GDPR Privacy by Design

“Privacy by Design” and “Privacy by Default” have been frequently discussed topics related to data protection. The first thoughts on “Privacy by Design” were expressed in the 1970s and were incorporated in the 1990s into the RL 95/46/EC data protection directive. According to recital 46 of this Directive, technical and organisational measures (TOM) must be taken already at the time of planning a processing system in order to protect data security.

The term “Privacy by Design” means nothing more than “data protection through technology design.” Behind this is the idea that data protection in data processing procedures is best adhered to when it is already integrated into the technology at the time it is created. Nevertheless, there is still uncertainty about what “Privacy by Design” means and how it can be implemented. This is due, on the one hand, to incomplete implementation of the Directive in some Member States and, on the other hand, to the fact that the “Privacy by Design” principle in the General Data Protection Regulation follows the current approach of the data protection guidelines, which requires the persons responsible to define the means of processing and the corresponding TOMs already at the time these are determined, in order to fulfil the basics and requirements of “Privacy by Design”. The legislation leaves completely open which exact protective measures are to be taken. As an example, only pseudonymisation is named; recital 78 of the regulation gives no more detail. At least in other parts of the law, encryption and the anonymisation of data are named as possible protective measures. Furthermore, user authentication and the technical implementation of the right to object must be considered. In addition, when selecting precautions, other standards, such as ISO standards, can be used. When selecting measures in an individual case, one must ensure that the state of the art as well as reasonable implementation costs are taken into account.

In addition to the named criteria, the type, scope, circumstances and purpose of the processing must be considered. These must be weighed against the varying probability of occurrence and the severity of the risks connected with the processing. The text of the law leads one to conclude that several protective measures must often be used together to satisfy the statutory requirements. In practice, this assessment is already performed in an early development phase, when technology decisions are made. Recognised certification can serve as an indicator to the authorities that the persons responsible have complied with the statutory requirements of “Privacy by Design”.

Suitable GDPR articles

Art. 25 GDPR Data protection by design and by default

Suitable Recitals

(78) Appropriate Technical and Organisational Measures

External Links

Authorities

Data Protection Authority UK ► Data protection by design and default

Data Protection Authority Germany ► Data Protection by Design – how to fulfil European demands and provide trustworthy services

Data Protection Authority Isle of Man ► Data protection by design and by default

European Commission ► What does data protection ‘by design’ and ‘by default’ mean?

European Data Protection Supervisor ► Preliminary Opinion on privacy by design

EU publications ► Handbook on European data protection law – Privacy by design, page 183

Expert contribution

A&L Goodbody ► The GDPR: A Guide for Businesses – Data Privacy by Design, by Default and Privacy Impact Assessments, Page 24

Oxford University Press ► Commentary on the EU General Data Protection Regulation (GDPR) – Data protection by design and by default, Page 99

For more information, see here: https://gdpr-info.eu/issues/privacy-by-design/

These materials were obtained directly from the International Government public websites and public websites and are posted here for your review and reference only. No Claim to Original International Government Works or public websites. These may not be the most recent versions. The International Governments and public websites may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.

These materials were obtained directly from the U.S. Federal Government public websites, U.S. State Government public websites, or the International Government public websites and are posted here for your review and reference only. No Claim to Original U.S. Government Works, Original U.S. State Government Works, or Original International Government Works. This information may not be the most recent version. The U.S. Government, U.S. States, or International Governments may have more current information. We make no guarantees or warranties about the accuracy or completeness of this information, or the information linked to. Please check the linked sources directly.