Privacy by design is one of the pillars of the GDPR, but how shall it be done in practice to comply with it fully? The EDPB guidelines on the topic support the assessment.
The title of one of my previous blog posts was, “The Internet of Things needs privacy by design“. At that time, I meant that in a regulatory environment where it is so uncertain what regulators require with evolving new technologies, such as the IoT, only a privacy by design approach can place a company on the safe foot of GDPR compliance. Indeed, being able to prove to
- have run all the tests and reviews necessary to ensure privacy compliance from the very beginning when a product/service is designed and
- have reached the reasonable conclusion that privacy is adequately protected
is crucial, especially in the light of the accountability principle that puts the burden of proving privacy compliance on the investigated party.
The EDPB guidelines on privacy by design under the GDPR and how they were originated
I updated this blog post following the publication of the guidelines on privacy by design and privacy by default of the European Data Protection Board.
Relevant support in determining the scope of privacy by design principles is given by the principles initially forged by the Ontario data protection authority, which is the father of the privacy by design approach. The EDPB has adopted similar principles in its guidelines. Below is a summary of the topic in my videoblog “Diritto al Digitale” in Italian and a detailed analysis in English:
1. Adopt a privacy by design proactive approach in the identification of privacy issues through appropriate measures
A policy shall be put in place under which
- any IT, marketing or other employee or consultant that is developing any product/service processing personal data within the company or on its behalf shall perform, from the very beginning of the designing of the product/service, a screening of the measures intended to be put in place to ensure privacy compliance, which is usually performed through a standard form attached to the policy;
- such screening shall be subject to an internal review of the same by all the other stakeholders of the company that will use or contribute to it, including the data protection officer or, in its absence, the internal/external privacy expert; and
- the review will escalate into a privacy impact assessment if the product/service is expected to pose high risks for the privacy of individuals or falls within the categories for which the PIA is required under the GDPR and
- if it appears that the processing through the product/service would result in a high risk in the absence of measures taken to mitigate it, a prior consultation with the competent data protection authority.
The above procedure shall be part of the company accountability policy which shall be outlined to employees and consultants through an ad hoc training or e-learning programs with final tests to be repeated at least yearly. This is to ensure that they are “educated” to ensure privacy compliance.
2. Embed privacy into the design
The same internal data protection policy referred above shall outline the requirements to be followed in the design of products/services from the very beginning, avoiding the frequent scenario where privacy compliance is reviewed only a few days before the launch when no change is possible. As mentioned above, this policy shall be notified to and accepted by employees/consultants that shall be educated to comply with it.
The European Data Protection Board emphasized that the adopted measures shall be “appropriate“, meaning that
they must be suited to achieve the intended purpose, i.e. they must be fit to implement the data protection principles effectively by reducing the risks of infringing the rights and freedoms of data subjects.
Controllers must be able to demonstrate that they have implemented dedicated measures to protect these GDPR principles and that they have integrated specific safeguards that are necessary to secure the rights and freedoms of data subjects. It is, therefore, not enough to implement generic measures solely to document DPbDD-compliance; each implemented measure must have an actual effect.
The appropriateness of adopted measures can be demonstrated through key indicators that can be qualitative, quantitative or providing the rationale behind the assessment of the effectiveness of the chosen measures and safeguards. This last choice is, in my view, the most effective since other indicators can be challenged if not justified. Such an assessment shall consider, among others,
- the “state of the art” to be considered during the whole lifetime of the data processing activity, rather than just at the time of the launch;
- the “cost of implementation” in the sense that the controller must manage the costs to be able to effectively implement all of the GDPR principles, while incapacity to bear the costs is no excuse for non-compliance with the GDPR. At the same time, spending more on technology does not trigger per se the implementation of more effective solutions;
- the “nature, scope, context and purpose of processing“; and
- the risks on the rights of affected individuals.
3. Implement an end-to-end security system
Adequate security measures shall be put in order to ensure security during the whole lifecycle of products/services. This aspect requires not only the ability to remotely update devices but also to guarantee that when a product is dismissed all the data stored on that is deleted with no possibility for anyone to access it. The matter is particularly relevant in the light of the obligations applicable in case of a data breach under the GDPR.
The reason of such principle is the privacy by design does not apply only during the initial design of the product/service, but during its entire life, with reference to updates/upgrades and events that impact its functioning.
4. Ensure visibility and transparency
Full transparency shall be guaranteed as to the modalities of the processing of personal data through products/services. This aspect is due also to the higher level of detail of information that the privacy information notice to be provided to users shall contain. In particular, the term of storage of data shall be indicated therein, and organization and technical measures ensuring that it is complied with shall be put in place.
5. Privacy shall be set by default
Products/services shall be set by default in a manner ensuring the minimum level of sharing of personal data, leaving to the free decision of customers to decide whether a more significant amount of data shall be shared.
This obligation requires to comply with also the “data minimisation” principle under which no more data than necessary to achieve a purpose shall be processed and the obligation to pseudonymize data to guarantee their security and is one of the backbones of GDPR principles.
And such a matter is relevant, according to the EDPB, also with reference to the technical and organizational measures to be implemented that shall be appropriate to ensure that only personal data that are necessary for each specific purpose of processing are being processed.
The privacy by default principle impacts
- the “amount of personal data collected” which refers not only to the volume of personal data, but also to the types, categories, and level of detail of personal data;
- the “extent of their processing” with no extension to compatible purposes based on a mere reasonable expectation from data subjects;
- the “period of their storage” with any retention that should be objectively justifiable and demonstrable by the data controller in an accountable way. Once the retention cannot be justified, data shall be deleted or anonymized;
- “their accessibility” that shall be assessed based on the principle of necessity, with the possibility to extend the access to personal data in case of critical situations.
6. Keep a user-centric approach
Users shall remain in full control of their data which requires that no implied consent is allowed and that they can easily decide and change the amount of personal data they want to disclose, also easily exercising their right of access, of being forgotten and their GDPR data portability right.
The key data protection by design elements according to the EDPB
The European Data Protection Board provides a list of key data protection by design elements for each of the principles of the GDPR that can be summarized as follows:
- lawfulness: the controller shall identify a valid legal basis for the processing of personal data. Every data processing activity shall be linked to the appropriate legal basis of the data processing and the specified purpose of the data processing. This aspect is particularly relevant for data processing operations based on legitimate interest for which no balancing test, or any assessment, is often performed;
- fairness: this principle requires that personal data shall not be processed in a way that is detrimental, discriminatory, unexpected, or misleading to the data subject. And for instance, it is not possible to structure a data processing operation so that individuals are forced to share more data or have limitations in the exercise of their privacy rights;
- purpose limitation: the controller shall collect data for specified, explicit and legitimate purposes, and not further process data in a manner that is incompatible with the purposes for which they are collected;
- data minimization: processed personal data shall be adequate, relevant, and limited to what is relevant for the purposes of the data processing. Such a principle can also refer to the degree of identification, with identifiable data used only when necessary for the purposes of the processing;
- accuracy: data shall be accurate and kept up to date;
- storage limitation: data shall be deleted or anonymized when their retention is no longer justified by the purposes of the data processing;
- integrity and confidentiality: the security of personal data shall both prevent data breaches and enable the exercise of privacy rights.
You can review a presentation summarizing the privacy by design principles below