Data protection by design and default: what data controllers need to know and do



Krys Assan | Data Protection Advisor

Date: 27 June 2023

The Future of Privacy Forum (FPF), a prominent Washington think tank, published a May 2023 report reflecting on data protection by design and by default. Data controllers’ duty to implement appropriate technical and organisational measures (‘TOMS’) was a novel obligation introduced into EU data protection law in 2018 through Article 25 GDPR. The law requires controllers to introduce measures that effectively operationalise data protection principles, facilitate individual data protection rights and embed compliance with legislation. Data protection by design must be at the forefront of data governance considerations when procuring and governing technologies, from common applications to state-of-the-art artificial intelligence (AI). Moreover, the duty to comply applies to any organisational process that involves personal data. Yet, beyond a single general indication of what such measures might entail (Article 25(1) names pseudonymisation as its only example), the GDPR is silent on what organisations must do to comply. On the one hand, this is a benefit, as controllers retain discretion as to which TOMS to select. On the other, the lack of clarity creates uncertainty for organisations as to what will or will not satisfy the obligation. The FPF report speaks to this gap by examining what Article 25 requires in practice and how it is enforced.

FPF’s 84-page contribution to current understanding of data protection by design represents a significant synthesis of regulatory, judicial and academic literature from the European Economic Area (EEA) and United Kingdom (UK). Its findings draw on 82 enforcement decisions issued by data protection authorities (DPAs). Additionally, case studies address the application of Article 25 in a wide range of public and private contexts, including healthcare processing, employee monitoring, direct marketing and technology in educational settings. This article extracts from the FPF report the most important, actionable insights on what data protection by design entails in practice. Page numbers refer to the FPF report unless otherwise cited.

How to comply with Article 25 GDPR

Technical measures matter – but organisational controls do as well.

There is a misconception that data protection by design and by default is primarily a technical concept, synonymous with privacy-enhancing technologies. Yet FPF’s findings stress that neither technical nor organisational safeguards are likely to satisfy Article 25 on their own. The EDPB Guidelines require controllers to keep apprised of state-of-the-art attacks and countermeasures, security best practices and current technical solutions for achieving compliance (pp. 7-8). However, DPAs also evaluate policies, employee training and adherence to best practice and codes of conduct when assessing compliance, which demonstrates the importance of non-technical measures as well.

Generic safeguards will not stave off fines.

Organisations have been fined where TOMS were general in nature, failing to address specific scenarios that would reasonably arise given the particular nature of a controller’s activities. Implementing common, broad safeguards – encryption, staff training, confidentiality agreements, antivirus tools, software updates and audit logs, for instance – has not protected controllers from enforcement action. Instead, meaningful, targeted risk assessments should determine which TOMS controllers choose. Moreover, TOMS must be subject to ongoing review. Controllers that have neglected to maintain the effectiveness of TOMS after implementing them have faced enforcement action (see below).

Effectiveness is key.

The EDPB has stated that ‘effectiveness is at the heart of the concept of data protection by design’ – that ‘each implemented measure should produce the intended results’ (EDPB Guidelines 4/2019, para 13). In conjunction with the accountability principle, it is evident that, first, controllers must be able to demonstrate that measures have an actual effect. This can be achieved by establishing key performance indicators, such as quantitative or qualitative metrics, or by documenting the rationale behind such measures. Second, combined with the requirement that TOMS must be in place both before and during processing, Article 25 sets a higher bar than initial due diligence. It is not sufficient that TOMS merely exist; they must be effective at all times. For example, where a Finnish company did not respond to access requests because of a technical failure that lasted seven months, the DPA issued a fine, determining that the controller had neglected to ensure the tool’s functionality. FPF observes that the mere establishment of a measure is not sufficient; ‘it must also be functional at all times’ (p.18). Thus, the obligation to effectively implement the GDPR is ongoing and does not end with a data protection impact assessment prior to processing.

Beware cost-based justifications for non-compliance.

Article 25(1) expressly names ‘cost of implementation’ as a criterion that controllers may consider when selecting TOMS. Notwithstanding this, the Italian DPA fined an organisation which failed to secure whistleblower data with encryption on the basis that it would be too costly (p.14). FPF finds that DPAs are not sympathetic to defences to enforcement action based on the expense of implementing effective safeguards (p.60).

The Article 25 obligation may be proactive.

European DPAs take divergent approaches to the question of whether Article 25 is to be interpreted preventatively, that is, enforced where processing is yet to begin or where breaches of data subject rights or security are yet to occur. The Irish DPA is notable in its willingness to enforce Article 25 against controllers whose planned, but not yet implemented, processing activities would breach the GDPR.

Processor oversight is paramount.

Controllers must assess whether processors provide sufficient guarantees to implement appropriate TOMS for GDPR compliance. Even where an organisation has no role in designing a tool, the act of procuring a product amounts to determining the means and purposes of processing, thus qualifying the procurer as a data controller. This creates a tension: responsibility for complying with Article 25 rests with the controller, while key design choices sit outside its control. For example, the Belgian DPA fined a public authority that had integrated a Microsoft login solution into its website after Microsoft unilaterally implemented a change that required citizens to use a Microsoft account to access public services (p.11). The case study shows that when processors change a tool, controllers must assess the impact of those changes on compliance.

Moreover, processor oversight is an ongoing obligation spanning the contract term. Article 25 applies ‘at the time of the determination of the means for processing and at the time of the processing itself’ (Art 25(1)). DPAs have held controllers accountable for failing to continuously oversee processors whose activities led to breaches. For instance, a controller may assess the ongoing effectiveness of a processor’s TOMS by evaluating, through audits or inspections, the processor’s methods for detecting security vulnerabilities. Undertaking data protection impact assessments (Article 35) and putting processor contracts in place (Article 28) at the outset of a new relationship are necessary, but not sufficient, compliance steps.

Infringements of Article 25 often involve other compliance breaches as well.

Breaches of Article 25 are enforced independently and are subject to administrative fines of up to 10,000,000 EUR or up to 2% of total annual worldwide turnover (AWT), whichever is higher. However, failure to comply with the duty to implement data protection by design and by default often involves contraventions of multiple data protection principles. In Finland, for instance, relying on the public task lawful basis for software that was not strictly necessary for the public function violated the lawfulness principle as well. The Irish DPA found that Airbnb violated the data minimisation principle by requiring individuals submitting access requests to verify their identity in cases where identity was not contested (p.25). Since breaches of data protection principles or data subject rights are subject to higher-tier fines of up to 20,000,000 EUR or 4% of AWT, failing to engage with Article 25 can be a costly oversight for controllers.


Navigating the legal uncertainty of Article 25 to operationalise data protection by design and default remains a key compliance challenge. Organisations should engage with forthcoming EDPB guidelines on anonymisation and pseudonymisation and with UK guidance on privacy-enhancing technologies. Additionally, the International Organization for Standardization (ISO) recently published a new privacy-by-design standard, ISO 31700-1:2023, to help organisations move from principle to compliance.

Trilateral’s experienced data protection advisors are available to assist organisations in building compliance into procurement and data governance. Get in touch with us today to find out how we can effectively support the implementation of data protection by design in your organisation.
