What does ‘data protection by design and by default’ mean under EU Data Protection Law?
Key points:
European Data Protection Law requires appropriate technical and organizational measures to implement the data protection principles and safeguard individual rights. This is called ‘data protection by design and by default’.
In essence, this means controllers must integrate or ‘bake in’ data protection into processing activities and business practices from the design stage and throughout the lifecycle.
This concept is related to the concept of ‘privacy by design’. Data protection by design is about considering data protection issues upfront. It helps ensure compliance with fundamental principles and requirements, and forms part of the focus on accountability.
Controllers bear the burden to comply with data protection by design and by default.
Controllers must only use processors that provide sufficient guarantees to meet the data protection by design and by default requirements.
Developers and designers have no specific obligations about how to design and build these products (although they may have specific obligations as a controller in their own right, eg for any employee data.) However, because controllers are required to consider data protection by design…
