EU: EDPB's draft guidelines on Privacy by Design and by Default
On 13 November 2019, the European Data Protection Board ('EDPB') published its draft Guidelines 4/2019 on Article 25: Data Protection by Design and by Default ('the Guidelines'). The Guidelines aim to advise on how best to implement the principles of Privacy by Design and by Default, as set out in Article 25 of the General Data Protection Regulation (Regulation (EU) 2016/679) ('GDPR'), and what implementing Privacy by Design and by Default means in practice for organisations collecting and processing personal data. Odia Kagan, Partner and Chair of GDPR Compliance & International Privacy at Fox Rothschild LLP, discusses the content of the Guidelines and how they can best be implemented within organisations.
Who is obligated?
Privacy by Design and by Default is a requirement for all controllers, independent of their size, including small local associations and multinational companies alike. The complexity of implementing Privacy by Design and by Default will vary based on the individual processing operation.
Privacy by Design and by Default: What is it?
The principles of Privacy by Design and by Default are set forth in Article 25 of the GDPR and consist of the core obligation to effectively implement the data protection principles and data subjects' rights and freedoms by design and by default.
Therefore, it is required that controllers implement appropriate technical and organisational measures and necessary safeguards, designed to implement data protection principles in an effective manner and to protect the rights and freedoms of data subjects.
Controllers must have data protection designed into and as a default setting in the processing of personal data and be able to demonstrate the effectiveness of the implemented measures.
The measures must be fit to implement the data protection principles effectively by reducing the risks of infringing the rights and freedoms of data subjects.
Safeguards are a second tier after measures. They are necessary to ensure the effectiveness of the implementation of data protection principles throughout the lifecycle of the personal data being processed.
Article 25 of the GDPR does not oblige controllers to implement any prescribed technical and organisational measures or safeguards, as long as the chosen measures and safeguards are in fact appropriate for implementing data protection into the processing. Measures and safeguards should be designed to be robust and to scale up in line with any increase in the risk of non-compliance with the principles.
When must you assess?
Controllers must implement measures and safeguards designed to effectively implement the data protection principles at the time of determining the means of processing. At the time of processing itself, the controller must regularly review the effectiveness of the chosen measures and safeguards.
What do you take into account when implementing?
- State of the art:
- controllers must have knowledge of, and stay up to date on, advances in technological and organisational measures, how technology can present data protection risks to the processing operation, and how to implement the measures and safeguards that secure effective implementation of the principles and rights of data subjects in the face of the technological landscape; and
- where existing standards and certifications exist - controllers should take these into account;
- Cost of implementation:
- controllers shall plan for and expend the costs (in terms of money or economic advantage, but also resources in general, including time and human resources) necessary for the effective implementation of all of the principles; and
- incapacity to bear the costs is no excuse for non-compliance with the GDPR. At the same time, effective implementation of the principles need not lead to higher costs;
- Nature, scope, context, and purpose of processing:
- nature: the inherent characteristics of the processing;
- scope: size and range of the processing;
- context: relates to the circumstances of the processing, which may influence the expectations of the data subject; and
- purpose: pertains to the aims of the processing; and
- Risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.
Privacy by Default
- Collect only what you need: Organisational measures supporting processing operations should be designed to process, at the outset, only the minimum amount of personal data necessary for the specific operations. This should be particularly considered when allocating data access to staff with different roles.
- Protect it: Information security shall always be a default for all systems, transfers, solutions, and options when processing personal data.
- Process only as needed: Processing operations performed on personal data should be limited to what is necessary.
- Retain only for as long as needed:
- any retention should be objectively justifiable and demonstrable by the data controller in an accountable way, and if personal data is not needed after its first processing, then it shall by default be deleted or anonymised; and
- anonymisation of personal data is an alternative to deletion, provided that all the relevant contextual elements are taken into account and the likelihood and severity of the risk, including the risk of re-identification, is regularly assessed.
- Limit access:
- you must limit who can have access to personal data based on an assessment of necessity, and also make sure that personal data is in fact accessible to those who need it when necessary, for example in critical situations;
- the controller is obligated not to make the personal data unduly accessible in the first place. This can be done using technical tools and protocols that prevent search engines from indexing the data, such as 'robots.txt' files. These should be respected by recipient controllers even though they are not binding; and
- even in the event that personal data is made available publicly with the permission and understanding of a data subject, it does not mean that any other controller with access to the personal data may freely process it themselves, for their own purposes – they must have a separate legal basis.
What are the design and default elements for each data protection principle?
Transparency
- Clarity: clear and plain language, concise and intelligible;
- semantics: clear meaning to the audience in question;
- accessibility: easily accessible for the data subject (e.g. drop-down menus and hyperlinks);
- contextual: at the relevant time and in the appropriate form:
- no more than one click away from accessing information; and
- use pop-ups and hover overs;
- relevance: relevant and applicable to the specific data subject;
- universal design: accessible to all, including the use of machine-readable languages to facilitate and automate readability and clarity;
- comprehensible: fair understanding of what can be expected with regards to the processing, particularly for children or other vulnerable groups; and
- multi-channel: different channels and media, beyond the textual.
Lawfulness
- Relevance: use of the correct legal basis;
- differentiation: differentiate between the legal basis used for each processing;
- specified purpose: appropriate legal basis clearly connected to the specific purpose of processing;
- necessary: processing must be necessary for the purpose;
- autonomy: the data subject should be granted the highest degree of autonomy as possible with respect to control over personal data;
- consent withdrawal: data subject should easily know what they consented to and withdrawal should be as easy as giving consent;
- balancing of interests: where legitimate interests is the legal basis, carry out an objectively weighted balancing of interests; and
- legal basis: establish the legal basis before the processing takes place. If the legal basis ceases to apply, cease the processing.
Fairness
- Autonomy: grant the data subjects the highest degree of autonomy possible with respect to control over their personal data. Do not make it hard to avoid data sharing or to adjust privacy settings;
- interaction: data subjects must be able to communicate and exercise their rights with the controller;
- expectation: processing should correspond with data subjects' expectations;
- non-discrimination: do not discriminate against data subjects;
- non-exploitation: do not exploit the needs or vulnerabilities of data subjects;
- consumer choice: do not 'lock in' users;
- power balance: avoid or mitigate asymmetric power balances;
- respect rights and freedoms: respect the fundamental rights and freedoms of data subjects;
- ethical: see the processing's wider impact on individuals' rights and dignity;
- truthful: act as you declare to do and do not mislead data subjects;
- human intervention: incorporate qualified human intervention capable of detecting and correcting biases that machines may create; and
- fair algorithms: provide information about the processing of personal data based on algorithms that analyse or make predictions about data subjects, such as work performance, economic situation, health, personal preferences, reliability or behaviour, and location or movements.
Purpose limitation
- Predetermination: determine the legitimate purposes before designing the processing;
- specificity: specify the purpose of each processing;
- purpose orientation: the purpose of the processing should guide the design of the processing and set processing boundaries;
- necessity: the purpose of the processing determines what personal data is necessary for the processing;
- compatibility: any new purpose must be compatible with the original purpose for which the data was collected and guide relevant changes in design;
- limit further processing: do not connect datasets or perform any further processing for new incompatible purposes;
- review: regularly review whether the processing is necessary for the purposes for which the data was collected and test the design against purpose limitation; and
- technical limitations of reuse: use technical measures, including hashing and cryptography, to limit the possibility of repurposing personal data.
Data minimisation
- Data avoidance: avoid processing personal data altogether when this is possible for the relevant purpose;
- limitation: limit the amount of personal data collected to what is necessary for the purpose;
- necessity: data is not necessary if it is not possible to fulfil the purpose by other means;
- relevance: be able to demonstrate the relevance of the data to the processing in question;
- aggregation: use aggregated data when possible;
- pseudonymisation: pseudonymise personal data as soon as it is no longer necessary to have directly identifiable personal data, and store identification keys separately:
- if names are not necessary, replace them with pseudonyms, and rotate the pseudonymisation keys frequently; and
- if precise locations/addresses are not required - macro areas should be considered;
- anonymisation and deletion: where personal data is not, or no longer necessary for the purpose, anonymise or delete it;
- data flow: the data flow shall be made efficient enough to not create more copies, or entry points for data collection than necessary; and
- 'state of the art:' apply available and suitable technologies for data avoidance and minimisation.
Accuracy
- Data source: data sources should be reliable in terms of data accuracy;
- degree of accuracy: each personal data element shall be as accurate as necessary for the specified purposes;
- measurably accurate: reduce the number of false positives/negatives;
- verification: depending on the nature of the data, in relation to how often it may change, verify the correctness of personal data with the data subject before and at different stages of the processing;
- erasure/rectification: erase or rectify inaccurate data without delay;
- accumulated errors: mitigate the effect of an accumulated error in the processing chain;
- access: give data subject an overview and easy access to personal data in order to control accuracy and rectify as needed;
- continued accuracy: personal data should be accurate at all stages of the processing, tests of accuracy should be carried out at critical steps;
- up to date: personal data must be updated if necessary for the purpose; and
- data design: use of technological and organisational design features to decrease inaccuracy, e.g. drop-down lists with limited values, internal policies, and legal criteria.
Storage limitation
- Deletion: have clear internal procedures for deletion;
- automation: the deletion of certain personal data should be automated;
- storage criteria: determine what data, and what length of storage, is necessary for the purpose; the controller must know what personal data is processed and why;
- enforcement of retention policies: enforce internal retention policies and conduct tests of whether the organisation practices its policies;
- effectiveness of anonymisation/deletion: make sure that it is not possible to re-identify anonymised data or recover deleted data, testing whether this is possible;
- disclose rationale: be able to justify why the period of storage is necessary for the purpose, and disclose the rationale behind the retention period;
- data flow: beware of and seek to limit 'temporary' storage of personal data; and
- backups/logs: determine which personal data and length of storage is necessary for back-ups and logs.
Integrity, confidentiality, and availability
- Information security management system ('ISMS'): have an operative means of managing policies and procedures for information security. For some controllers, this may be possible with the help of an ISMS;
- risk analysis: assess the risks against the security of personal data and counter identified risks;
- resilience: the processing should be robust enough to withstand changes, regulatory demands, incidents, and cyber attacks;
- access management: only authorised personnel shall have access to the data necessary for their processing tasks;
- secure transfers: transfers shall be secured against unauthorised access and changes;
- secure storage: data storage shall be secure from unauthorised access and changes;
- backups/logs: keep back-ups and logs to the extent necessary for information security, use audit trails and event monitoring as a routine security control;
- special protection: special categories of personal data should be protected with adequate measures and, when possible, be kept separated from the rest of the personal data;
- pseudonymisation: personal data and back-ups/logs should be pseudonymised as a security measure to minimise risks of potential data breaches, for example using hashing or encryption;
- security incident response management: have in place routines and procedures to detect, handle, report, and learn from data breaches;
- personal data breach handling: integrate management of notification (to the supervisory authority) and information (to data subjects) obligations in the event of a data breach into security incident management procedures; and
- maintenance and development: regularly review and test software to uncover vulnerabilities of the systems supporting the processing.
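The pseudonymisation items above (keys stored separately and rotated, macro areas instead of precise addresses, technical limits on reuse via hashing and cryptography, and pseudonymised logs and backups as a security measure) are easier to reason about with a concrete implementation. The following is an added example, not code from the Guidelines or from the author; it assumes keyed HMAC-SHA256 as the pseudonymisation function, an in-memory `KeyStore` standing in for a KMS or HSM, a UK-style postcode rule for the macro area, and constructed sample records and log lines. It also shows why an unkeyed hash of an identifier is not an adequate pseudonymisation measure, and how retiring a key makes old pseudonyms unlinkable to identities.

```python
"""Pseudonymisation with separately stored, rotatable keys (added example)."""
import hashlib
import hmac
import re
import secrets

# Constructed pattern for e-mail addresses appearing in log lines.
EMAIL_RE = re.compile(r"[\w.+-]+@[\w-]+\.[\w.-]+")


class KeyStore:
    """Stands in for a KMS/HSM (assumption): pseudonymisation keys live here,
    never alongside the pseudonymised records, and each key has an id."""

    def __init__(self):
        self._keys = {}
        self.current = None

    def rotate(self):
        """Generate a fresh 256-bit key and make it current; older keys remain
        until explicitly retired so existing pseudonyms can still be resolved."""
        kid = "k%d" % (len(self._keys) + 1)
        self._keys[kid] = secrets.token_bytes(32)
        self.current = kid
        return kid

    def key(self, kid):
        return self._keys[kid]

    def has(self, kid):
        return kid in self._keys

    def retire(self, kid):
        """Destroying a key makes every pseudonym derived under it unlinkable."""
        del self._keys[kid]


def pseudonym(identifier, key):
    """Deterministic keyed pseudonym (HMAC-SHA256, truncated to 64 bits).
    The same identifier maps to the same pseudonym under one key, so records
    can still be joined, but nobody without the key can recompute or reverse it."""
    return hmac.new(key, identifier.lower().encode(), hashlib.sha256).hexdigest()[:16]


def macro_area(postcode):
    """Generalise a precise postcode to its outward part (UK-style, assumption)."""
    return postcode.split()[0].upper()


def pseudonymise_record(record, store):
    """Copy of a record with direct identifiers removed; the pseudonym is tagged
    with the key id so the controller knows which key (if any) can resolve it."""
    kid = store.current
    return {
        "subject": "%s:%s" % (kid, pseudonym(record["email"], store.key(kid))),
        "area": macro_area(record["postcode"]),
        "plan": record["plan"],
    }


def pseudonymise_log_line(line, store):
    """Replace e-mail addresses in a log line before the line is retained."""
    kid = store.current
    key = store.key(kid)
    return EMAIL_RE.sub(lambda m: "%s:%s" % (kid, pseudonym(m.group(0), key)), line)


def relink(tagged, candidates, store):
    """Resolve a tagged pseudonym by recomputing it over candidate identifiers.
    Only possible while the key is still held; returns None once it is retired."""
    kid, value = tagged.split(":", 1)
    if not store.has(kid):
        return None
    for candidate in candidates:
        if hmac.compare_digest(pseudonym(candidate, store.key(kid)), value):
            return candidate
    return None


def unkeyed_hash_is_guessable(identifier, candidates):
    """A plain SHA-256 of an identifier is recovered by anyone with a candidate
    list, which is why the keyed construction above is used instead."""
    target = hashlib.sha256(identifier.encode()).hexdigest()
    return any(hashlib.sha256(c.encode()).hexdigest() == target for c in candidates)


if __name__ == "__main__":
    # Constructed sample data.
    store = KeyStore()
    first_key = store.rotate()
    record = {"email": "alice@example.com", "postcode": "SW1A 1AA", "plan": "pro"}
    print(pseudonymise_record(record, store))
    print(pseudonymise_log_line("GET /account user=Alice@Example.com 200", store))
    store.rotate()               # new datasets now use k2: not linkable to k1 output
    store.retire(first_key)      # old pseudonyms can no longer be resolved
    print(relink("%s:deadbeefdeadbeef" % first_key, ["alice@example.com"], store))
```

Tagging each pseudonym with its key id is what makes the rotation and retention policy enforceable: a dataset whose key has been retired is effectively anonymised with respect to the controller's own key store, while a dataset under a live key can still be resolved for a data subject's access request.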
Odia Kagan Partner and Chair of GDPR Compliance & International Privacy
Fox Rothschild LLP, Philadelphia