If you control the means and purpose of processing personal data, the General Data Protection Regulation (GDPR) requires you to implement appropriate "technical and organisational measures" that are both: designed to implement data protection principles and to integrate the necessary safeguards into the processing, so as to meet the requirements of the GDPR and protect the rights of data subjects; and which ensure that, by default, you only process personal data which are necessary for each specific purpose. This is known as "data protection by design and by default" or "DPbDD". The committee of EU data protection regulators, the European Data Protection Board (EDPB), has now published its final guidance on meeting these requirements. Let us know if we can help with any aspects of data protection by design and by default, or the guidance itself. This will be particularly important in the context of Brexit and safeguarding any data transfers.
The EDPB's guidance explains the interpretation of the requirements and the legal obligations that are created (Chapter 2) and gives examples on how to apply data protection by design and by default in the context of specific data protection principles (Chapter 3).
It is possible that compliance may be certified according to criteria determined by certification bodies or scheme owners and approved by the local member state regulator or by the EDPB (see Chapter 4), while enforcement procedures and corrective powers are explained in Chapter 5 of the guidelines.
There are additional recommendations in Chapter 6 of the guidance, including suggestions for data processors and technology/service providers. The EDPB recognises the challenges for SMEs and makes the following specific recommendations for smaller businesses:
- make early risk assessments;
- start with small processing – then scale its scope and sophistication later (though you should start in a way that is fairly readily scalable);
- look for warranties or guarantees of data protection by design and by default from technology/service providers and data processors, such as certification and adherence to codes of conduct;
- use technology/service providers and data processors who have a good track record - ask about their complaints record and whether they have been fined or disciplined;
- check in with your local data protection regulator - read their guidance and any relevant guidance from the EDPB;
- adhere to codes of conduct where available;
- get professional help and advice.