The European Data Protection Board (the “EDPB”) recently adopted Guidelines on Article 25 Data Protection by Design and Default (4/2019). In the Guidelines, the EDPB focuses on the core obligations of data protection by design and default under Article 25 of the GDPR, such as the effective implementation of the data protection principles and of the rights of data subjects. Controllers shall implement appropriate technical and organisational measures and the necessary safeguards, designed to ensure data protection.
One of the main questions regarding the concept of data protection by design and default is the matter of “effectiveness”. The controller must be able to demonstrate not only the implemented measures, but also their effectiveness. To demonstrate compliance, the EDPB suggests that the controller set up key performance indicators. Such indicators may include metrics, which can be either quantitative (e.g. level of risk and reduction of complaints) or qualitative (e.g. grading scales and expert assessments). The elements mentioned in Article 25 GDPR (state of the art, costs and scope of the processing, etc.) shall be included in the assessment of whether or not the measures are compliant with the GDPR.
Even though data protection by design and default is a well-known concept nowadays, it may appear complicated to apply in practice. The newly adopted Guidelines will help businesses to fully comply with the requirements. The Guidelines are now open for public consultation until the 16th of January 2020.
The Guidelines can be found here.
If you would like to know more about data protection by design and default or need assistance with data protection legislation in general, please reach out to Alexander Berger, head of Data Privacy.