Art. 25 GDPR includes the following:
Taking into account [..], the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organizational measures [..] which are designed to implement data-protection principles [..] in an effective manner and to integrate the necessary safeguards into the processing [..].
The main obligation for controllers stated in Art. 25(1) GDPR is thus that they “shall [..] implement appropriate technical and organizational measures [..] which are designed to implement data-protection principles” (see the “Main Principles” section in the general part of these Guidelines).
Throughout the GDPR, the implementation of technical and organizational measures is stated to be the way to comply with data protection principles. This implies that everything a controller does in support of the data protection principles must be considered to be a measure. Consequently, the concept of a measure must be understood in a very broad sense. It is not restricted to physical artefacts (such as firewalls) or specific actions (such as training of staff); it must also encompass all considerations and decisions that are necessary to determine the means of processing in a manner that is compliant with the principles and obligations of data protection.
Art. 25(1) GDPR also states that these measures shall be implemented “in an effective manner”. Effectiveness will therefore be analyzed below.
Furthermore, Art. 25(1) states that the measures are implemented “to integrate the necessary safeguards into the processing”. In other words, the implementation of measures is the way to achieve the objective of integrating the necessary safeguards into the processing. Grammatically, this interpretation becomes even clearer when “to integrate” is expanded into its complete form, “in order to integrate”. The “to” excludes the interpretation that the integration of safeguards is required as a separate obligation in addition to the implementation of measures.
Arguably, the essence of Art. 25(1) lies in the wording “both at the time of the determination of the means for processing and at the time of the processing itself”. This means that the implementation of the measures has to happen in two distinct periods of time. It thus implies a phase model for a processing activity. This is compatible with the understanding of data protection by design as considering data protection in every phase of a processing activity. The legal interpretation of the phases of processing addressed in Art. 25(1) is provided in the following subsection.
[1] This includes, among others, Art. 24, 25, and 32 GDPR.