GDPR Learning Hub

Article 25 of the GDPR

Built-in data protection by design and data protection by default

Companies must implement built-in data protection by design and data protection by default according to the rules of Article 25 of the GDPR. Article 25 is addressed to the controller, but its requirements are particularly important for mobile application developers and system service providers to know, because a controller can only meet them if data protection by design and by default is actually built into the digital service that is developed and delivered.

Do all companies, regardless of size, have to implement built-in data protection by design and data protection by default?

Yes. It does not matter whether it is a startup or a multi-billion dollar company: every company subject to the GDPR shall implement data protection by design and by default, together with appropriate technical and organisational measures. What varies is not the obligation itself but what counts as appropriate, which depends on the nature, scope, context and purposes of the processing, the risks it poses to the data subjects, the state of the art and the cost of implementation. The size of the company does play a role when administrative fines are set: the upper limits for fines are expressed as a fixed amount or a percentage of the company's total worldwide annual turnover, whichever is higher.

Data protection by default

Companies that are subject to the GDPR need to adapt their product, system or service to the rules of the regulation. In short, data protection by default means that the company must ensure that, by default, only the personal data necessary for each specific purpose is processed, that it is kept for no longer than necessary, that access to it is limited, and that it is not made accessible to an indefinite number of people without the data subject's own active choice.

In other words, the company should ship data protection-friendly settings that are enabled from the start, without the individual user having to do anything. The most privacy-protective setting must therefore be the one that applies from the outset, and any less protective option is something the user actively opts into.

What is the purpose of data protection by default?

The purpose of the data protection by default requirement is for the controller to ensure that its systems and services protect personal data automatically, without relying on the user. Because the most protective settings are already enabled from the start, the individual user does not have to find and change anything in order to be protected; the burden of configuring the service safely lies with the controller, not with the data subject.

Examples of how companies can work with data protection as a standard in practice

Needs analysis

In order to do the best possible work with data protection, it is important that the company first analyzes what personal data is necessary to process, to achieve the purpose. The amount of personal data collected must be minimised to what is strictly necessary for that purpose.

Authorisation management

In addition, the personal data shall by default not be accessible to any unauthorised person. Only persons who need access to the personal data in order to perform their tasks should be able to process it, and the access they are given should be limited to the data that those tasks require. The company should therefore ensure at an early stage, already in the development phase, that proper authorisation management (roles, access rights and the procedures for granting, reviewing and revoking them) is in place.

Storage limitation

Furthermore, the personal data shall not be stored for longer than necessary. Therefore, it is important that the company makes sure that the settings regarding storage, backups, logs, etc. are correctly set up and that routines are in place for handling them, including routines for erasure and anonymisation of personal data. Note that backups and log archives contain personal data too, so the retention and erasure routines must cover them as well, not only the primary database.
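As an added illustration (not code from the original article), the following Python model ties the three measures above together: a needs analysis expressed as a fixed set of allowed fields, authorisation management as a role-to-field access table, and storage limitation as a retention check that anonymises the record once the period has expired. It also shows data protection by default by giving every new record the most protective settings unless the data subject actively changes them. The service, the roles, the fields and the 30-day retention period are all hypothetical assumptions.

```python
"""Added example: data minimisation, role-based access and retention-driven
anonymisation for a hypothetical customer record. Not from the original page;
field names, roles and the retention period are assumptions."""
from dataclasses import dataclass, field
from datetime import datetime, timedelta, timezone

# Needs analysis (assumption): the only fields this hypothetical order service
# actually needs. Anything else submitted by the client is dropped before storage.
REQUIRED_FIELDS = {"email", "postal_address"}

# Authorisation management (assumption): which role may read which field.
FIELD_ACCESS = {
    "support": {"email"},
    "logistics": {"postal_address"},
    "dpo": {"email", "postal_address"},
}

# Storage limitation (assumption): keep data for 30 days after the order closes.
RETENTION = timedelta(days=30)


@dataclass
class CustomerRecord:
    data: dict
    closed_at: datetime
    anonymised: bool = False
    # Data protection by default: the most protective settings apply unless the
    # data subject actively changes them.
    settings: dict = field(default_factory=lambda: {
        "profile_public": False,
        "marketing_emails": False,
        "share_with_partners": False,
    })


def minimise(submitted: dict) -> dict:
    """Keep only the fields identified as necessary in the needs analysis."""
    return {k: v for k, v in submitted.items() if k in REQUIRED_FIELDS}


def read_field(record: CustomerRecord, role: str, field_name: str):
    """Return a field only if the role is authorised for it.

    Raises PermissionError for unauthorised roles; returns None once the
    record has been anonymised, because the value no longer exists.
    """
    if field_name not in FIELD_ACCESS.get(role, set()):
        raise PermissionError(f"role {role!r} may not read {field_name!r}")
    if record.anonymised:
        return None
    return record.data.get(field_name)


def apply_retention(record: CustomerRecord, now: datetime) -> bool:
    """Anonymise the record once the retention period has expired.

    Returns True if the record is (now or already) anonymised.
    """
    if not record.anonymised and now - record.closed_at > RETENTION:
        record.data = {k: None for k in record.data}
        record.anonymised = True
    return record.anonymised


if __name__ == "__main__":
    # Constructed sample input: the client sends more than the service needs.
    submitted = {"email": "a@example.com", "postal_address": "1 Main St",
                 "date_of_birth": "1990-01-01"}
    rec = CustomerRecord(data=minimise(submitted),
                         closed_at=datetime(2024, 1, 1, tzinfo=timezone.utc))
    print(sorted(rec.data))                       # date_of_birth was never stored
    print(read_field(rec, "support", "email"))    # allowed
    apply_retention(rec, datetime(2024, 3, 1, tzinfo=timezone.utc))
    print(rec.anonymised)                         # retention period has passed
```

The point of keeping the three tables as data rather than scattering checks through the code is that they are exactly the artefacts a written needs analysis and authorisation procedure should produce, so the documentation and the enforced behaviour stay the same thing.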

Using the user perspective as a starting point

It is important not to think about all the steps only from the perspective of the company. The company should instead try to start from the user's perspective: what the user expects to happen with their data, and which settings they would choose if asked. To check these assumptions, it can be useful to run pilot tests and collect feedback from users.

Risk analysis

Before the processing of personal data begins, the company shall take the risks of the processing into account. A written risk analysis is a good way to do this, as the documentation can then also be presented in the event of supervision. In the risk analysis, the company shall justify the processing. Even if the supervisory authority comes to a different conclusion after reviewing the company's processing, it helps to be able to show that a written risk analysis was carried out before the processing began.

Documentation

It is good to document the company's work on GDPR, including the measures taken to ensure that the company meets the requirements of data protection by default. In addition, it may be useful to include them in, for example, internal guidelines for employees.

Guidelines

In order for employees to be able to work in accordance with the GDPR in practice, it is good to provide them with written guidelines, routines and instructions, for example on how to respond when a data subject asks to exercise one of their rights.

Data protection by design

The company shall process personal data in accordance with the data protection principles stated in Article 5 of the GDPR, and implement built-in data protection by design and data protection by default. According to the requirement of data protection by design, the company must implement appropriate technical and organisational security measures already in the design of its processes, systems and procedures. The purpose is to ensure that the data protection principles are complied with and that the rights of the data subject are protected. In short, the company must take the data protection rules into account at an early stage, already when procedures are being developed and the IT system is under development.

The more sensitive the personal data, the higher the requirements

The more sensitive the personal data a company processes, and the greater the harm a breach could cause the data subjects, the higher the security requirements. Examples of data that warrants stronger protection are the four categories of privacy-sensitive personal data, of which sensitive personal data (the special categories of personal data under Article 9 of the GDPR, such as health data) is one. Personal data must be protected by implementing appropriate technical and organisational security measures.

Examples of technical security measures for data protection by design


Antivirus protection

To reduce the risk of malware deleting, modifying or exfiltrating personal data, it is a good idea to run anti-malware protection on the devices that process it and to keep both the protection and the devices themselves updated.


Two-factor authentication at login

It is good to activate two-factor authentication when logging in to systems that contain personal data, especially if the data is particularly worthy of protection. For example, after the user has entered their password, a one-time code is sent to the user's mobile phone and must be entered to confirm that the person logging in is the authorised user. Such codes should be short-lived, usable only once and limited in the number of attempts allowed, and codes delivered by SMS are a weaker second factor than an authenticator app or a hardware security key, so the latter are preferable for the most sensitive systems.
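As an added example (not code from the original article), the following Python class issues and verifies the kind of one-time code described above. The delivery step is deliberately left to a caller-supplied function, since sending an SMS or push message is outside the point being made; the five-minute lifetime, the five-attempt limit and the `deliver` hook are all assumptions.

```python
"""Added example: issuing and verifying a short-lived, single-use login code
with an attempt limit. Not from the original page; lifetime, attempt limit and
the delivery hook are assumptions."""
import hashlib
import hmac
import secrets
import time

CODE_LIFETIME_S = 300   # assumption: a code is valid for five minutes
MAX_ATTEMPTS = 5        # assumption: a code is discarded after five wrong guesses


class OtpStore:
    """Pending one-time codes, keyed by user id. `now` is injectable for tests."""

    def __init__(self, now=time.time):
        self._now = now
        # user_id -> [code_hash, salt, expires_at, attempts]
        self._pending = {}

    def issue(self, user_id: str, deliver) -> None:
        """Generate a six-digit code, store only its salted hash, and hand the
        plaintext to `deliver(user_id, code)` (hypothetical delivery hook)."""
        code = f"{secrets.randbelow(10**6):06d}"
        salt = secrets.token_bytes(16)
        digest = hashlib.sha256(salt + code.encode()).hexdigest()
        self._pending[user_id] = [digest, salt, self._now() + CODE_LIFETIME_S, 0]
        deliver(user_id, code)

    def verify(self, user_id: str, submitted: str) -> bool:
        """Check a submitted code. Expired, over-tried or used codes are removed
        so that each issued code can succeed at most once."""
        entry = self._pending.get(user_id)
        if entry is None:
            return False
        entry[3] += 1
        if self._now() > entry[2] or entry[3] > MAX_ATTEMPTS:
            del self._pending[user_id]
            return False
        # The hash keeps plaintext codes out of the store; because a six-digit
        # code space is small, it is the expiry and the attempt limit that
        # actually bound guessing, not the hash.
        candidate = hashlib.sha256(entry[1] + submitted.encode()).hexdigest()
        if hmac.compare_digest(candidate, entry[0]):
            del self._pending[user_id]   # single use
            return True
        return False


if __name__ == "__main__":
    sent = {}
    store = OtpStore()
    store.issue("alice", lambda uid, code: sent.__setitem__(uid, code))
    print(store.verify("alice", "000000"))       # almost certainly False
    print(store.verify("alice", sent["alice"]))  # True on the first correct use
    print(store.verify("alice", sent["alice"]))  # False: the code was consumed
```

`hmac.compare_digest` is used for the comparison so that the time taken does not depend on how many leading characters of the guess are correct; the attempt counter is incremented before the expiry check so that a flood of requests against an expired code does not keep the entry alive.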


Backup files

A breach of security that leads to personal data being accidentally altered or lost is a personal data breach under the GDPR. It is therefore good to keep backups, for example on a cloud service, so that the data can be restored if necessary. Backups contain the same personal data as the live system, so they need the same protection (encryption, access control) and must be covered by the company's retention and erasure routines, and restores should be tested regularly so that the backup actually works when needed.

Examples of organisational security measures for data protection by design


Education

It is the employees of the company who process personal data in their work, for example a customer service employee who receives emails from customers submitting complaints. Therefore, it is good to provide the staff with appropriate GDPR training. Not every employee needs to know all the rules of the GDPR, but each should know the rules relevant to their own work tasks.


Written instructions

In order to facilitate the work of the employees, make it more efficient and prevent incorrect handling of personal data, it is good to draw up written internal instructions, for example on how an employee should act when a data subject wants to exercise their rights.

Examples of how companies can think when working with data protection by design

A company subject to the GDPR shall implement built-in data protection by design and data protection by default. In order to comply with these requirements under Article 25 of the GDPR, the company may take the following actions.

Carry out a risk analysis

It is a good idea to carry out a risk analysis in which the company identifies the consequences that breaches of the data protection principles may have for the data subjects. The more serious the consequences, the stricter the requirements on the security measures. In some cases, the risk analysis may also show that the intended processing cannot be carried out at all, for example because the remaining risk is too high.

The effect

The intended goal of the processing and its actual outcome should be the same, or at least as close as possible. Before starting, the company should therefore analyse what effect the processing will have on the data subjects and compare it with the goal that was set for the measure, so that the processing does not go beyond what its purpose requires.

Document analysis

The GDPR requires companies to be able to demonstrate that they comply with the GDPR in practice. This means, among other things, that companies subject to the regulation should have the necessary GDPR-related contracts and documents in writing. For example, by documenting various analyses that should include information about what technical and organisational security measures the company takes.

Testing, evaluating and improving the measures

It is good to continuously test and evaluate the security measures that the company implements. Thereafter, the company can, if necessary, take measures to improve the work with data protection by design and by default.

Keep an eye on developments

Technology is constantly evolving and it is therefore good to keep an eye on it. For example, what new technologies may be suitable for the company to implement, to ensure a higher level of data protection.

Cost to business

It is good to keep in mind that it costs money for companies to take appropriate measures for data protection by design and by default in accordance with the GDPR. Therefore, it is good to budget for such expenses. Remember not to spend disproportionately if there are other less demanding ways that can achieve the same results.
