The European Data Protection Board (EDPB) recently published new Guidelines to help businesses comply with their obligation to adopt a Data Protection by Design and by Default (DPbDD) approach when processing personal data.
Article 25 GDPR requires controllers to implement appropriate technical and organisational measures and safeguards that give effect to the data protection principles and protect data subjects’ rights, both by design and by default. The Article has two limbs: Article 25(1) addresses data protection by design, and Article 25(2) addresses data protection by default, so both elements must be taken into account.
A controller must adopt a DPbDD approach at every stage of a processing activity’s lifecycle, including tendering, outsourcing, development, support, maintenance, testing, storage and deletion. The weight of the DPbDD obligation is underlined by Article 83(2)(d): the technical and organisational measures a controller has implemented under Article 25 are a factor a competent supervisory authority must consider when deciding whether to impose an administrative fine and at what level.