Article 25 GDPR Data Protection by Design and by Default
Guidelines 04/2019 – Article 25 GDPR Data Protection by Design and by Default
SECTION 3 IMPLEMENTING DATA PROTECTION PRINCIPLES IN THE PROCESSING OF PERSONAL DATA USING DATA PROTECTION BY DESIGN AND BY DEFAULT
58. In all stages of design of the processing activities, including tenders, outsourcing, development, support, maintenance, testing, storage, deletion, etc., the controller must take into account and consider the various elements of DPbDD which will be illustrated by the examples in this chapter, set in the context of implementing the principles.
59. When presenting the examples of how to operationalize DPbDD we have made lists of key DPbDD elements for each of the principles. The examples, while highlighting the specific data protection principle in question, may overlap with other closely related principles as well.
Transparency
60. The controller must be clear and open with the data subject from the start about how they will collect, use and share personal data. Transparency is about enabling data subjects to understand, and if necessary, make use of their rights in Articles 15 to 22. The principle is embedded in Articles 12, 13, 14 and 34. Measures and safeguards put in place to support the principle of transparency should also support the implementation of these Articles.
61. Key design and default elements may include:
- Clarity – Information shall be in clear and plain language, concise and intelligible.
- Semantics – Communication shall have a clear meaning to the audience in question.
- Accessibility – Information shall be easily accessible for the data subject.
- Contextual – Information shall be provided at the relevant time and in the appropriate form.
- Relevance – Information shall be relevant and applicable to the specific data subject.
- Universal design – Information shall be accessible to all, including use of machine-readable languages to facilitate and automate readability and clarity.
- Comprehensible – Data subjects shall have a fair understanding of what they can expect with regard to the processing of their personal data, particularly when the data subjects are children or other vulnerable groups.
- Multi-channel – Information should be provided in different channels and media, beyond the textual, to increase the probability that the information effectively reaches the data subject.
Example
A controller is designing a privacy policy in order to comply with the requirements of transparency. The privacy policy cannot contain a lengthy bulk of information that is difficult for the average data subject to penetrate and understand; it must be written in clear and concise language and make it easy for the user of the website to understand how their personal data is processed. The controller therefore provides information in a multi-layered manner, where the most important points are highlighted. Drop-down menus and links to other pages are provided to further explain the concepts in the policy. The controller also makes sure that the information is provided in a multi-channel manner, providing video clips to explain the most important points of the information. The privacy policy cannot be difficult for data subjects to access. The privacy policy is thus made available and visible on all internal web pages of the site in question, so that the data subject is always only one click away from accessing the information. The information provided is also designed in accordance with the best practices and standards of universal design to make it accessible to all. Moreover, necessary information must also be provided in the right context, at the appropriate time. This means that generally a privacy policy on the website alone is not sufficient for the controller to meet the requirements of transparency. The controller therefore designs an information flow, presenting the data subject with relevant information within the appropriate contexts using e.g. informational snippets or pop-ups. For example, when asking the data subject to enter personal data, the controller informs the data subject of how the personal data will be processed and why that personal data is necessary for the processing.
Lawfulness
62. The controller shall identify a valid legal basis for the processing of personal data. Measures and safeguards put in place to support the principle of lawfulness should support the requirement to make sure that the whole processing lifecycle is in line with the relevant legal grounds of processing.
63. Key design and default elements may include:
- Relevance – The correct legal basis shall be applied to the processing.
- Differentiation – The controller shall differentiate between the legal basis used for each processing activity.
- Specified purpose – The appropriate legal basis must be clearly connected to the specific purpose of processing.
- Necessary – Processing must be necessary for the purpose to be lawful. It is an objective test which involves an objective assessment of realistic alternatives of achieving the purpose.
- Autonomy – The data subject should be granted the highest degree of autonomy possible with respect to control over personal data.
- Consent withdrawal – The processing shall facilitate withdrawal of consent. Withdrawal shall be as easy as giving consent. If not, any given consent is not valid.
- Balancing of interests – Where legitimate interest is the legal basis, the controller must carry out an objectively weighted balancing of interests. There shall be measures and safeguards to mitigate the negative impact on the data subjects, and the controller should disclose their assessment of the balancing of interests.
- Predetermination – The legal basis shall be established before the processing takes place.
- Cessation – If the legal basis ceases to apply, the processing shall cease accordingly.
- Adjust – If there is a valid change of legal basis for the processing, the actual processing must be adjusted in accordance with the new legal basis.
- Default configurations – Processing must be limited to what the legal basis strictly gives grounds for.
- Allocation of responsibility – Whenever joint controllership is envisaged, the parties must apportion in a clear and transparent way their respective responsibilities vis-à-vis the data subject.
Example
A bank plans to offer a service to improve efficiency in the management of loan applications. The idea behind the service is that the bank, by requesting permission from the customer, is able to retrieve data from public authorities about the customer. This may be, for example, tax data from the tax administration.
Initially, this personal data is necessary in order to take steps at the request of the data subject prior to entering into a contract. However, this specific way of processing the personal data is not necessary for entering into a contract, because a loan may be granted without obtaining data directly from public authorities. The customer is able to enter into a contract by providing the information from the tax administration herself.
When implementing the principle of lawfulness, the controller realizes that they cannot use the “necessary for contract” basis for the part of the processing that involves gathering personal data directly from the tax authorities. The fact that this specific processing presents a risk of the data subject becoming less involved in the processing of their data is also a relevant factor in assessing the lawfulness of the processing itself. The bank concludes that this part of the processing must rely on consent.
The bank therefore presents information about the processing on the online application platform in such a manner that makes it easy for data subjects to understand what processing is mandatory and what is optional. The processing options, by default, do not allow retrieval of data directly from other sources than the data subject herself, and the option for direct information retrieval is presented in a manner that does not deter the data subject from abstaining. Any consent given to collect data directly from other controllers is a temporary right of access to a specific set of information.
Any given consent is processed electronically in a documentable manner, and data subjects are presented with an easy way of controlling what they have consented to and to withdraw their consent.
The controller has assessed these DPbDD requirements beforehand and includes all of these criteria in their requirements specification for the tender to procure the platform. The controller is aware that if they do not include the DPbDD requirements in the tender, it may either be too late or a very costly process to implement data protection afterwards.
Fairness
64. Fairness is an overarching principle which requires that personal data shall not be processed in a way that is detrimental, discriminatory, unexpected or misleading to the data subject. Measures and safeguards implementing the principle of fairness also support the rights and freedoms of data subjects, specifically the right to information (transparency), the right to intervene (access, erasure, data portability, rectify) and the right to limit the processing (right not to be subject to automated individual decision-making and non-discrimination of data subjects in such processes).
65. Key design and default elements may include:
- Autonomy – Data subjects shall be granted the highest degree of autonomy possible with respect to control over their personal data.
- Interaction – Data subjects must be able to communicate and exercise their rights with the controller.
- Expectation – Processing should correspond with data subjects’ expectations.
- Non-discrimination – The controller shall not discriminate against data subjects.
- Non-exploitation – The controller shall not exploit the needs or vulnerabilities of data subjects.
- Consumer choice – The controller should not “lock in” their users. Whenever a service or a good is personalized or proprietary, it may create a lock-in to the service or good. If it is difficult for the data subject to change controllers because of this, that may not be fair.
- Power balance – Asymmetric power balances shall be avoided or mitigated when possible. Controllers should not transfer the risks of the enterprise to the data subjects.
- Respect rights and freedoms – The controller must respect the fundamental rights and freedoms of data subjects and implement appropriate measures and safeguards to not violate these rights and freedoms.
- Ethical – The controller should see the processing’s wider impact on individuals’ rights and dignity.
- Truthful – The controller must act as they declare to do, provide an account for what they do and not mislead the data subjects.
- Human intervention – The controller must incorporate qualified human intervention that is capable of recovering biases that machines may create, in relation to the right not to be subject to automated individual decision-making in Article 22.
- Fair algorithms – Information shall be provided to data subjects about processing of personal data based on algorithms that analyse or make predictions about them, such as work performance, economic situation, health, personal preferences, reliability or behaviour, location or movements.
Example 1
A controller operates a search engine that processes mostly user-generated personal data. The controller benefits from having large amounts of personal data and being able to use that personal data for targeted advertisements. The controller therefore wishes to influence data subjects to allow extensive collection and use of their personal data.
When implementing the fairness principle, taking into account the nature, scope, context and purpose of the processing, the controller realizes that they cannot present the options in a way that nudges the data subject in the direction of allowing the controller to collect more personal data than if the options were presented in an equal and neutral way. This means that they cannot present the processing options in such a manner that makes it difficult for data subjects to abstain from sharing their data, or makes it difficult for the data subjects to adjust their privacy settings and limit the processing. The default options for the processing must be the least invasive, and the choice for further processing must be presented in a manner that does not deter the data subject from abstaining.
Example 2
Another controller processes personal data for the provision of a streaming service where users may choose between a regular subscription of standard quality and a premium subscription with higher quality. As part of the premium subscription, subscribers get prioritized customer service. With regard to the fairness principle, the prioritized customer service granted to premium subscribers cannot discriminate against other data subjects’ rights under Article 12 GDPR. This means that although the premium subscribers get prioritized service, such prioritization cannot result in a lack of appropriate measures to respond to requests from regular subscribers without undue delay and in any event within one month of receipt of the requests.
Prioritized customers may pay to get better service, but all data subjects shall have equal and indiscriminate access to enforce their rights and freedoms according to the GDPR.
Purpose Limitation
66. The controller must collect data for specified, explicit, and legitimate purposes, and not further process the data in a manner that is incompatible with the purposes for which they were collected. The design of the processing should therefore be shaped by what is necessary to achieve the purposes. If any further processing is to take place, the controller must first make sure that this processing has purposes compatible with the original ones and design such processing accordingly. Whether a new purpose is compatible or not, shall be assessed according to the criteria in Article 6(4).
67. Key design and default elements may include:
- Predetermination – The legitimate purposes must be determined before the design of the processing.
- Specificity – The purposes must be specific to the processing and make it explicitly clear why personal data is being processed.
- Purpose orientation – The purpose of processing should guide the design of the processing and set processing boundaries.
- Necessity – The purpose determines what personal data is necessary for the processing.
- Compatibility – Any new purpose must be compatible with the original purpose for which the data was collected and guide relevant changes in design.
- Limit further processing – The controller should not connect data sets or perform any further processing for new incompatible purposes.
- Review – The controller must regularly review whether the processing is necessary for the purposes for which the data was collected and test the design against purpose limitation.
- Technical limitations of reuse – The controller should use technical measures, including hashing and cryptography, to limit the possibility of repurposing personal data.
Example
The controller processes personal data about its customers. The purpose of the processing is to fulfil a contract, i.e. to be able to deliver goods to the correct address and obtain payment. The personal data stored is the purchase history, name, address, e-mail address and telephone number. The controller is considering buying a Customer Relationship Management (CRM) product that gathers all the customer data such as sales, marketing and customer service in one place. The product gives the opportunity of storing all phone calls, activities, documents, emails and marketing campaigns to get a 360-degree view of the customer. Ultimately the CRM automatically analyses the customers’ purchasing power by using public information. The purpose of the analysis is to target the advertising better, but it is not a part of the original lawful purpose of the processing. To be in line with the principle of purpose limitation, the controller requires the provider of the product to map the different processing activities using personal data to the purposes relevant for the controller. Another requirement is that the product shall be able to flag which processing activities using personal data are not in line with the legitimate purposes of the controller.
After receiving the results of the mapping, the controller assesses whether the new marketing purpose and the targeted advertisement purpose are within the contractual purposes or if they need another legal ground for this processing. Alternatively, the controller could choose not to make use of this functionality in the product.
Data Minimisation
68. Only personal data that is adequate, relevant and limited to what is necessary for the purpose shall be processed. As a result, the controller has to predetermine which features and parameters of processing systems and their supporting functions are permissible. Data minimisation substantiates and operationalises the principle of necessity. In the further processing, the controller should periodically consider whether processed personal data still is adequate, relevant and necessary, or if the data shall be deleted or anonymized.
69. Controllers must first of all determine whether they even need to process personal data for their relevant purposes. They should verify whether technology, processes or procedures exist that could make the need to process personal data obsolete. Such verification could take place at a particular point of the processing activity or even throughout the processing lifecycle. This is also consistent with Article 11.
70. Minimising can also refer to the degree of identification. If the purpose of the processing does not require the final set of data to refer to an identified or identifiable individual (such as in statistics), but the initial processing does (e.g. before data aggregation), then the controller shall anonymize personal data as soon as identification is no longer needed. Or, if continued identification is needed for other processing activities, personal data should be pseudonymized to mitigate risks for the data subjects’ rights.
71. Key design and default elements may include:
- Data avoidance – Avoid processing personal data altogether when this is possible for the relevant purpose.
- Relevance – Personal data shall be relevant to the processing in question, and the controller shall be able to demonstrate this relevance.
- Necessity – Each personal data element shall be necessary for the specified purposes and should only be processed if it is not possible to fulfil the purpose by other means.
- Limitation – Limit the amount of personal data collected to what is necessary for the purpose.
- Aggregation – Use aggregated data when possible.
- Pseudonymization – Pseudonymize personal data as soon as it is no longer necessary to have directly identifiable personal data, and store identification keys separately.
- Anonymization and deletion – Where personal data is not, or is no longer, necessary for the purpose, personal data shall be anonymized or deleted.
- Data flow – The data flow shall be made efficient enough to not create more copies, or entry points for data collection, than necessary.
- “State of the art” – The controller should apply available and suitable technologies for data avoidance and minimisation.
Example 1
A bookshop wants to add to their revenue by selling their books online. The bookshop owner wants to set up a standardised form for the ordering process. To make sure that customers fill out all the necessary information, the bookshop owner makes every field in the form a required field (if a field is left empty, the customer cannot place the order). The webshop owner initially uses a standard contact form, which asks for the customer’s date of birth, phone number and home address. However, not all the fields in the form are strictly necessary for the purpose of buying and delivering the books. The data subject’s date of birth and phone number are not necessary for the purchase of the product. This means that these cannot be required fields in the web form to order the product. Moreover, there are situations where an address will not be necessary. For example, when ordering an eBook the customer can download the product and his or her address does not need to be processed by the webshop. The webshop owner therefore decides to make two web forms: one for ordering books, with a field for the customer’s address, and one web form for ordering eBooks without a field for the customer’s address.
Example 2
A public transportation company wishes to gather statistical information based on travellers’ routes. This is useful for the purposes of making proper choices on changes in public transport schedules and proper routings of the trains. The passengers must pass their ticket through a reader every time they enter or exit a means of transport. Having carried out a risk assessment related to the rights and freedoms of passengers regarding the collection of passengers’ travel routes, the controller establishes that it is possible to identify the passengers based on the ticket identifier. Therefore, since it is not necessary for the purpose of optimizing the public transport schedules and routings of the trains, the controller does not store the ticket identifier. Once the trip is over, the controller only stores the individual travel routes so as not to be able to identify trips connected to a single ticket, and only retains information about separate travel routes.
In cases where there can be a risk of identifying a person solely by their travel route (this might be the case in remote areas) the controller implements measures to aggregate the travel route, such as cutting the beginning and the end of the route.
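The route aggregation described in Example 2, as an added illustration that is not part of the guidelines: the ticket identifier is discarded at once, and any route travelled fewer than k times (the constructed threshold, not a value from the guidelines) has its first and last stop cut until it is common enough or cannot be trimmed further.

```python
from collections import Counter


# Constructed sample: each raw trip is (ticket_id, ordered list of stops where the ticket was read).
SAMPLE_TRIPS = [
    ("T-1001", ["Central", "Park", "Harbour", "Airport"]),
    ("T-1002", ["Central", "Park", "Harbour", "Airport"]),
    ("T-1003", ["Central", "Park", "Harbour", "Airport"]),
    ("T-1004", ["Central", "Park", "Harbour", "Airport"]),
    ("T-1005", ["Central", "Park", "Harbour", "Airport"]),
    # a rider from a remote village: the full route is unique and could single them out
    ("T-2001", ["Oakhollow", "Central", "Park", "Harbour", "Airport", "Millbrook"]),
    # a short unique route that cannot be generalised further
    ("T-3001", ["Quarry", "Ridge", "Mill"]),
]


def strip_ticket_identifiers(trips):
    """Keep only the route; the ticket identifier is never stored."""
    return [tuple(stops) for _ticket, stops in trips]


def aggregate_routes(trips, k: int) -> Counter:
    """Return route counts in which every retained route was travelled at least k times.

    Routes seen fewer than k times are generalised by cutting their first and last
    stop (the revealing ends, e.g. a remote home station), then recounted. A rare
    route that is already too short to trim is discarded rather than kept.
    """
    routes = strip_ticket_identifiers(trips)
    while True:
        counts = Counter(routes)
        if all(counts[r] >= k for r in routes):
            return counts
        generalised = []
        for r in routes:
            if counts[r] >= k:
                generalised.append(r)
            elif len(r) > 3:            # trimming leaves at least a two-stop route
                generalised.append(r[1:-1])
            # else: rare and untrimmable, dropped
        routes = generalised


if __name__ == "__main__":
    for route, n in aggregate_routes(SAMPLE_TRIPS, k=3).items():
        print(n, " -> ".join(route))
```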
Example 3
A courier aims at assessing the effectiveness of its deliveries in terms of delivery times, workload scheduling and fuel consumption. In order to reach this goal, the courier has to process a range of personal data relating to both employees (drivers) and customers (addresses, items to be delivered, etc.). This processing operation entails risks of both monitoring employees, which requires specific legal safeguards, and tracking customers’ habits through the knowledge of the delivered items over time. These risks can be significantly reduced with appropriate pseudonymization of employees and customers. In particular, if pseudonymization keys are frequently rotated and macro areas are considered instead of detailed addresses, an effective data minimization is pursued, and the controller can focus solely on the delivery process and on the purpose of resource optimization, without crossing the threshold of monitoring individuals’ (customers’ or employees’) behaviours.
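The pseudonymization with rotated keys and macro areas from Example 3, as an added illustration that is not the courier's or the guidelines' own code: keys are random per period and kept apart from the data, identifiers are replaced with keyed (HMAC) pseudonyms so they stay stable within a period but unlinkable across periods, the postcode is coarsened, and fields the purpose does not need are dropped. The record layout, the weekly rotation and the two-digit postcode prefix are constructed assumptions.

```python
import hashlib
import hmac
import secrets
from collections import defaultdict
from dataclasses import dataclass


@dataclass(frozen=True)
class Delivery:
    """One raw delivery record as a dispatch system might hold it (constructed layout)."""
    period: str          # key-rotation interval the delivery falls in, here an ISO week
    driver_id: str       # employee identifier
    customer_id: str     # customer account identifier
    postcode: str        # full postcode of the delivery address
    item: str            # what was delivered
    minutes: int         # time spent on the delivery
    fuel_litres: float   # fuel used on the leg


class RotatingKeyStore:
    """Pseudonymization keys, one per period, held apart from the delivery data.
    Only the `keep_periods` most recent keys are retained; once a key is dropped,
    records of that period can no longer be linked back to a driver or customer."""

    def __init__(self, keep_periods: int = 1) -> None:
        assert keep_periods >= 1
        self.keep_periods = keep_periods
        self._keys: dict[str, bytes] = {}

    def key_for(self, period: str) -> bytes:
        if period not in self._keys:
            self._keys[period] = secrets.token_bytes(32)   # fresh random key per period
        return self._keys[period]

    def has_key(self, period: str) -> bool:
        return period in self._keys

    def rotate(self) -> None:
        """Discard every key except the most recent ones (ISO period strings sort chronologically)."""
        for period in sorted(self._keys)[:-self.keep_periods]:
            del self._keys[period]


def pseudonymize(key: bytes, label: str, identifier: str) -> str:
    """Keyed pseudonym: stable within a period (so workload can be totalled per driver),
    unlinkable across periods once the key changes. An unkeyed hash would be reversible
    by anyone able to enumerate the small space of employee or customer ids."""
    mac = hmac.new(key, f"{label}:{identifier}".encode(), hashlib.sha256)
    return mac.hexdigest()[:16]


def macro_area(postcode: str, keep_digits: int = 2) -> str:
    """Generalise a full postcode to a coarse area: '1050' -> '10xx'."""
    return postcode[:keep_digits] + "x" * max(0, len(postcode) - keep_digits)


def minimise(rec: Delivery, keys: RotatingKeyStore) -> dict:
    """Reduce a raw record to what route and workload optimisation needs."""
    key = keys.key_for(rec.period)
    return {
        "period": rec.period,
        "driver": pseudonymize(key, "driver", rec.driver_id),
        "customer": pseudonymize(key, "customer", rec.customer_id),
        "area": macro_area(rec.postcode),
        "minutes": rec.minutes,
        "fuel_litres": rec.fuel_litres,
        # raw ids, the exact address and the delivered item are not needed for the purpose
    }


def workload_per_driver(rows: list) -> dict:
    """Total minutes and fuel per (period, driver pseudonym): the optimisation output."""
    totals = defaultdict(lambda: {"minutes": 0, "fuel_litres": 0.0})
    for row in rows:
        bucket = totals[(row["period"], row["driver"])]
        bucket["minutes"] += row["minutes"]
        bucket["fuel_litres"] += row["fuel_litres"]
    return dict(totals)


# Constructed sample: driver D-01 delivers to customer C-9 in week 03 and again in week 04.
SAMPLE_DELIVERIES = [
    Delivery("2024-W03", "D-01", "C-9", "1050", "printer toner", 25, 1.4),
    Delivery("2024-W03", "D-01", "C-4", "1060", "books", 30, 1.9),
    Delivery("2024-W04", "D-01", "C-9", "1050", "printer toner", 20, 1.2),
    Delivery("2024-W03", "D-02", "C-9", "1050", "chair", 40, 2.5),
]


if __name__ == "__main__":
    store = RotatingKeyStore(keep_periods=1)
    rows = [minimise(d, store) for d in SAMPLE_DELIVERIES]
    for row in rows:
        print(row)
    print(workload_per_driver(rows))
    store.rotate()
    print("week 03 key retained:", store.has_key("2024-W03"))
```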
Accuracy
72. Personal data shall be accurate and kept up to date, and every reasonable step must be taken to ensure that personal data that is inaccurate, having regard to the purposes for which it is processed, is erased or rectified without delay.
73. The requirements must be seen in relation to the risks and consequences of the concrete use of data. Inaccurate personal data could be a risk to the data subjects’ rights and freedoms, for example when leading to a faulty diagnosis or wrongful treatment of a health protocol, or an incorrect image of a person can lead to decisions being made on the wrong basis either manually, using automated decision-making, or through artificial intelligence.
74. Key design and default elements may include:
- Data source – Data sources should be reliable in terms of data accuracy.
- Degree of accuracy – Each personal data element shall be as accurate as necessary for the specified purposes.
- Measurably accurate – Reduce the number of false positives/negatives.
- Verification – Depending on the nature of the data, in relation to how often it may change, the controller should verify the correctness of personal data with the data subject before and at different stages of the processing.
- Erasure/rectification – The controller must erase or rectify inaccurate data without delay.
- Accumulated errors – Controllers must mitigate the effect of an accumulated error in the processing chain.
- Access – Data subjects should be given an overview and easy access to personal data in order to control accuracy and rectify as needed.
- Continued accuracy – Personal data should be accurate at all stages of the processing; tests of accuracy should be carried out at critical steps.
- Up to date – Personal data shall be updated if necessary for the purpose.
- Data design – Use of technological and organisational design features to decrease inaccuracy, e.g. drop-down lists with limited values, internal policies, and legal criteria.
Example 1
A bank wishes to use artificial intelligence (AI) to profile customers applying for bank loans as a basis for their decision making. When determining how their AI solutions should be developed, they are determining the means of processing and must consider data protection by design when choosing an AI from a vendor and when deciding on how to train the AI.
When determining how to train the AI, the controller must have accurate data to achieve precise results. Therefore, the controller must ensure that the data used to train the AI is accurate.
Provided they have the legal basis to train the AI using personal data from a large pool of their existing customers, the controller chooses a pool of customers that is representative of the population, also to avoid bias.
The bank gathers customer data from its own systems (the existing loan customers’ payment history, bank transactions and credit card debt), conducts new credit checks, and gathers data from public registries that it has legal access to use.
To ensure that the data used for AI training is as accurate as possible, the controller only collects data from data sources with correct and up-to date information.
Finally, the bank tests whether the AI is reliable and provides non-discriminatory results. When the AI is fully trained and operative, the bank uses the results as a part of the loan assessments, and will never rely solely on the AI to decide whether to grant loans.
The bank will also review the reliability of the results from the AI at regular intervals.
Example 2
The controller is a health institution looking to find methods to ensure the integrity and accuracy of personal data in their client registers.
In situations where two persons arrive at the institution at the same time and receive the same treatment, there is a risk of mistaking them if the only parameter to separate them is by name. To ensure accuracy, the controller needs a unique identifier for each person, and therefore more information than just the name of the client.
The institution uses several systems containing personal information of clients, and needs to ensure that the information related to the client is correct, accurate and consistent in all the systems at any point in time. The institution has identified several risks that may arise if information is changed in one system but not another.
The controller decides to mitigate the risk by using a hashing technique that can be used to ensure integrity of data in the treatment journal. Immutable hash signatures are created for treatment journal records and the employee associated with them so that any changes can be recognized, correlated and traced if required.
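The chained hash signatures over treatment journal records from Example 2, as an added illustration that is not the institution's or the guidelines' own code: each entry carries a unique patient identifier, the responsible employee and a keyed hash (HMAC-SHA-256, a constructed choice) over its own fields and the previous entry's hash, so an altered or removed record is recognized, and the employee and sequence number tied to it can be traced. The key is assumed to be held by the records system apart from the journal storage.

```python
import hashlib
import hmac
import json
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class JournalEntry:
    seq: int            # position in the journal
    patient_id: str     # unique client identifier, not the name alone
    employee_id: str    # who made the entry
    text: str           # treatment note
    prev_hash: str      # hash of the preceding entry (the chain link)
    entry_hash: str     # keyed hash over all fields above


ZERO_HASH = "0" * 64   # chain link of the very first entry


def _digest(key: bytes, seq, patient_id, employee_id, text, prev_hash) -> str:
    """Keyed SHA-256 over a canonical JSON encoding, so every field is covered
    and field order cannot change the result."""
    payload = json.dumps(
        {"seq": seq, "patient": patient_id, "employee": employee_id,
         "text": text, "prev": prev_hash},
        sort_keys=True, separators=(",", ":"),
    ).encode()
    return hmac.new(key, payload, hashlib.sha256).hexdigest()


class TreatmentJournal:
    """Append-only journal whose entries are chained by keyed hashes. Because the key
    is not stored with the records, an edit to stored records cannot be hidden by
    simply recomputing a plain hash over the altered content."""

    def __init__(self, integrity_key: bytes) -> None:
        self.integrity_key = integrity_key
        self.entries: list = []

    def append(self, patient_id: str, employee_id: str, text: str) -> JournalEntry:
        prev = self.entries[-1].entry_hash if self.entries else ZERO_HASH
        seq = len(self.entries)
        h = _digest(self.integrity_key, seq, patient_id, employee_id, text, prev)
        entry = JournalEntry(seq, patient_id, employee_id, text, prev, h)
        self.entries.append(entry)
        return entry

    def verify(self) -> list:
        """Sequence numbers of entries whose contents or chain link no longer match."""
        bad = []
        prev = ZERO_HASH
        for e in self.entries:
            expected = _digest(self.integrity_key, e.seq, e.patient_id,
                               e.employee_id, e.text, e.prev_hash)
            if e.entry_hash != expected or e.prev_hash != prev:
                bad.append(e.seq)
            prev = e.entry_hash
        return bad


def tampered_copy(journal: TreatmentJournal, seq: int, new_text: str) -> TreatmentJournal:
    """Simulate an out-of-band edit of one stored record; the stored hash is left untouched."""
    copy = TreatmentJournal(journal.integrity_key)
    copy.entries = [replace(e, text=new_text) if e.seq == seq else e for e in journal.entries]
    return copy


if __name__ == "__main__":
    journal = TreatmentJournal(b"constructed-demo-key")       # constructed key, not a real secret
    journal.append("P-0001", "E-17", "Dose 5 mg administered")
    journal.append("P-0002", "E-17", "Dose 5 mg administered")  # same treatment, different patient id
    journal.append("P-0001", "E-22", "Follow-up scheduled")
    print("intact journal, bad entries:", journal.verify())
    altered = tampered_copy(journal, 1, "Dose 50 mg administered")
    print("altered copy, bad entries:", altered.verify(),
          "made by", altered.entries[1].employee_id)
```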
Storage limitation
75. The controller must ensure that personal data is kept in a form which permits identification of data subjects for no longer than is necessary for the purposes for which the personal data is processed. It is vital that the controller knows exactly what personal data the company processes and why. The purpose of the processing shall be the deciding criterion in how long personal data shall be stored.
76. Measures and safeguards that implement the principle of storage limitation shall complement the rights and freedoms of the data subjects, specifically, the right to erasure, the right to object and profiling.
77. Key design and default elements may include:
- Deletion – The controller must have clear internal procedures for deletion.
- Automation – Deletion of certain personal data should be automated.
- Storage criteria – The controller must determine what data and length of storage is necessary for the purpose.
- Enforcement of retention policies – The controller must enforce internal retention policies and conduct tests of whether the organization practices its policies.
- Effectiveness of anonymization/deletion – The controller shall make sure that it is not possible to re-identify anonymized data or recover deleted data, and should test whether this is possible.
- Disclose rationale – The controller must be able to justify why the period of storage is necessary for the purpose, and disclose the rationale behind the retention period.
- Data flow – Controllers must be aware of and seek to limit “temporary” storage of personal data.
- Backups/logs – Controllers must determine which personal data and length of storage is necessary for back-ups and logs.
Example
The controller collects personal data where the purpose of the processing is to administer a membership with the data subject; the personal data shall be deleted when the membership is terminated. The controller makes an internal procedure for data retention and deletion. According to this, employees must manually delete personal data after the retention period ends. The employee follows the procedure to regularly delete and correct data from any devices, from backups, logs, e-mails and other relevant storage media. To make deletion more effective, the controller instead implements an automatic system to delete data automatically and more regularly. The system is configured to follow the given procedure for data deletion, which then occurs at a predefined regular interval to remove personal data from all of the company’s storage media. The controller reviews and tests the retention policy regularly.
Integrity and confidentiality
78. The principle of security includes the well-known information security properties – confidentiality, integrity and availability – which strengthen data processing resilience. The security of personal data shall both prevent data breach incidents as well as facilitate the proper execution of data processing tasks, independent of individuals, to reinforce principles and allow individuals to exercise their rights in a seamless manner.
79. Recital 78 states that one of the DPbDD measures could consist of enabling the controller to “create and improve security features”. Along with other DPbDD measures, Recital 78 suggests a responsibility on controllers to continually assess whether they are using the appropriate means of processing at all times and to assess whether the chosen measures actually counter the existing vulnerabilities. Furthermore, it should be understood that controllers must conduct regular reviews of the information security measures that surround and protect the personal data, and of the procedure for handling data breaches.
80. Key design and default elements may include:
- Information security management system (ISMS) – Have an operative means of managing policies and procedures for information security. For some controllers, this may be possible with the help of an ISMS.
- Risk analysis – Assess the risks against the security of personal data and counter identified risks.
- Resilience – The processing should be robust enough to withstand changes, regulatory demands, incidents and cyber attacks.
- Access management – Only authorized personnel shall have access to the data necessary for their processing tasks.
- Secure transfers – Transfers shall be secured against unauthorized access and changes.
- Secure storage – Data storage shall be secure from unauthorized access and changes.
- Backups/logs – Keep back-ups and logs to the extent necessary for information security; use audit trails and event monitoring as a routine security control.
- Special protection – Special categories of personal data should be protected with adequate measures and, when possible, be kept separated from the rest of the personal data.
- Pseudonymization – Personal data and back-ups/logs should be pseudonymized as a security measure to minimize risks of potential data breaches, for example using hashing or encryption.
- Security incident response management – Have in place routines and procedures to detect, handle, report and learn from data breaches.
- Personal data breach handling – Integrate management of notification (to the supervisory authority) and information (to data subjects) obligations in the event of a data breach into security incident management procedures.
- Maintenance and development – Regularly review and test software to uncover vulnerabilities of the systems supporting the processing.