On 13 November 2019, the European Data Protection Board (“EDPB”) adopted its draft Guidelines 4/2019 on Article 25 – Data Protection by Design and by Default (“DPbDD”) (the “Guidelines”). The Guidelines are currently open for public consultation (20 November 2019 – 16 January 2020) before finalization.
Why are the Guidelines relevant and what value do they add for the relevant players?
Firstly, the Guidelines bring useful general guidance on the main concepts and their interplay. For example, the concept of the “efficiency” of the implementation of the data protection principles is put at the core of the DPbDD, meaning that each implemented technical and organizational measure and safeguard must have an actual effect, and that controllers are expected to be able to demonstrate that effect (for example, by relevant key performance indicators, such as a reduction in complaints from data subjects or a reduction in the response time to data subjects’ requests).
Secondly, the Guidelines offer practical guidance on how to effectively implement the DP principles. In this regard, they (i) list examples of key design and default elements, and (ii) discuss practical cases for illustration.
Thirdly, the Guidelines stress the importance of certification. This means that when a controller has been awarded a certification, the supervisory authorities will take this into account in their overall assessment of compliance (for example, for IT products and IT-based services, there is a European Privacy Seal provided by the EuroPriSe Certification Authority).
Lastly, the Guidelines provide recommendations on how controllers, processors and technology providers can cooperate to achieve DPbDD and, also, on how DPbDD can be used as a competitive advantage by the technology providers.
Note that while the Guidelines focus on controllers’ implementation of the DPbDD, Recital 78 GDPR recognizes processors and technology providers as key enablers for DPbDD. Therefore, the EDPB recommends that technology providers in particular consider the following:
– support controllers in complying with DPbDD;
– be able to demonstrate accountability on how they have complied with DPbDD (e.g. by using KPIs);
– play an active role in ensuring that criteria for the “state of the art” are met;
– keep in mind that costs of implementation must be taken into account in the design process; and, very importantly
– take the opportunity to use DPbDD as a competitive advantage in the market.