Privacy by design
The two terms 'Privacy by Design' and 'Privacy by Default' are older than the new General Data Protection Regulation (GDPR). However, the law has given them a whole new meaning (Art. 25 GDPR).
'Privacy by design' means that the technical structure of a data processing system must be designed so that data protection is automatically integrated into the system from the start. In other words, data protection must be a system property. This is achieved through the 'Technical and Organizational Measures' (TOM) when installing the computers and implementing their programs. Here it is up to the manufacturer.
Specifically, however, the GDPR only mentions the obligation to pseudonymize (Art. 25, para. 1). This is then defined in more detail in Art. 4, para. 5. On all other points, however, the GDPR is extremely 'vague':
"...measures may include minimizing the processing of personal data, pseudonymizing personal data as quickly as possible, providing transparency regarding the functions and processing of personal data, enabling the data subject to monitor the processing of personal data and enabling the controller to create and improve security functions ..." (Recital 78).
'As quickly as possible', 'create transparency', 'minimize', 'enable' - all phrases that have so far created little more than a wide scope for interpretation.
In short, the rule of 'privacy by design' does not allow for a standardized answer; it depends on the respective data protection requirements. However, it is clear that the possible requirements of the GDPR must be taken into account when setting up a data processing system and when selecting and implementing the technology and software used.
Ask b.r.m. in Bremen. In addition to our resources in data protection through Harald Rossol and Rainer Dedermann, we also have extensive expertise in IT.