DATA PROTECTION
EDPS enacts the Opinion 5/2018 on the practical implementation of the "privacy by design" principle.
With the full applicability of the General Data Protection Regulation in the EU as of 25 May 2018, data protection by design and by default becomes an enforceable legal obligation. We need to keep the momentum going so that this new obligation can increase the effectiveness of the protection promised by the GDPR. This shall contribute to this target by raising awareness, promoting the creation of public value and societal wellbeing and by calling on all stakeholders to engage in a responsible discussion with a view to take the appropriate actions.
This Opinion distinguishes between the general principle of “Privacy by Design” which encompasses an ethical dimension consistent with the principles and values of the EU Charter of Fundamental Rights, and the specific legal obligations provided by Article 25 of the GDPR to which we refer as “Data Protection by Design” and “Data Protection by Default”. The Opinion briefly recalls the history of the principle of privacy by design from the initial research on technologies for privacy until the GDPR. It also analyses the content of Article 25 and its relationship with other articles. It also considers other elements of EU legislation which refer to privacy by design. Furthermore, some implementations outside the EU are presented. In an overview of the state of the art, the Opinion provides examples of methodologies to identify privacy and data protection requirements and integrate them into privacy engineering processes with a view to implementing appropriate technological and organisational safeguards.
Some of these methodologies define data protection goals directly from privacy and data protection principles, such as those of the GDPR, or derive them from operational intermediate goals. Other methodologies are driven by risk management. The design and operation process needs to consider the whole life cycle of a service or a product, from initial planning to service/product disposal. The techological overview includes also standardisation efforts to integrate privacy requirements in system design and the state of the art of privacy enhancing technologies. There is a need to advance the state of the art and the use of privacy enhancing solutions. While research has been increasing as well as initiatives dedicated to the development of the privacy engineering discipline, this is not yet enough to drive a change in the effectiveness of the protection of individuals and their personal data. Organisations can only have benefits from adopting a privacy by design approach. Policies promoting privacy enhancing technologies and strategies should be within the priorities of the EU agenda and public administrations must lead by example. The IPEN initiative will be a vehicle to promote privacy enhancing technologies among stakeholders at the international level.
This Opinion distinguishes between the general principle of “Privacy by Design” which encompasses an ethical dimension consistent with the principles and values of the EU Charter of Fundamental Rights, and the specific legal obligations provided by Article 25 of the GDPR to which we refer as “Data Protection by Design” and “Data Protection by Default”. The Opinion briefly recalls the history of the principle of privacy by design from the initial research on technologies for privacy until the GDPR. It also analyses the content of Article 25 and its relationship with other articles. It also considers other elements of EU legislation which refer to privacy by design. Furthermore, some implementations outside the EU are presented. In an overview of the state of the art, the Opinion provides examples of methodologies to identify privacy and data protection requirements and integrate them into privacy engineering processes with a view to implementing appropriate technological and organisational safeguards.
Some of these methodologies define data protection goals directly from privacy and data protection principles, such as those of the GDPR, or derive them from operational intermediate goals. Other methodologies are driven by risk management. The design and operation process needs to consider the whole life cycle of a service or a product, from initial planning to service/product disposal. The techological overview includes also standardisation efforts to integrate privacy requirements in system design and the state of the art of privacy enhancing technologies. There is a need to advance the state of the art and the use of privacy enhancing solutions. While research has been increasing as well as initiatives dedicated to the development of the privacy engineering discipline, this is not yet enough to drive a change in the effectiveness of the protection of individuals and their personal data. Organisations can only have benefits from adopting a privacy by design approach. Policies promoting privacy enhancing technologies and strategies should be within the priorities of the EU agenda and public administrations must lead by example. The IPEN initiative will be a vehicle to promote privacy enhancing technologies among stakeholders at the international level.
