Digital Guardian's Blog

European Data Protection Board Urges Data Protection by Design and by Default

by Chris Brook on Tuesday December 3, 2019


A new set of guidelines from the European Data Protection Board helps inform data controllers of the safeguards that should be followed when designing data processing activities.

The European Data Protection Board (EDPB), an independent European body that contributes to the consistent application of data protection rules across the European Union, recently adopted guidelines on how the General Data Protection Regulation (GDPR) should be interpreted.

The guidelines, published November 13, emphasize the need for Data Protection by Design and by Default, a.k.a. DPbDD.

“In an increasingly digital world, adherence to DPbDD requirements play a crucial part in promoting privacy and data protection in society. It is therefore essential that controllers take this responsibility seriously and implement the GDPR obligations when designing processing operations,” Andrea Jelinek, the Chair of the EDPB, wrote in the guidance, Guidelines 4/2019 on Article 25, Data Protection by Design and by Default.

Under this concept, controllers are required to implement appropriate technical and organizational measures and necessary safeguards, and to build data protection principles into processing in a way that protects the rights and freedoms of data subjects while also allowing the effectiveness of those measures to be demonstrated.

Under the EDPB's guidelines, organizations of all sizes, from small local associations to multinational companies, should consider DPbDD whenever planning a new processing operation. The concept should feed into "all stages of design," including tenders, outsourcing, development, support, maintenance, testing, storage, deletion, and so on.

Once processing has been initiated, controllers have a “continued obligation” to maintain DPbDD. As the EDPB notes, a number of elements can change over the course of processing, namely “the nature, scope, context and purpose of the processing, the risk of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.” That means the controller will need to re-evaluate their processing operations through regular reviews and assessments of the effectiveness of their chosen measures and safeguards.

When it comes to designing how data is processed, the EDPB said in its guidance that controllers need to keep tabs on technology and whether advances can allow for continued, effective implementation of data protection principles. The idea, dubbed “state of the art” by the EDPB, essentially encourages controllers to apply the available and suitable technologies for data avoidance and minimization.

The guidance also includes further instructions on how to implement the data protection principles outlined in Art. 5(1) of GDPR, information on certification under Article 42 (as a way to demonstrate compliance with DPbDD), and a description of how supervisory authorities enforce Article 25.

Tags: Data Protection, GDPR

Chris Brook

Chris Brook is the editor of Data Insider. He is a technology journalist with a decade of experience writing about information security, hackers, and privacy. Chris has attended many infosec conferences and has interviewed hackers and security researchers. Prior to joining Digital Guardian he helped launch Threatpost, an independent news site which is a leading source of information about IT and business security for hundreds of thousands of professionals worldwide.