These new guidelines concern in particular the interpretation of Art. 25 of the GDPR. The developer must fully understand the principles of personal data protection and the related rights and freedoms, and must build systems and protective measures that are adequate to protect personal data on the one hand while preserving freedom of development on the other.
In the new guidelines, the principles of privacy by design and by default are further elaborated, together with recommendations to developers and producers on how to achieve the personal data protection objectives, including through the adoption of specific certifications and codes of conduct.
The principles of data protection by design must be implemented when the data controller determines the means of processing personal data, taking into account factors such as the state of the art, the cost of implementation, the nature, scope, context and purposes of the processing, and the risks involved. The guidelines therefore stress that, in any cost-benefit analysis, the controller must take the privacy by design objective into account from the outset, since retrofitting a process that is already running is likely to be far more expensive.
Once the processing has begun, the developer still bears the burden of maintaining the defined standard, bearing in mind that the level of risk may change during the development phase; such a change may in turn require the controller to re-evaluate the security measures already implemented.
The new guidelines specify that this obligation to maintain, supervise and adapt the privacy by design and by default system also applies to systems that pre-date the GDPR, which must therefore be brought into line with the new guidelines where necessary.
Privacy by default, on the other hand, refers to the choices inherent in the configuration and processing options offered by a system such as a software application. The controller must first define the reasons why personal data are collected and stored. It follows that, by default, the controller may not:
- collect more data than is actually needed;
- retain data for longer than necessary;
- process the data for purposes beyond those previously authorized by the data subject.
Where a data controller uses third-party software to process personal data, the controller has a duty to carry out a prior risk assessment of the third-party product, in order to verify its compliance with the applicable regulations and with the established objectives of personal data protection. In general, operational processes must be designed to process as little personal data as possible to achieve the intended purpose, including with regard to authorizations and access to the software itself.
In conclusion, the new guidelines set out how an effective system for implementing technical and organizational measures in the context of privacy by design and by default can be summarized as a system for minimizing personal data with reference to the specific purpose of the processing.