One month after the EU’s General Data Protection Regulation became directly applicable in all EU Member States, I would like to take the opportunity to consider the importance of what I deem to be a fundamental pillar of privacy and data protection: Data Protection by Design/Default (“DPbD”).
What is data protection ‘by design’ and ‘by default’? These concepts are laid down in Article 25 and Recital 78 of the GDPR, and encourage companies and organisations to build organisational measures into the design of their processing operations so as to safeguard privacy and provide data protection from the start (by design). It also means that, by default, such entities ensure that personal data is always processed with the highest possible level of privacy protection: only the data that are necessary are processed, those data are not stored for longer than necessary, and only the specific people who need access have it (by default).
Data Protection by Design/Default is indeed one of the most effective ways to fully achieve compliance with the fundamental data protection principles established in Article 5 of the GDPR. However, it seems that at present DPbD has not yet been fully understood and adequately implemented. In this respect, I recommend reading (and possibly commenting on) the recent EDPS Preliminary Opinion 5/2018 on privacy by design (“Preliminary Opinion”), which offers interesting input on a correct approach to DPbD and suggests a number of possible methodologies and means that may help organisations comply with it.
From both the privacy and IT security points of view, it is worth noting the Preliminary Opinion’s explanation of the “Six protection goals for privacy engineering”, which provide a framework for identifying safeguards for IT systems that process personal data. As the Preliminary Opinion puts it, “besides the classical IT security triad of ‘confidentiality’, ‘integrity’ and ‘availability’, three additional goals follow: ‘unlinkability’, ‘transparency’ and ‘intervenability’. IT security in this context does not target risks for the organisation but rather risks for the rights of individuals. Any usual approach known in IT security risk management literature can be used if it is clear what the assets to protect are (the individuals).”