processing operations, which should be designed to process only the minimum amount of personal data necessary.

The technical and organisational measures should meet the considerations discussed above under the data protection by design principle, but with the principle of minimisation in mind. The measures must by default be appropriate to ensure that only personal data which are necessary for each specific purpose of processing are being processed.

The Guidelines also specify that data protection by default needs to apply to the following elements of the processing:

  • amount of personal data collected – only the personal data that is necessary should be collected. The EDPB clarifies that this should be considered in a qualitative and quantitative sense, so that the types and categories of data collected should also be considered as part of data minimisation.
  • extent of processing – the operations conducted on personal data should also be limited to what is necessary. The EDPB also cautioned that “Controllers should also be careful not to extend the boundaries of “compatible purposes”, and have in mind what processing will be within the reasonable expectations of data subjects”.
  • period of storage – personal data should be deleted or anonymised by default when it is no longer needed.
  • accessibility – the controller should also put in place access controls so that the only individuals who can access the personal data are those for whom it is necessary. The Guidelines also called out the requirement in Article 25(2) that personal data should not be made accessible to an indefinite number of natural persons without the individual’s intervention. As a result, the controller must, by default, limit accessibility and consult with the data subject before publishing or otherwise making available personal data about the data subject to an indefinite number of natural persons. However, the method for intervention may depend on the lawful basis for processing.
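As an added illustration (it is not taken from the Guidelines or from this article), the following Python sketch shows how the four Article 25(2) elements can be pinned to their most protective value in a settings object, so that widening collection, further processing, retention or accessibility requires an explicit user action rather than happening silently. The delivery purpose, the field names, the optional-field list and the 30-day retention period are hypothetical.

```python
"""Data protection by default expressed as configuration.

Added illustration (not from the EDPB Guidelines or the article): each Article 25(2)
element starts at its most protective value, and only an explicit user choice widens it.
The purpose, field names and retention period are hypothetical.
"""
from dataclasses import dataclass, replace
from datetime import date, timedelta

# Fields strictly necessary for the hypothetical purpose "deliver the ordered goods".
NECESSARY_FOR_DELIVERY = frozenset({"name", "postal_address", "email"})
# Fields the service may additionally collect, but only after the user opts in (hypothetical).
OPTIONAL_FIELDS = frozenset({"date_of_birth", "phone", "marketing_preferences"})


@dataclass(frozen=True)
class PrivacySettings:
    """The four elements named in Article 25(2): amount, extent, storage period, accessibility."""
    collected_fields: frozenset = NECESSARY_FOR_DELIVERY  # amount: only what the purpose needs
    analytics_profiling: bool = False                     # extent: further processing off
    retention_days: int = 30                              # storage period: shortest that serves the purpose
    profile_public: bool = False                          # accessibility: no indefinite audience

    def widened_by_user(self, **choices) -> "PrivacySettings":
        """Return new settings after an explicit user intervention.

        Extra fields must be on the optional list; anything else is refused so that a
        'setting' cannot quietly turn into collection the purpose never justified.
        """
        if "collected_fields" in choices:
            extra = frozenset(choices["collected_fields"])
            unknown = extra - OPTIONAL_FIELDS - NECESSARY_FOR_DELIVERY
            if unknown:
                raise ValueError(f"not collectable for this purpose: {sorted(unknown)}")
            choices["collected_fields"] = NECESSARY_FOR_DELIVERY | extra
        return replace(self, **choices)


def collect(record: dict, settings: PrivacySettings) -> dict:
    """Ingestion boundary: fields the settings do not permit are dropped, not stored."""
    return {k: v for k, v in record.items() if k in settings.collected_fields}


def retention_deadline_iso(collected_on_iso: str, settings: PrivacySettings) -> str:
    """Date by which the record must be deleted or anonymised under the current settings."""
    collected_on = date.fromisoformat(collected_on_iso)
    return (collected_on + timedelta(days=settings.retention_days)).isoformat()


def may_publish(settings: PrivacySettings) -> bool:
    """Making data accessible to an indefinite number of persons needs the subject's intervention."""
    return settings.profile_public


# Constructed sample submission containing more than the purpose needs.
SUBMITTED = {
    "name": "A. Example", "postal_address": "1 Example Street", "email": "a@example.invalid",
    "date_of_birth": "1990-01-01", "phone": "+00 000 0000", "browser_fingerprint": "abc123",
}

if __name__ == "__main__":
    defaults = PrivacySettings()
    print(collect(SUBMITTED, defaults))                 # name, postal_address, email only
    widened = defaults.widened_by_user(collected_fields={"phone"}, profile_public=True)
    print(collect(SUBMITTED, widened))                  # adds phone; fingerprint still dropped
    print(may_publish(defaults), may_publish(widened))  # False True
```

Two design points carry the weight: the settings object is immutable, so a widened copy can be audited against the default it came from, and the filter sits at the ingestion boundary, so data the default does not permit never reaches storage in the first place instead of being collected and then hidden.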

3. Application and the Principles

The Guidelines also contain practical guidance on how to effectively implement each of the data protection principles set out in Article 5(1) of the GDPR. These 'key design and default elements' are replicated from the Guidelines in the table at the end of this article and should be read in conjunction with the specific examples set out in the Guidelines.

4. Certification

The Guidelines reiterate that processing operations may be certified for compliance with Article 25 of the GDPR and that this certification may provide added value to a controller when choosing between different processing systems from technology providers. The EDPB also considers that a data protection seal may provide a guide for data subjects in their choice between different goods and services.

5. Next Steps

The consultation on these draft Guidelines will end on 16 January 2020, after which the EDPB will consider any comments provided and update the Guidelines if necessary.

Key design and default elements for each principle

Transparency
  • Clarity – Information shall be in clear and plain language, concise and intelligible.
  • Semantics – Communication shall have a clear meaning to the audience in question.
  • Accessibility – Information shall be easily accessible for the data subject.
  • Contextual – Information shall be provided at the relevant time and in the appropriate form.
  • Relevance – Information shall be relevant and applicable to the specific data subject.
  • Universal design – Information shall be accessible to all, including the use of machine-readable languages to facilitate and automate readability and clarity.
  • Comprehensible – Data subjects shall have a fair understanding of what they can expect with regard to the processing of their personal data, particularly when the data subjects are children or other vulnerable groups.
  • Multi-channel – Information should be provided in different channels and media, beyond the textual, to increase the probability of the information effectively reaching the data subject.

Lawfulness
  • Relevance – The correct legal basis shall be applied to the processing.
  • Differentiation – The controller shall differentiate between the legal basis used for each processing activity.
  • Specified purpose – The appropriate legal basis must be clearly connected to the specific purpose of processing.
  • Necessary – Processing must be necessary for the purpose to be lawful. This is an objective test, which involves an objective assessment of realistic alternatives for achieving the purpose.
  • Autonomy – The data subject should be granted the highest degree of autonomy possible with respect to control over personal data.
  • Consent withdrawal – The processing shall facilitate withdrawal of consent. Withdrawal shall be as easy as giving consent. If not, any consent given is not valid.
  • Balancing of interests – Where legitimate interest is the legal basis, the controller must carry out an objectively weighted balancing of interests. There shall be measures and safeguards to mitigate the negative impact on the data subjects, and the controller should disclose its assessment of the balancing of interests.
  • Predetermination – The legal basis shall be established before the processing takes place.
  • Cessation – If the legal basis ceases to apply, the processing shall cease accordingly.
  • Adjust – If there is a valid change of legal basis for the processing, the actual processing must be adjusted in accordance with the new legal basis.
  • Default configurations – Processing must be limited to what the legal basis strictly gives grounds for.
  • Allocation of responsibility – Whenever joint controllership is envisaged, the parties must apportion their respective responsibilities vis-à-vis the data subject in a clear and transparent way.

Fairness
  • Autonomy – Data subjects shall be granted the highest degree of autonomy possible with respect to control over their personal data.
  • Interaction – Data subjects must be able to communicate with the controller and exercise their rights.
  • Expectation – Processing should correspond with data subjects’ expectations.
  • Non-discrimination – The controller shall not discriminate against data subjects.
  • Non-exploitation – The controller shall not exploit the needs or vulnerabilities of data subjects.
  • Consumer choice – The controller should not “lock in” its users. Whenever a service or a good is personalised or proprietary, it may create a lock-in to the service or good; if this makes it difficult for the data subject to change controllers, that may not be fair.
  • Power balance – Asymmetric power balances shall be avoided or mitigated when possible. Controllers should not transfer the risks of the enterprise to the data subjects.
  • Respect rights and freedoms – The controller must respect the fundamental rights and freedoms of data subjects and implement appropriate measures and safeguards so as not to violate these rights and freedoms.
  • Ethical – The controller should consider the processing’s wider impact on individuals’ rights and dignity.
  • Truthful – The controller must act as it declares it will, account for what it does and not mislead the data subjects.
  • Human intervention – The controller must incorporate qualified human intervention that is capable of uncovering biases that machines may create, in relation to the right not to be subject to automated individual decision-making in Article 22.
  • Fair algorithms – Information shall be provided to data subjects about processing of personal data based on algorithms that analyse or make predictions about them, such as work performance, economic situation, health, personal preferences, reliability or behaviour, location or movements.

Purpose Limitation
  • Predetermination – The legitimate purposes must be determined before the design of the processing.
  • Specificity – The purposes must be specific to the processing and make it explicitly clear why personal data is being processed.
  • Purpose orientation – The purpose of processing should guide the design of the processing and set processing boundaries.
  • Necessity – The purpose determines what personal data is necessary for the processing.
  • Compatibility – Any new purpose must be compatible with the original purpose for which the data was collected and guide relevant changes in design.
  • Limit further processing – The controller should not connect datasets or perform any further processing for new incompatible purposes.
  • Review – The controller must regularly review whether the processing is necessary for the purposes for which the data was collected and test the design against purpose limitation.
  • Technical limitations of reuse – The controller should use technical measures, including hashing and cryptography, to limit the possibility of repurposing personal data.

Data Minimisation
  • Data avoidance – Avoid processing personal data altogether when this is possible for the relevant purpose.
  • Relevance – Personal data shall be relevant to the processing in question, and the controller shall be able to demonstrate this relevance.
  • Necessity – Each personal data element shall be necessary for the specified purposes and should only be processed if it is not possible to fulfil the purpose by other means.
  • Limitation – Limit the amount of personal data collected to what is necessary for the purpose.
  • Aggregation – Use aggregated data when possible.
  • Pseudonymisation – Pseudonymise personal data as soon as it is no longer necessary to have directly identifiable personal data, and store identification keys separately.
  • Anonymisation and deletion – Where personal data is not, or is no longer, necessary for the purpose, it shall be anonymised or deleted.
  • Data flow – The data flow shall be made efficient enough not to create more copies of, or entry points for, data collection than necessary.
  • “State of the art” – The controller should apply available and suitable technologies for data avoidance and minimisation.

Accuracy
  • Data source – Data sources should be reliable in terms of data accuracy.
  • Degree of accuracy – Each personal data element shall be as accurate as necessary for the specified purposes.
  • Measurably accurate – Reduce the number of false positives/negatives.
  • Verification – Depending on the nature of the data, in relation to how often it may change, the controller should verify the correctness of personal data with the data subject before and at different stages of the processing.
  • Erasure/rectification – The controller must erase or rectify inaccurate data without delay.
  • Accumulated errors – Controllers must mitigate the effect of an accumulated error in the processing chain.
  • Access – Data subjects should be given an overview and easy access to personal data in order to control accuracy and rectify as needed.
  • Continued accuracy – Personal data should be accurate at all stages of the processing; tests of accuracy should be carried out at critical steps.
  • Up to date – Personal data shall be updated if necessary for the purpose.
  • Data design – Use of technological and organisational design features to decrease inaccuracy, e.g. drop-down lists with limited values, internal policies, and legal criteria.

Storage Limitation
  • Deletion – The controller must have clear internal procedures for deletion.
  • Automation – Deletion of certain personal data should be automated.
  • Storage criteria – The controller must determine what data and length of storage is necessary for the purpose.
  • Enforcement of retention policies – The controller must enforce internal retention policies and conduct tests of whether the organisation practises its policies.
  • Effectiveness of anonymisation/deletion – The controller shall make sure that it is not possible to re-identify anonymised data or recover deleted data, and should test whether this is possible.
  • Disclose rationale – The controller must be able to justify why the period of storage is necessary for the purpose, and disclose the rationale behind the retention period.
  • Data flow – Controllers must beware of, and seek to limit, “temporary” storage of personal data.
  • Backups/logs – Controllers must determine which personal data and length of storage is necessary for back-ups and logs.

Integrity and Confidentiality
  • Information security management system (ISMS) – Have an operative means of managing policies and procedures for information security. For some controllers, this may be possible with the help of an ISMS.
  • Risk analysis – Assess the risks against the security of personal data and counter identified risks.
  • Resilience – The processing should be robust enough to withstand changes, regulatory demands, incidents and cyber attacks.
  • Access management – Only authorised personnel shall have access to the data necessary for their processing tasks.
  • Secure transfers – Transfers shall be secured against unauthorised access and changes.
  • Secure storage – Data storage shall be secure from unauthorised access and changes.
  • Backups/logs – Keep back-ups and logs to the extent necessary for information security; use audit trails and event monitoring as a routine security control.
  • Special protection – Special categories of personal data should be protected with adequate measures and, when possible, be kept separated from the rest of the personal data.
  • Pseudonymisation – Personal data and back-ups/logs should be pseudonymised as a security measure to minimise the risks of potential data breaches, for example using hashing or encryption.
  • Security incident response management – Have in place routines and procedures to detect, handle, report and learn from data breaches.
  • Personal data breach handling – Integrate management of the notification (to the supervisory authority) and information (to data subjects) obligations in the event of a data breach into security incident management procedures.
  • Maintenance and development – Regularly review and test software to uncover vulnerabilities in the systems supporting the processing.
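Several entries in the table above can be demonstrated together: pseudonymisation with the identification keys stored separately (Data Minimisation and Integrity and Confidentiality), hashing and cryptography as a technical limit on reuse (Purpose Limitation), and automated, tested deletion (Storage Limitation). The following Python example is added here and is not code from the EDPB or from this article; the KeyCustodian component, the record fields, the secret and the sample data are all constructed for the illustration.

```python
"""Pseudonymisation with identification keys held separately, plus automated retention.

Added illustration; not the Guidelines' or the article's code. KeyCustodian, the record
fields and the sample data are constructed for this example.
"""
import hashlib
import hmac
from datetime import date, timedelta
from typing import Optional


class KeyCustodian:
    """Hypothetical separate component that alone holds the pseudonymisation secret and
    the pseudonym-to-identifier table (the "identification keys" kept apart from the data)."""

    def __init__(self, secret: bytes):
        self._secret = secret
        self._lookup: dict = {}

    def pseudonymise(self, identifier: str) -> str:
        # Keyed HMAC rather than a bare hash: without the secret, a pseudonym cannot be
        # recomputed from a guessed identifier, and a different secret per purpose means
        # two datasets cannot be joined on the pseudonym (technical limit on reuse).
        tag = hmac.new(self._secret, identifier.encode("utf-8"), hashlib.sha256).hexdigest()
        self._lookup[tag] = identifier
        return tag

    def reidentify(self, pseudonym: str) -> Optional[str]:
        return self._lookup.get(pseudonym)

    def forget(self, pseudonym: str) -> None:
        """Drop the link; the pseudonymised record is then no longer attributable here."""
        self._lookup.pop(pseudonym, None)


def pseudonymise_records(records: list, custodian: KeyCustodian) -> list:
    """Processing side keeps the pseudonym plus only the fields needed for the purpose."""
    return [
        {"subject": custodian.pseudonymise(r["email"]),
         "collected_on": r["collected_on"],
         "order_total": r["order_total"]}
        for r in records
    ]


def enforce_retention(records: list, custodian: KeyCustodian, today: date, retention_days: int):
    """Automated deletion: records past the retention period are removed and their keys purged,
    so the job both deletes and makes any remaining copies non-attributable."""
    cutoff = today - timedelta(days=retention_days)
    kept, deleted = [], []
    for r in records:
        if date.fromisoformat(r["collected_on"]) < cutoff:
            custodian.forget(r["subject"])
            deleted.append(r["subject"])
        else:
            kept.append(r)
    return kept, deleted


# Constructed sample data; the addresses are not real persons.
SAMPLE = [
    {"email": "a@example.invalid", "collected_on": "2019-09-01", "order_total": 12.5},
    {"email": "b@example.invalid", "collected_on": "2019-11-10", "order_total": 40.0},
]


def demo(today: date = date(2019, 11, 20), retention_days: int = 30):
    """Run the pipeline on SAMPLE; returns what a retention test would inspect."""
    custodian = KeyCustodian(secret=b"constructed-demo-secret")  # a real secret comes from a KMS/HSM
    pseud = pseudonymise_records(SAMPLE, custodian)
    kept, deleted = enforce_retention(pseud, custodian, today, retention_days)
    return pseud, kept, deleted, custodian


if __name__ == "__main__":
    pseud, kept, deleted, custodian = demo()
    print(len(kept), "kept;", len(deleted), "deleted")
    print("re-identify deleted:", custodian.reidentify(deleted[0]))       # None
    print("re-identify kept:", custodian.reidentify(kept[0]["subject"]))  # b@example.invalid
```

The check the Storage Limitation row asks for ("test whether re-identification is possible") is what `reidentify` returning `None` for a purged pseudonym gives you; a retention job that deletes rows but leaves the key table intact would fail that test. Using a keyed HMAC rather than a plain hash matters because e-mail addresses are low-entropy: anyone holding a list of candidate addresses could otherwise recompute the pseudonyms and re-link the dataset without any key at all.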