Privacy by default in practice, according to the Spanish Data Protection Authority.

markus-spiske-iar-afB0QQw-unsplash.jpg

With few exceptions, the GDPR has been adopted identically throughout Europe. In Spain, the Spanish Data Protection Authority has weighed in on the general principle of data protection by default, a concept that is clear in theory but difficult to apply in practice:

According to the Spanish Data Protection Authority, the data controller (the company) must, by default, process only the data necessary for each specific processing purpose. This is exactly the opposite of what happens when, in an online form, you see that the box for subscribing to the newsletter is already checked.

The Spanish Data Protection Authority's guide [https://www.aepd.es/sites/default/files/2020-10/guia-proteccion-datos-por-defecto.pdf] provides practical guidance on how to apply this principle to data processing in accordance with the provisions of the GDPR and the guidelines adopted by the European Data Protection Board.

This document is intended for data controllers, DPOs, as well as developers and providers, insofar as they provide products and services to data controllers and seek to ensure that those controllers comply with the requirements of the GDPR.

The concept of privacy by default requires that the use of a dataset be segmented across different processing operations and across the various stages of processing, so that not all operations carried out as part of a processing operation are performed on all data, but only on the data that is necessary and only when strictly necessary.

The processing must be minimally intrusive (minimum amount of personal data, minimum scope of processing, minimum storage period, and minimum access to personal data) and must not require the involvement of the individual whose data is being processed.

The implementation of these measures focuses on optimization, configurability, and mitigation strategies.

The objective of optimization is to analyze data processing from the perspective of data protection, which involves implementing measures related to the amount of data collected, the scope of processing, and the storage and accessibility of that data.

The second strategy involves the configuration of services, systems, or applications, which must allow for the establishment of parameters or options that determine how the processing is to be carried out, and which are likely to be modified by the company as well as by the user.

Finally, this limitation ensures that, by default, data processing is as privacy-friendly as possible, so that the configuration options are appropriate for the parameters that limit the amount of data collected, the scope of processing, data storage, and data accessibility.

The guide also includes an operational and editable document outlining the measures to be taken to implement the default data protection strategies in Spanish, as well as a chapter on documentation and auditing, which are necessary to demonstrate compliance with the standard.

The principle of privacy by default does not stem from the results of a risk assessment regarding rights and freedoms, but rather consists of measures and safeguards that must be put in place whenever personal data is processed.

Back
Back

Sustainability and Corporate Governance: The Online Consultation Launched by the European Commission.

Next
Next

5G Technology: Speed, Data, and Liabilities.