The European Data Protection Board (EDPB) - an independent European body that helps contribute to the application of data protection rules across the European Union, recently adopted guidelines around how the General Data Protection Regulation's (GDPR) should be interpreted.

The guidelines, published November 13, emphasize the need for Data Protection by Design and by Default, a.k.a. DPbDD.

“In an increasingly digital world, adherence to DPbDD requirements play a crucial  part  in  promoting privacy and data protection in society. It is therefore essential that controllers take this responsibility seriously and implement the GDPR obligations when designing processing operations,” Andrea Jelinek, the Chair of the EDPB, wrote in the guidance, Guidelines 4/2019 on Article 25, Data Protection by Design and by Default.

Under this concept, controllers are required to implement appropriate technical and organizational measures and necessary safeguards and deploy data protection principles in a way that they protect the rights and freedoms of data subjects but also so their effectiveness can be demonstrated.

Under the EDPB's guidelines, organizations of all sizes - both small location associations and multinational companies – should consider DPbDD whenever planning a new processing organization. The concept should feed into "all stages of design," including tenders, outsourcing, development, support, maintenance, testing, storage, deletion, and so on.

After initiated, controllers have a “continued obligation” to maintain DPbDD. As the EDPB notes, a number of elements can change over the course of processing – “the nature, scope, context and purpose of the processing, the risk of varying likelihood and severity for rights and freedoms of natural persons posed by the processing.” That means the controller will need to re-evaluate their processing operations via regular reviews and assessments of the effectiveness of their chosen measures and safeguards.

When it comes to designing how data is processed, the EDPB said in its guidance that controllers need to keep tabs on technology and whether advances can allow for continued, effective implementation of data protection principles. The idea, dubbed “state of the art” by the EDPB essentially encourages controllers to apply the available and suitable technologies for data avoidance and minimization.

The guidance also includes further instructions around how to implement data protection principles outlined in Art. 5(1) of GDPR, information around certification with Article 42 (to demonstrate compliance with DPbDD) and how supervisory authorities enforce Article 25, as well.