On 20 October 2020, the European Data Protection Board (EDPB) met for its 40th plenary session. During the session, the EDPB adopted final guidelines on Data Protection by Design and by Default (DPbDD) (available here) (the guidelines). See our blog post on the draft DPbDD guidelines, available here.
As a quick reminder, the obligation to adhere to DPbDD, which is set out in Art. 25 GDPR, states that controllers must show they have:
- Built in compliance measures, including appropriate technical and organisational measures, from the outset, which are continually monitored and updated during their processing of personal data (by design); and
- Given consideration to their processing activities so that only personal data which is necessary for a specific purpose, is processed (by default).
The guidelines showcase how to effectively implement the principles relating to processing of personal data set out in Art. 5 GDPR, setting out key design and default elements, alongside practical examples, and that controllers must be able to demonstrate effectiveness of the measures implemented.
We previously mentioned when we discussed the draft guidelines on DPbDD that while DPbDD primarily concerns controllers, processors and other parties that work with controllers are also advised to take note, as demonstrating compliance with such obligations themselves may be a means to achieving a competitive advantage. This was reiterated by the EDPB in its press release accompanying the guidelines.
The guidelines also provide recommendations on how controllers, processors and third parties can cooperate to achieve DPbDD. For example, they should engage their Data Protection Officers at an early stage, consider using certification and/or codes of conduct to demonstrate compliance, and consider implementing contractual requirements on the processor, to help controllers demonstrate their compliance with DPbDD and the accountability obligation more broadly.