Almost four years after the adoption of the EU General Data Protection Regulation (Regulation (EU) 2016/679, the GDPR) and two years after it started to apply, the GDPR still raises many questions about how best to implement its requirements.
This is certainly the case for two concepts the GDPR wrote into law: data protection by design and data protection by default.
Article 25 of the GDPR sets out what seem to be straightforward requirements in this field, namely to implement appropriate technical and organizational measures that are meant to:
- for data protection by design:
  - implement the data protection principles set out in Article 5 of the GDPR (lawfulness, fairness and transparency; purpose limitation; data minimization; accuracy; storage limitation; integrity and confidentiality) and
  - integrate the necessary safeguards into the processing in order to meet the GDPR's requirements and protect the rights of data subjects;
- for data protection by default:
  - ensure that, by default, only personal data that are necessary for each specific purpose of the processing are processed.
These concepts, set out in Article 25 of the GDPR in somewhat layered wording, drive one point squarely home: data protection is not an abstract notion. Hence, companies should not dissociate their data protection compliance effort from the actual context in which they use personal data.
The focus of the requirements seems to be on the "means" used to process personal data, but in reality the means are only half the story. The real aim of these provisions is to ensure that, when designing and implementing specific means (e.g., applications, services, products) for processing personal data, controllers do not lose sight of the general data protection principles set out in Article 5 of the GDPR. Recital 78 of the GDPR puts express emphasis on this when it provides that: "[w]hen developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations."
While deconstructing the concepts of data protection by design and data protection by default was for many a challenging, albeit theoretical, exercise in the beginning, in Romania it quickly became a more pressing and practical need once the Romanian DPA (the National Authority for the Supervision of Personal Data Processing) announced its first GDPR fine, applied in June 2019. In doing so, the Romanian DPA became one of the first authorities to enforce the data protection by design and data protection by default requirements set out in Art. 25 of the GDPR. The issue at hand was a financial institution's failure to properly implement data minimization when providing access to transaction documents through its online solution, which led to the disclosure of potentially sensitive information (e.g., the payer's personal numeric code and address) in the context of online transactions: fields that the recipient of a payment had no need to see were released to them by default.
Since then, data protection by design and data protection by default have remained a focus for the Romanian DPA, whose representatives bring up these concepts in discussions on various GDPR topics, such as data security, data retention and deletion, and user access management approaches.
The need to balance technology-driven solutions with data protection compliance is even more evident these days when both states and private entities race to find solutions to manage the impact of the COVID-19 pandemic.
Nobody questions that the current situation needs urgent solutions, and technology helps shorten the time needed to identify and implement them. Nevertheless, moving fast should not mean cutting corners, especially when dealing with individuals' personal data. Recent examples emphasize this more than ever.
At the end of April 2020, a Dutch government COVID-19 alert app suffered a personal data breach almost at the same time as its launch. The problem: publishing its source code online for the government's shortlisting process led to the unauthorized disclosure of approximately 200 names, e-mail addresses and hashed user passwords belonging to another project. The lesson for any team under time pressure is that publishing a repository releases everything it contains, not only the code, so what is shared has to be reviewed before it is made public.
By comparison, on 26 April 2020, the French DPA (the CNIL) issued its opinion on another contact-tracing app (StopCovid), which relies on Bluetooth technology. In giving a positive endorsement for the use of the StopCovid app, the CNIL emphasized that its conclusions were based, among other things, on the fact that the app complied with the data protection by design requirement: it uses pseudonyms and does not allow lists of infected persons to be reconstructed.
Moving forward, anyone aiming to achieve both an efficient response in limiting the pandemic and protection of fundamental rights and freedoms can now also rely on the specific clarifications set out in the recently adopted EDPB guidelines on the use of location data and contact tracing tools in the context of the COVID-19 outbreak.
Companies should be aware of the focus of the Romanian DPA on data protection by design and data protection by default, as this will allow them to better calibrate their data protection compliance effort.
But what needs to be done in practice? The EDPB guidelines on data protection by design and by default, adopted in November 2019, may be a useful starting point in figuring that out.
Concisely, controllers may consider the following actions:
- before developing a project which involves the use of personal data:
- include the organization’s DPO or privacy professional in the project development phase;
- determine the nature, scope, context and purposes of the processing, as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing – normally via data protection impact or similar assessments;
- data protection by design is not a one-size-fits-all requirement: the same GDPR obligations may be met by different measures depending on the elements above. The challenge is to connect the dots, namely to show how the project, in the form designed to meet the business need, also meets the requirements that follow from the processing details;
- plan the budget so as to manage the costs to be able to effectively implement all GDPR principles;
- data protection by design may be scaled considering the cost of implementation, hence covering this element from the beginning will help companies explain, if needed, why a specific solution (with related costs) was considered or not;
- take into account the existing standards and certifications (if the case) in the design and implementation of data protection measures;
- all projects need to meet the "state of the art" threshold. So, when a company considers a technical solution for the project, it needs to know what is already in use in the field;
- if software solutions or apps are acquired from third-party vendors, ensure that the procurement assessment covers how the solution/app meets data protection by design and which features are embedded for data protection by default;
- a mere confirmation from the vendor that the data protection by design and data protection by default requirements are met is not sufficient; companies acquiring the solution/app should identify (and document!) which features of the solution/app they consider relevant for meeting the data protection by design and by default requirements;
- when using third-party or off-the-shelf software, switch off (and ship switched off by default) the functions for which the company has no justification for processing the personal data or which are not compatible with the intended purpose, and record why each remaining function is needed;
- train the personnel on how to handle customer data;
- implement a malware detection system on the computer network or storage system, in addition to training employees about phishing and basic "cyber hygiene";
- during the execution of the project, ensure the implementation of the key design and default elements, as defined by the EDPB (for more details, see the detailed checklist based on the EDPB guidance on privacy by design and by default);
- after the project is deployed:
- document key performance indicators, including both quantitative metrics (e.g., level of risk, reduction in complaints) and qualitative metrics (e.g., performance evaluations, use of grading scales), to demonstrate the effectiveness of the implemented measures;
- keep up to date with the technological progress relevant to the continuous evolution of the "state of the art";
- re-evaluate the processing operations (nature, scope and context of the processing) through regular reviews and assessments of the effectiveness of the chosen measures and safeguards;
- regularly assess the likelihood and severity of the risks, including the risk of re-identification when using anonymization as an alternative to deletion of data that are no longer necessary.
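The data minimization points above (process only what each specific purpose needs, and switch off by default what is not justified) translate directly into code. The following is an added example written for this article, not code from the article, from the Romanian DPA decision or from any real bank. It assumes a hypothetical online-banking back end that stores a payment record as a dictionary and renders "transaction documents" for different audiences, or purposes. The release policy states, per purpose, which fields may leave the system and in what form; any purpose or field not listed is withheld, so the default is the most restrictive setting, and the payer's personal numeric code (CNP) is shown in clear only to the payer. Field names, purposes and the sample record are all constructed for the example.

```python
"""Data minimization by default for a transaction document (added example)."""
from enum import Enum
from typing import Dict, Mapping, Set


class Treatment(Enum):
    FULL = "full"      # release the stored value as is
    MASKED = "masked"  # release a redacted form only


# Purpose -> field -> treatment. Anything not listed is withheld (deny by default).
# The purposes and field names are assumptions made for this example.
RELEASE_POLICY: Mapping[str, Mapping[str, Treatment]] = {
    # A payee needs to recognise the payment, not to learn where the payer lives.
    "payee_receipt": {
        "transaction_id": Treatment.FULL,
        "amount": Treatment.FULL,
        "currency": Treatment.FULL,
        "booked_on": Treatment.FULL,
        "payer_name": Treatment.FULL,
    },
    # Support staff verify identity against the last digits of the CNP only.
    "support_desk": {
        "transaction_id": Treatment.FULL,
        "amount": Treatment.FULL,
        "currency": Treatment.FULL,
        "booked_on": Treatment.FULL,
        "payer_name": Treatment.FULL,
        "payer_cnp": Treatment.MASKED,
    },
    # The payer sees their own record in full.
    "payer_statement": {
        "transaction_id": Treatment.FULL,
        "amount": Treatment.FULL,
        "currency": Treatment.FULL,
        "booked_on": Treatment.FULL,
        "payer_name": Treatment.FULL,
        "payer_address": Treatment.FULL,
        "payer_cnp": Treatment.FULL,
        "payee_name": Treatment.FULL,
    },
}


def _mask_cnp(value: str) -> str:
    """Keep only the last four digits of a 13-digit CNP; the rest (which encodes
    birth date and sex) is replaced with asterisks."""
    digits = "".join(ch for ch in value if ch.isdigit())
    if len(digits) != 13:
        raise ValueError("CNP must consist of 13 digits")
    return "*" * 9 + digits[-4:]


# Field -> redaction function used for Treatment.MASKED.
MASKERS = {"payer_cnp": _mask_cnp}


def release(record: Mapping[str, str], purpose: str) -> Dict[str, str]:
    """Return only the fields the policy allows for `purpose`, in the allowed form.

    Fails closed: an unknown purpose raises instead of falling back to the
    full record, and a MASKED field with no masker raises instead of leaking.
    """
    try:
        policy = RELEASE_POLICY[purpose]
    except KeyError:
        raise PermissionError(f"no release policy for purpose {purpose!r}") from None

    out: Dict[str, str] = {}
    for field, treatment in policy.items():
        if field not in record:
            continue  # the policy may list fields this particular record lacks
        value = record[field]
        if treatment is Treatment.MASKED:
            masker = MASKERS.get(field)
            if masker is None:
                raise ValueError(f"no masker defined for field {field!r}")
            value = masker(value)
        out[field] = value
    return out


def withheld(record: Mapping[str, str], purpose: str) -> Set[str]:
    """Fields present in the record that `purpose` does not release; useful for
    documenting the minimization decision, as the checklist asks for."""
    return set(record) - set(release(record, purpose))


# Constructed sample record; not real data.
SAMPLE = {
    "transaction_id": "TX-0001",
    "amount": "250.00",
    "currency": "RON",
    "booked_on": "2019-05-14",
    "payer_name": "A. Popescu",
    "payer_address": "Str. Exemplu 1, Bucuresti",
    "payer_cnp": "1234567890123",
    "payee_name": "B. Ionescu",
}

if __name__ == "__main__":
    for purpose in RELEASE_POLICY:
        print(purpose, release(SAMPLE, purpose), "withheld:", sorted(withheld(SAMPLE, purpose)))
```

The design choice worth noting is the direction of the default: the policy lists what may be released, never what must be hidden, so a field added to the record later (or a purpose nobody thought about) is withheld until someone justifies releasing it. That is the behaviour Article 25(2) describes, and the output of `withheld` is the documentation the checklist asks a controller to keep.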
Meeting all the above requirements may seem a daunting task. However, if companies ensure that data protection is integrated as a key element from the project development phase, rather than an add-on addressed close to the launch of new solutions, they will find that data protection compliance is not an impossible goal and that it may actually improve the consumer-friendly features of their products and services.
And remember: data protection compliance is a constant requirement; how you go about achieving it makes the difference.