Guidelines 04/2019 – Article 25 GDPR Data Protection by Design and by Default
Paragraph 2.1.4 Time aspect
At the time of the determination of the means for processing
32. Data protection by design must be implemented “at the time of determination of the means for processing”.
33. The “means of processing” ranges from the abstract to the concrete detailed design elements of the processing, such as the architecture, procedures, protocols, layout and appearance.
34. The “time of determination” of such means is when the controller is in the process of determining which means to incorporate into the processing. It’s in the process of making such decisions that the controller must assess the appropriate measures and safeguards to effectively implement the principles and rights of data subjects into the processing, and take into account elements such as the “state of the art”, cost of implementation, nature, scope, context and purpose, and risks.
35. Controllers must be able to demonstrate that such assessments have been made for all of the means that are part of the processing.
36. Early consideration of DPbDD is crucial for a successful implementation of the principles. From a cost-benefit perspective, it would be in controllers’ interest to take this into account sooner rather than later, as it could be challenging and costly to make changes to plans that have already been made and processing operations that have already been designed.
At the time of the processing itself
37. Once the processing has started, the controller has a continued obligation to maintain DPbDD, i.e. continued effective implementation of the rights and principles. The nature, scope and context of processing operations may change over the course of processing, which means that the controller must re-evaluate their processing operations through regular reviews and assessments of the effectiveness of their chosen measures and safeguards.
38. This obligation also extends to any processing carried out by data processors. Processors’ operations should be regularly reviewed and assessed to ensure that they enable continual compliance with the DPbDD principles and support the data controller’s obligations in this respect.