The objective of data protection by design is to integrate (or implement) in all phases of a processing activity appropriate technical and organizational measures that implement data protection principles.
The EDPB’s guidelines on DPbDD contain a major section on “implementing data protection principles in the processing of personal data using data protection by design and by default”. It is structured by the data protection principles that have to be applied. The guidelines by the EDPB do not address the question of how to apply DPbDD in the different phases.
This section on how to apply data protection principles does not focus on a description of the principles themselves as do the EDPB guidelines (independently of phases); a detailed description of the guidelines was already provided in the according chapter of the PANELFIT guidelines (see the “Main Principles” section in the general part of these Guidelines). In fact, this section discusses the processes that can be used to apply these principles in every of the three phases that was identified in the analysis of Art. 25(1) above.
What is thus common to all three phases is that they use the principles of data protection in every work step (or decision) in order to
- identify risks that lead to the violation or inadequate implementation of a principle, and
- identify appropriate technical and organizational measures that mitigate these risks.
The actual measures to implement largely depend on the nature, scope, context and purposes of processing. It is therefore not possible to provide a complete list of appropriate measures for each tuple of phase (or task within a phase) and principle. This section therefore describes the process of identifying appropriate measures. A detailed discussion (with examples) of measures to implement the various principles have been provided in the according section of the Guidelines.
The following discusses the phases of determining the purposes, determining the means, and the processing itself in more detail.