From Privacy by Design to Data Protection by Design: The Challenges of Turning Good Practice into a Legal Obligation

Wednesday, August 14, 2019 - 2:30 pm–3:20 pm

Achim Klabunde, Adviser on Technology and Data Protection to the European Data Protection Supervisor (EDPS)


With the full applicability of the GDPR since 25 May 2018, "Data protection by Design" became a legal obligation for all organisations processing personal data under the legislation of the EU, referred to as "controllers". They have to "implement data-protection principles (...) in an effective manner and to integrate the necessary safeguards into the processing", according to Article 25 of the GDPR. This new situation creates a challenge not only for the controllers themselves, but also for the supervisory authorities, the courts and other regulatory actors who need to establish practicable and measurable criteria to determine whether or not an existing data processing operation complies with the requirement. They have to assess concrete solutions against the state of the art and the effectiveness of the measures.

The GDPR addresses the entire life cycle of data processing systems, from the early design to productive operation, and considers both the technology as such and the organisational context around it. The new situation brings new challenges for privacy engineers. Not only will they have to consider what constitutes the state of the art, it will also be necessary to consider the full range of data protection principles in the development of new technologies and solutions. Is the discipline of privacy engineering already mature enough to face this comprehensive demand? Are there gaps in the portfolio of existing PETs and methods that research and development need to address? How can the GDPR's idea that public sector customers can advance the state of the art in data protection by design through their procurement work? What actions can create incentives for suppliers to improve the technical data protection measures?

The privacy engineering community should discuss which tools and instruments can address these challenges - design patterns, software catalogues, tool boxes, check lists - and their methods of usage.

Achim Klabunde, EDPS Technology Advisor

Achim Klabunde is the Advisor on Technology and Data Protection to the European Data Protection Supervisor. He provides the elected supervisors with expertise on the impact of existing and emerging technologies on the fundamental rights of individuals through the processing of personal data. A computer scientist with industry experience in software projects and in technology policy in the public service, his work focuses on the interaction between data protection and privacy rights and technological development.

USENIX Security '19 Open Access Videos Sponsored by King Abdullah University of Science and Technology (KAUST)
