Implementing data protection by design has been a requirement of the General Data Protection Regulation since the law's inception. Often, it’s easier said than done.

Codified into Art. 25 of GDPR, the concept communicates requirements for data privacy by design and data privacy by default. It revolves around the idea that principles like data minimization, which dictates what kind of personal data is stored and for how long, be kept top of mind when a controller processes data.

A new report, released last week, is geared towards supporting engineers and organizations with the technical aspects of data protection by design and default.

The European Union Agency for Cybersecurity (ENISA) - the EU's agency in charge of overseeing cybersecurity - released the report to celebrate Data Protection Day on Friday.

Following the report's recommendations should help organizations trying to comply with the GDPR make some strides. It emphasizes the importance of data protection impact assessments (DPIAs) - another requirement of the GDPR - and privacy enhancing technologies, as well as anonymization, data masking, privacy preserving computations, storage, transparency and user control tools.

The report breaks down some of the hurdles organizations may face, like how to design a privacy policy to inform users about data protection issues, how to let data subjects exercise their right of access to data controllers, and issues like the reuse of data, data interference and re-identification, and automation.

While ENISA provides functional guidance to address these challenges to meet GDPR compliance, it acknowledges doing so can still sometimes be like to trying to hit a moving target.

Ultimately the report encourages engineers to take a multidisciplinary course, admitting that few things about implementing data protection principles can be straight forward. There are too many variables: risk, why you're processing, the cost, the scope of personal data, and so on.

“Processing operations must be rethought, sometimes radically (similar to how radical the threats are), possibly with the definition of new actors and responsibilities, and with a prominent role for technology as an element of guarantee,” the report reads, “Safeguards must be integrated into the processing with technical and organizational measures. From the technical side, the challenge is to translate these principles into tangible requirements and specifications by requirements by selecting, implementing and configuring appropriate technical and organizational measures and techniques.”

Organizations looking to learn more about data protection engineering and meeting some of the objectives outlined in the report can join a working group ENISA has set up to learn about emerging technologies that could help companies meet best practices.