January 19, 2022

Volume XII, Number 19


January 18, 2022


New European Data Protection Board Guidance on Data Protection by Design and by Default

The European Data Protection Board recently requested comments on its data protection “by design and default” guidelines. Comments are due by mid-January of next year. The Guidelines provide clarity about how to address GDPR’s requirement that companies take “appropriate” technical and organizational steps to protect personal information and individuals. Part of the law’s requirements, according to the guidelines, is that companies can show that the measures they took are effective.

The guidelines stress that measures taken must be appropriate and integrate “necessary safeguards” into the processing of personal information. Measures might range from training to use of advanced technical tools. Examples of potentially appropriate safeguards might include, according to the Guidelines, data deletion reminders, malware detection systems, pseudonymization of data, or training employees about phishing. Important to the EDPB is that companies can demonstrate that the measures they took are designed to protect “data subjects rights and freedoms” as those are set out in GDPR (Articles 12-22). The Guidelines suggest that companies can use key performance indicators to measure compliance, such as looking at quantitative measures (fewer complaints, faster response time) or qualitative ones (expert assessments, grading scales). The company could, alternatively, show their rationale for how they have chosen to assess the effectiveness of the safeguards they selected.

With respect to the concept under GDPR of using “state of the art” measures, the EDPB clarifies in the Guidelines that this means thinking about currently available technologies and organizational measures, and thus staying up to date on what is available in the market. The Guidelines state that this requirement under GDPR is dynamic, so a company that was at one point compliant may no longer be compliant in the future if it fails to keep up with developments. The Guidelines also provide input on the extent of processing, storage limits, and accessibility, among other details.

The Guidelines conclude by providing examples of operationalizing the data protection by design and by default approach (which the EDPB calls DPbDD). One, for example, is of a company that is considering purchasing a CRM platform to let it centralize the information it maintains about its customers. The CRM will also let the company pull in public information and better assess its customers’ “purchasing power.” To address the requirements of DPbDD, the EDPB example has the company require of the CRM platform provider that it map the processing activities within the CRM to the purposes relevant to the company, and flag when processing activities are not aligned with the company’s legitimate purposes. The company can then either (1) establish a new legal basis for that processing or (2) not use that part of the CRM platform tool.

After the public comment period closes on 16 January 2020, the Guidelines will be finalized by the EDPB.

Putting it Into Practice: Companies operating in Europe should review these guidelines carefully, as they provide detailed information about expectations from the EDPB regarding security by design. Of particular interest are the examples provided by the EDPB for different ways to operationalize DPbDD.

Copyright © 2022, Sheppard Mullin Richter & Hampton LLP. National Law Review, Volume IX, Number 344

About this Author

Liisa Thomas, Sheppard Mullin Law Firm, Chicago, Cybersecurity Law Attorney

Liisa Thomas, a partner based in the firm’s Chicago and London offices, is Co-Chair of the Privacy and Cybersecurity Practice. Her clients rely on her ability to create clarity in a sea of confusing legal requirements and describe her as “extremely responsive, while providing thoughtful legal analysis combined with real world practical advice.” Liisa is the author of the definitive treatise on data breach, Thomas on Data Breach: A Practical Guide to Handling Worldwide Data Breach Notification, which has been described as “a no-nonsense roadmap for in-house and...

Kari Rollins Intellectual Property Lawyer Sheppard

Kari M. Rollins is a partner in the Intellectual Property Practice Group in the firm's New York office.

Areas of Practice

Ms. Rollins focuses her practice on privacy and complex commercial litigation matters. She has successfully represented clients in the financial services, audit and accounting, food services, retail, and fashion industries before state and federal courts, as well as in front of state attorneys general, federal regulators, and U.S. and international commercial arbitration forums....

Elfin Noce Business Trial Attorney

Elfin L. Noce is an Associate in the Business Trial Practice Group in the firm's Washington, D.C. office.
