What does data protection by design actually mean?

In October, the European Data Protection Board (EDPB) adopted a final version of the Guidelines on Data Protection by Design & Default - essentially an updating of the privacy by design principles enshrined in the GDPR in 2018.

The basic idea is that data protection should be baked in by default to any new systems handling personal data, rather than bolted on at a later date. This means, for example, building in pseudonymisation and encryption, and limiting the availability of personal data as tightly as possible.

Data controllers are required to implement 'appropriate' technical and organisational measures to protect the rights and freedoms of data subjects, along with 'necessary safeguards'. They also need to be able to demonstrate that the measures they've put in place are effective, and to continually monitor and update them. 

A long-standing concept

The basic concept of privacy by design dates back to the mid-1990s, and was first floated by Dr Ann Cavoukian, the former information and privacy commissioner for Ontario. 

It was recognised as an essential component of fundamental privacy protection by regulators at the International Conference of Data Protection Authorities and Privacy Commissioners in 2010, and now forms part of many well-known privacy frameworks such as OWASP and NIST as well as, of course, the GDPR. 

But it's all very well having principles; it's how they're implemented and enforced that matters. And as Nigel Thorpe, technical director at data security specialist SecureAge Technology, points out: 

"Data protection by design and default is a hugely important principle within GDPR. However, there is no guidance on exactly what this means in terms of standards, techniques and protocols that should be adopted. This has led to patchy implementation of the principle."

The first fine for breaching the rules came in June last year, when Unicredit Bank was fined €130,000 for a 'failure to implement appropriate technical and organisational measures' that led to the disclosure of customers' personal data.

A few months later, there was a rather more significant fine - €14.5 million - for German real estate company Deutsche Wohnen. The company was found to have stored the personal data of tenants without a legal basis, and without implementing privacy by design; it seems the company's systems had been set up in such a way that it was not possible to delete obsolete personal data. 

Should the principles be more specific? 

In practice, informal checklists are available from, for example, the Norwegian data protection authority and the European Union Agency for Cybersecurity (ENISA). However, the EDPB has deliberately stopped short of doing the same.

And without an official checklist, it's hard for organisations to be completely sure that they're complying with data protection by design and default rules. However, says Matthew Gardiner, principal security strategist at Mimecast, it would be impractical to mandate specific technical measures.

"Ultimately, laws and regulations have a diminishing impact when they run into the reality on the ground," he says. 

"Governments can be very helpful on the fronts of law enforcement, international cooperation, and education as well as applying excellent security and privacy practices in their own operations, but legislating good security and privacy practices for every organisation in their jurisdiction at a detailed level would be rife with unintended consequences."