ARTICLE
2 November 2020

EDPB Finalises Guidelines On Data Protection By Design And By Default

Reed Smith (Worldwide)


On 20 October 2020, the European Data Protection Board (EDPB) met for its 40th plenary session. During the session, the EDPB adopted final guidelines on Data Protection by Design and by Default (DPbDD) (available here) (the guidelines). See our blog post on the draft DPbDD guidelines, available here.

As a quick reminder, the obligation to adhere to DPbDD, which is set out in Art. 25 GDPR, states that controllers must show they have:

  • Built in compliance measures, including appropriate technical and organisational measures, from the outset, which are continually monitored and updated during their processing of personal data (by design); and
  • Given consideration to their processing activities so that only personal data that is necessary for a specific purpose is processed (by default).

The guidelines show how to effectively implement the principles relating to the processing of personal data set out in Art. 5 GDPR. They set out key design and default elements, alongside practical examples, and stress that controllers must be able to demonstrate the effectiveness of the measures they implement.

We previously mentioned when we discussed the draft guidelines on DPbDD that while DPbDD primarily concerns controllers, processors and other parties that work with controllers are also advised to take note, as demonstrating compliance with such obligations themselves may be a means to achieving a competitive advantage. This was reiterated by the EDPB in its press release accompanying the guidelines.

The guidelines also provide recommendations on how controllers, processors and third parties can cooperate to achieve DPbDD. For example, they should engage their Data Protection Officers at an early stage, consider using certification and/or codes of conduct to demonstrate compliance, and consider implementing contractual requirements on the processor, to help controllers demonstrate their compliance with DPbDD and the accountability obligation more broadly.

The content of this article is intended to provide a general guide to the subject matter. Specialist advice should be sought about your specific circumstances.
