Effectiveness of measures

The following analyzes the requirement of Art. 25(1) GDPR that the measures need to be implemented “in an effective manner”. It does so in the context of the other wording of Art. 25(1) GDPR.

Unlike the previous analysis, the present one will not be used to identify areas for which measures have to be found. It will be used as an important aspect that needs to be considered for each of the proposed measures.

Art. 25(1) GDPR mandates controllers to implement appropriate measures “which are designed to implement data-protection principles” in order “to integrate the necessary safeguards into the processing”. In this context, the requirement of effectiveness expresses that it is not an objective in its own right to implement measures. In fact, measures are only of value based on their effectiveness to implement the data-protection principles and to integrate safeguards. Consequently, just implementing measures without considering their effectiveness would be a futile exercise.

The contexts relative to which effectiveness has to be analyzed are provided in Art. 25(1) GDPR in the form of the aspects which controllers need to take into account. Namely, these aspects are the following [listed in a different order than used in the text of the GDPR]:

  • “the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing”,
  • “the cost of implementation”,
  • “the state of the art”, and
  • “the nature, scope, context and purposes of processing”.

When considering effectiveness in the context of the risks to affected natural persons, it is evident that the measure must be effective to mitigate the risks. It also implies a certain proportionality relative to the magnitude of the risks. When considering a set of implemented measures, their effectiveness is sufficient if it is suited to mitigate the risk to an acceptable level.

When considering the effectiveness in the context of cost, the GDPR seems to acknowledge that the resources available to implement measures are limited and should be used effectively. This permits controllers to use less expensive, cost-effective, measures in place of expensive ones with a similar effect. In other words, the criterion is effectiveness, not affordability or cost to the controllers as such. While the consideration of cost leaves the possibility that a cost can be deemed excessive, high cost cannot be used as a justification to disregard the effectiveness required in different contexts. If the costs required to ensure an adequate level of guarantees are too high for a controller, the controller should refrain from the processing activities.

When considering the effectiveness in the context of the state of the art, the consequences are two-fold. On the one hand, it prevents controllers from ignoring new measures and refraining from updating the level of protection to what is offered by the state of the art. On the other hand, a controller cannot be obliged to implement measures that have been outlined in some research paper without having been tested or rendered usable in an operational environment. In situations where controllers rely on the market to provide certain kinds of software, controllers may be justified to limit the implemented measures to those actually available on the market, if these are sufficient to provide effective protections. As in the context of cost, this cannot waive effectiveness requirements in other contexts, however.

In the context of security measures, the state of the art has a particular meaning. Cybersecurity can be seen as an arms race between attackers and defenders. In the ever-evolving threat landscape, whenever defenders find more effective means of thwarting attacks, attackers find more sophisticated means of attack. This makes it evident that the concept of an “effective defense” is constantly moving. In this context, current information about threats and available defenses is important when assessing the effectiveness of implemented measures. Also, a failure to implement new measures, for example in the form of security-critical updates or patches, cannot be justified by controllers (except in the rare event where the new measures are irrelevant to the processing activities and the related risks).

Note that the EDPB points out in their guidelines on DPbDD that the state of the art is not only defined by technical measures, but also includes organizational measures such as frameworks, standards, certification, and codes of conduct[1].

When considering the effectiveness relative to the nature, scope, context and purposes of processing, it is acknowledged that measures have to be matched with the processing at hand. A measure that is effective for a traditional information system that supports humans who make decisions may not be effective when applied to a machine-learning application that makes automatic decisions; a measure that works fine for low-volume processing in a small environment may not scale up to high-volume processing; and a measure that works effectively when using trustworthy processors (who themselves are subject to the GDPR) may not be effective and sufficient when using less trustworthy processors (such as those located in third countries and not themselves bound by the GDPR).

Art. 5(2) requires that controllers must be able to demonstrate compliance with the GDPR. An important aspect of this is to be able to demonstrate that the implemented measures are indeed effective. It should be an integral part of the process of making decisions about which measures to implement. The dimensions of effectiveness are given in Art. 25(1) and have been discussed above.


[1] See paragraph 22 of the EDPB guidelines on DPbDD.

