Here the complete recorded presentation for the speach "GDPR & AML what can go wrong" :

<iframe width="560" height="315" src="https://www.youtube-nocookie.com/embed/dcloDlNi554" title="YouTube video player" frameborder="0" allow="accelerometer; autoplay; clipboard-write; encrypted-media; gyroscope; picture-in-picture" allowfullscreen></iframe>

A general presentation General Data Protection Regulation (GDPR) within the context of AML (KYC) 

GDPR and AML, what can go wrong ?


The General Data Protection Regulation (GDPR), enacted in May 2018, has profoundly reshaped the landscape of data privacy, extending its influence well beyond the borders of the European Union. Designed to protect the personal data of individuals and uphold their privacy rights, GDPR introduces a comprehensive framework that mandates stringent guidelines for data handling practices. As businesses increasingly operate on a global scale, understanding the scope and applicability of GDPR becomes essential, particularly for companies located outside the EU that engage with EU residents.

The extraterritorial reach of GDPR signifies its global impact, compelling non-EU organizations to adhere to its provisions under specific circumstances. This broad applicability ensures that data privacy is consistently maintained across international boundaries, fostering trust between consumers and businesses. Non-compliance with GDPR can lead to severe financial penalties, damage to reputation, and disruptions in business operations, underscoring the necessity for global enterprises to prioritize GDPR adherence.

This article provides a comprehensive exploration of how GDPR applies to non-EU companies, examining the regulation's scope, legal obligations, notable enforcement cases, and best practices for achieving compliance. By delving into these aspects, organizations can navigate the complexities of international data protection regulations and implement effective strategies to safeguard personal data and maintain trust with their global clientele.

## 1. Scope and Applicability of GDPR to Non-EU Companies

The GDPR's extraterritorial application is articulated in [Articles 3(1)](https://eur-lex.europa.eu/eli/reg/2016/679/oj) and [3(2)](https://eur-lex.europa.eu/eli/reg/2016/679/oj) of the regulation. These articles delineate the conditions under which non-EU companies are required to comply with GDPR. Specifically, GDPR applies to any organization, irrespective of its geographical location, that processes personal data of individuals residing in the EU, provided that the processing activities relate to offering goods or services to these individuals or monitoring their behavior within the EU. This encompasses a wide array of activities, including online services, marketing initiatives, and data analytics.

Determining GDPR's applicability involves a thorough assessment of a company's business activities in relation to EU residents. Companies offering goods or services to EU individuals, whether for payment or free, fall under the scope of GDPR. Additionally, organizations that monitor the behavior of EU residents, such as through cookies, website analytics, or targeted advertising, are subject to GDPR requirements. Beyond digital interactions, establishing a physical presence in the EU, such as setting up branches or employing staff within EU member states, also triggers GDPR obligations.

Certain sectors face heightened scrutiny under GDPR due to the sensitive nature of the data they handle. For instance, healthcare companies dealing with health-related information must adhere to stricter GDPR provisions. Similarly, financial institutions offering services to EU clients must implement rigorous data protection measures. Technology and SaaS companies providing software solutions to EU users must ensure data portability, consent management, and robust security protocols are in place. Understanding these sector-specific considerations is vital for non-EU companies to effectively determine their GDPR compliance requirements.


## 2. Legal Obligations and Compliance Strategies

Compliance with GDPR necessitates a comprehensive understanding of its legal obligations and the implementation of effective strategies to meet these requirements. [Article 24](https://eur-lex.europa.eu/eli/reg/2016/679/oj) of GDPR emphasizes the responsibility of data controllers to implement appropriate technical and organizational measures to ensure and demonstrate compliance. This includes maintaining detailed records of data processing activities, ensuring data security, and facilitating individuals' rights to access, rectify, and erase their personal data.

A fundamental aspect of GDPR compliance for non-EU companies is establishing a lawful basis for data processing. [Article 6](https://eur-lex.europa.eu/eli/reg/2016/679/oj) outlines the conditions under which personal data processing is considered lawful, including consent, contractual necessity, legal obligation, vital interests, public task, and legitimate interests. Implementing robust consent management systems that allow users to explicitly opt-in and easily revoke consent is crucial. Additionally, maintaining detailed documentation of the lawful basis for each data processing activity is essential for demonstrating compliance during audits.

Data subject rights are another cornerstone of GDPR compliance. The regulation grants individuals substantial rights concerning their personal data, including the right to access, rectify, erase, restrict processing, data portability, and object to processing. Implementing user-friendly interfaces for individuals to exercise these rights, utilizing automated systems to handle requests efficiently, and training staff to recognize and respond to data subject requests appropriately are critical strategies for ensuring compliance.

Incorporating data protection by design and by default is mandated by GDPR, requiring organizations to integrate data protection measures into the development of business processes and systems from the outset. This involves conducting regular data protection impact assessments (DPIAs) to identify and mitigate potential privacy risks, collecting only the data necessary for specified purposes, and implementing techniques to anonymize or pseudonymize personal data to enhance privacy.

## 3. Notable Cases of GDPR Enforcement on Non-EU Companies

Understanding the practical implications of GDPR compliance is best achieved by examining real-world cases where non-EU companies faced enforcement actions. These cases highlight the importance of adhering to GDPR principles and the potential consequences of non-compliance, serving as precedents and warnings to other non-EU companies about the seriousness of GDPR enforcement.

One of the most prominent cases involves Facebook (now Meta), which faced a €390 million sanction for the misuse of legitimate interests. The fine was related to the company's processing of personal data without proper consent, underscoring the necessity for clear and lawful processing grounds. This case illustrates the critical importance of conducting thorough lawful basis assessments and maintaining transparency in data processing activities.

Google LLC was subjected to significant fines from the French Data Protection Authority (CNIL) for GDPR violations. In early 2019, CNIL fined Google €50 million for lack of transparency, inadequate information, and lack of valid consent regarding ad personalization. This case emphasizes that user consent must be freely given and informed, and that privacy notices must be clear and accessible.

The British Airways data breach, which affected approximately 500,000 customers, led to a proposed fine of £183 million for inadequate security measures. This incident highlights the necessity of robust security protocols and timely breach notifications to mitigate the impact of data breaches and demonstrate compliance. Similarly, the Marriott International data breach resulted in a £18.4 million fine for failing to protect personal data, emphasizing the importance of continuous monitoring and timely response strategies.

These landmark cases serve as critical lessons for non-EU companies, illustrating that non-compliance can result in substantial financial penalties and reputational damage. They highlight the importance of adhering to GDPR principles, implementing robust data protection measures, and maintaining transparency and accountability in data processing activities.


## 4. Best Practices and Future Trends for Non-EU Companies

Navigating GDPR compliance presents several challenges for non-EU companies, including the complexity of GDPR requirements, resource constraints, cultural and operational differences, and an evolving regulatory landscape. Addressing these challenges effectively involves adopting best practices that facilitate compliance and foster a culture of data protection within the organization.

Conducting a comprehensive GDPR gap analysis is essential for assessing current data processing activities against GDPR requirements. This involves auditing data processing activities to map out data flows, identifying data types, and understanding how data is collected, stored, processed, and shared. Evaluating potential risks associated with data processing activities and determining their impact on data subject rights helps in prioritizing areas for improvement. Developing a detailed action plan to address identified gaps, including timelines, resource allocation, and responsibility assignments, is crucial for effective compliance.

Appointing a dedicated Data Protection Officer (DPO) ensures that data protection strategies are effectively implemented and maintained. The DPO's responsibilities include providing guidance on GDPR compliance, overseeing data protection policies, and acting as the liaison between the organization, data subjects, and supervisory authorities. For non-EU companies, appointing a representative within the EU can facilitate communication with EU data protection authorities and streamline compliance efforts.

Implementing comprehensive training programs educates employees about GDPR principles, data handling best practices, and their roles in ensuring compliance. Regular training sessions, role-specific training programs, and ongoing awareness campaigns are vital for fostering a culture of data protection. Additionally, investing in robust cybersecurity infrastructure, including encryption, strict access controls, and intrusion detection systems, is crucial for protecting personal data from breaches and unauthorized access.

Developing clear and transparent privacy policies ensures that privacy notices are easily accessible, written in clear language, and provide comprehensive information about data processing activities. Effective privacy policies should articulate the purpose of data processing, inform individuals about their rights under GDPR, and disclose any data sharing with third parties.

Leveraging data protection technologies, such as [Legiscope's GDPR compliance SaaS platform](https://www.legiscope.com), facilitates data mapping, consent management, and compliance monitoring, streamlining GDPR adherence. These technologies offer features like automated compliance checks, consent management tools, and data mapping solutions, which enhance efficiency and accuracy in maintaining compliance.

Looking ahead, data privacy regulations are evolving to address emerging challenges and technological advancements. Regulatory harmonization, with countries adopting GDPR-like regulations, is fostering a more unified approach to data protection. Innovations such as artificial intelligence (AI) and machine learning (ML) are being integrated into data protection strategies to enhance data security and compliance monitoring. Additionally, there is an increasing emphasis on data ethics, encouraging organizations to adopt ethical data practices that respect individuals' privacy and promote trust.


## Conclusion

The applicability of GDPR to companies outside the European Union underscores the regulation's global influence in shaping data protection standards. Non-EU organizations must navigate a complex legal landscape to ensure compliance, which involves understanding the regulation's scope, implementing robust data processing frameworks, and managing cross-border data transfers effectively. Landmark cases, such as the substantial fines imposed on major tech companies, illustrate the serious consequences of non-compliance and highlight the critical importance of adhering to GDPR principles.

As data continues to play an integral role in business operations worldwide, understanding and adhering to GDPR requirements remains essential for sustaining trust and achieving operational excellence in the realm of data privacy. By embracing robust data protection measures and staying informed about evolving regulations, non-EU companies can mitigate risks, foster a culture of transparency and accountability, and secure long-term trust with their customers.

An in-depth analysis of the applicability of GDPR to non-EU companies, including legal obligations, case studies, and practical compliance strategies.

Does GDPR Apply to Companies Outside of the European Union?

The notion of personal data is without question the most important component of the GDPR, because **it defines if GDPR applies or not**. If an organization is processing personal data it is mandatory to ensure compliance with all provisions of the GDPR (99 articles - 100 pages). However, none of these obligations will apply if no personal data is involved. Let's illustrate that by a diagram :

<center><img src="/img/blog/what-is-personal-data-gdpr.png" alt="Personal data" style="width:60%;"/></center>

So understanding what is personal data has real important consequences. Let's dive into the notion.

## I. - The notion of personal data and first examples

The simplest way to understand personal data is : any data that allows to identify directly or indirectly a natual person. It's very a simplified version of the legal definition given by article 4, but it has the benefit of being extremely clear and handle 90% of the situations. Now let's look at a few practical examples.

**Here are some practical examples of personal data :**
- A first name combined with a last name 
- A social security number
- An IP address - as long as there's a natural person behind it 
- A photo of a person
- The recording of a person's voice
- Licence plates
- Someone's CV
- A person's LinkedIn profile

E-commerce orders naturally process personal data : 

<center><img src="/img/blog/personal-data-e-commerce.png" alt="Personal data" style="height: 400px; margin-bottom:40px;" /></center>

**Personal data is not private data**

Personal data is frequently confused with private data - as taken in the sense of "my personal diary" or as data that is intimate to a person. The legal definition is much broader: any data that allows the identification of a person enters the GDPR's scope.

In real life, personal data are always integrated into personal data processing. For example, a company collects emails for its newsletter. Once we've identified that an organization is processing personal data, it's important to be able to record the fact that there is personal data processing, as this is required by law. Let's take a few examples of personal data processing.

## II. - Examples of personal data processing

Here are some classical examples of personal data processing for which organizations will need to ensure compliance:

- HR : recruitment (CV, LinkedIn...), employee payment processes
- Marketing : a newsletter, a blog 
- Sales: CRM
- IT : logs, company's email & messaging, backups
- Operations : company's phones, renting offices...

Let's now look a bit deeper into the legal definition.

## III. - The legal definition of personal data 

So far, we've introduced a simple definition that is great for a first understanding of the concept but that is also imperfect. So let's take look at its exact definition.

The notion of personal data has been defined in [article 4](http://eur-lex.europa.eu/legal-content/EN/TXT/HTML/?uri=CELEX:32016R0679&from=EN): 

>For the purposes of this Regulation:
>(1) ‘personal data’ means any information relating to an identified or identifiable natural person (‘data subject’); an identifiable natural person is one who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person;

Recital 26 also has interesting developments in regard to anonymisation of personal data : 
>The principles of data protection should apply to any information concerning an identified or identifiable natural person. Personal data which have undergone pseudonymisation, which could be attributed to a natural person by the use of additional information should be considered to be information on an identifiable natural person. To determine whether a natural person is identifiable, account should be taken of all the means reasonably likely to be used, such as singling out, either by the controller or by another person to identify the natural person directly or indirectly. To ascertain whether means are reasonably likely to be used to identify the natural person, account should be taken of all objective factors, such as the costs of and the amount of time required for identification, taking into consideration the available technology at the time of the processing and technological developments. The principles of data protection should therefore not apply to anonymous information, namely information which does not relate to an identified or identifiable natural person or to personal data rendered anonymous in such a manner that the data subject is not or no longer identifiable. This Regulation does not therefore concern the processing of such anonymous information, including for statistical or research purposes.

Recital 30 also has interesting developments : 
>Natural persons may be associated with online identifiers provided by their devices, applications, tools and protocols, such as internet protocol addresses, cookie identifiers or other identifiers such as radio frequency identification tags. This may leave traces which, in particular when combined with unique identifiers and other information received by the servers, may be used to create profiles of the natural persons and identify them.


## 4. So you are processing personal data, now what?

As we said, the main consequence of personal data processing is that GDPR will apply. This also means that each data processing will have to be integrated into a compliance process, as well as recorded into the records of processing activities as required by article 30.

[Legiscope helps controllers to automate these obligations](https://www.legiscope.com) and currently reduces the time needed to fill up the records of processings from multiple weeks of work to a few minutes for most standard processing activities. [Check us out!](https://www.legiscope.com)

The notion of personal data is one of the most important notions in GDPR compliance. Here's everything you need to know about it

What is personal data ?


Implementing Privacy by Design (PbD) is essential in today’s digital landscape, where data protection and privacy concerns are paramount. PbD is a proactive approach that integrates privacy principles into the core of an organization’s operations, systems, and culture from the very beginning of any project or process. By embedding privacy into the design phase, organizations ensure that data protection is not an afterthought but a fundamental component of their business practices. This approach not only safeguards personal information but also builds trust with customers and stakeholders, positioning the organization as a responsible data handler.

With the increasing complexity of global data protection regulations such as the [GDPR](https://eur-lex.europa.eu/eli/reg/2016/679/oj), California’s CCPA, ISO 31700, and Brazil’s LGPD, implementing Privacy by Design has become a legal requirement as well as a strategic advantage. Compliance with these regulations is crucial for avoiding substantial fines and penalties, enhancing organizational reputation, and maintaining customer loyalty. This comprehensive guide explores the essential steps, principles, and best practices for effectively implementing Privacy by Design within your organization, ensuring robust data protection and regulatory compliance.

### Key Takeaways

- Implementing Privacy by Design embeds data protection into the foundation of system and process development.
- PbD ensures compliance with major data protection regulations like GDPR, CCPA, and LGPD, mitigating legal risks and penalties.
- Adopting PbD enhances organizational reputation and fosters customer trust by demonstrating a commitment to privacy.
- Proactive privacy measures reduce the likelihood of data breaches and the associated financial and reputational damages.
- Utilizing specialized tools like Legiscope streamlines the GDPR compliance process, saving organizations time and resources.

### Understanding Privacy by Design

Privacy by Design is a strategic framework aimed at integrating privacy into the very architecture of IT systems, network infrastructures, and business practices. Conceptualized by Dr. Ann Cavoukian, PbD is grounded in seven foundational principles that prioritize proactive and preventive measures over reactive solutions that address privacy issues only after breaches occur. This integration ensures that privacy is a core aspect of an organization’s operational blueprint rather than an ancillary feature.

Traditional privacy management approaches often address privacy concerns retrospectively, dealing with issues only after a data breach has occurred. In contrast, PbD mandates that privacy considerations be embedded into every stage of the project lifecycle, from initial design to deployment and beyond. This methodology ensures that privacy safeguards are inherently built into systems and processes, providing a robust foundation for long-term data protection and significantly reducing the risk of future vulnerabilities.

By prioritizing privacy from the outset, organizations can streamline their compliance efforts, enhance their overall security posture, and seamlessly integrate data protection into their business strategies. This proactive approach not only protects sensitive information but also fosters trust and confidence among clients, partners, and stakeholders by demonstrating a steadfast commitment to data privacy.

### The Seven Principles of Privacy by Design

The seven principles of Privacy by Design are the cornerstone of establishing effective privacy strategies within organizations. Each principle provides specific guidelines to ensure comprehensive data protection and user privacy, fostering an environment where privacy is consistently prioritized across all operations.

1. **Proactive not Reactive; Preventative not Remedial:** PbD emphasizes anticipating and preventing privacy risks before they materialize. Organizations are encouraged to implement measures that proactively minimize potential threats, thereby reducing the likelihood of data breaches and the need for costly remediation efforts post-incident.

2. **Privacy as the Default Setting:** Privacy should be embedded into system settings by default, ensuring that users are automatically provided with the highest level of privacy protection without requiring any manual adjustments. This principle minimizes data collection and restricts access to personal information unless explicitly permitted by the user.

3. **Privacy Embedded into Design:** Privacy considerations must be integrated into the core architecture of systems and business practices from the outset. This ensures that privacy is a fundamental aspect of the technology, enhancing overall data protection and preventing privacy from becoming an afterthought.

4. **Full Functionality – Positive-Sum, not Zero-Sum:** PbD promotes the idea that it is possible to achieve both high functionality and strong privacy protection without sacrificing one for the other. This positive-sum approach encourages innovative solutions that respect user privacy while maintaining system efficiency and effectiveness.

5. **End-to-End Security – Full Lifecycle Protection:** Comprehensive security measures should be implemented throughout the entire lifecycle of data processing, from collection and storage to transmission and deletion. This principle ensures that data remains protected at every stage, minimizing the risk of unauthorized access or breaches.

6. **Visibility and Transparency – Keep it Open:** Organizations must maintain transparency about their data handling practices, providing clear and accessible information to users about how their data is collected, used, and protected. This transparency fosters trust and allows users to make informed decisions about their personal information.

7. **Respect for User Privacy – Keep it User-Centric:** PbD emphasizes the importance of respecting user privacy by granting individuals control over their personal data. This involves offering user-friendly options for data access, correction, deletion, and providing mechanisms for users to exercise their privacy rights effectively.

By adhering to these seven principles, organizations can create a robust privacy framework that not only complies with regulatory requirements but also builds and maintains trust with their users and stakeholders.

### Step-by-Step Implementation Guide

Implementing Privacy by Design involves a structured and methodical approach that integrates privacy principles into every facet of your organization’s operations. Below are the essential steps to adopt PbD effectively, ensuring that privacy is maintained without compromising on functionality or innovation.

1. **Conduct a Privacy Impact Assessment (PIA):** Begin by conducting a [Privacy Impact Assessment (PIA)](https://eur-lex.europa.eu/eli/reg/2016/679/oj) or Data Protection Impact Assessment (DPIA). A PIA helps in identifying existing privacy practices and potential risks associated with data processing activities. It involves mapping out how personal data is collected, processed, stored, and shared, allowing you to assess the impact on individuals’ privacy rights and implement necessary safeguards.

2. **Select an Appropriate PbD Framework:** Choose a PbD framework that aligns with relevant regulations such as GDPR, CCPA, ISO 31700, or LGPD. Different frameworks cater to varying regulatory requirements, making it essential to select one that fits your organization's geographic and operational context. An appropriate framework provides a structured approach to embedding privacy into your systems and processes, ensuring comprehensive data protection.

3. **Integrate Privacy into Organizational Culture:** Embed privacy into your organizational culture by establishing robust data protection policies, conducting regular staff training, and defining clear privacy responsibilities across all departments. Developing a privacy-conscious environment ensures that every employee understands their role in maintaining data privacy and adheres to established protocols.

4. **Implement Technical Measures:** Deploy advanced technical solutions such as encryption, access controls, and data anonymization to safeguard personal data. These measures should be embedded into your systems from the outset, providing end-to-end security for data throughout its lifecycle. Implementing technical safeguards minimizes the risk of unauthorized access and data breaches, reinforcing your organization’s data protection capabilities.

5. **Establish Continuous Monitoring and Audits:** Regularly monitor your privacy practices and conduct audits to ensure ongoing compliance and the effectiveness of PbD measures. Continuous assessment helps in identifying and mitigating emerging privacy risks, keeping your data protection strategies up to date with evolving threats and regulatory changes. Implementing automated monitoring tools can enhance the efficiency and accuracy of these audits, allowing for real-time adjustments and improvements to your privacy framework.

6. **Leverage Specialized Tools and Platforms:** Utilize specialized tools and platforms that facilitate PbD implementation, such as [Legiscope](https://www.legiscope.com) for automating GDPR compliance processes, [OneTrust](https://www.onetrust.com), and [TrustArc](https://www.trustarc.com/). These tools offer features like Privacy Impact Assessments (PIA), consent management, data mapping, and automated compliance reporting, making it easier to embed privacy into your workflows and maintain consistent data protection standards.

7. **Foster a Privacy-First Culture:** Promote a culture that prioritizes privacy through leadership commitment, employee engagement, and continuous education. Encourage open communication about privacy practices and recognize employees who exemplify strong data protection behaviors. A robust privacy culture ensures that data protection remains a key focus across all levels of the organization.

8. **Enhance Documentation and Reporting:** Maintain comprehensive documentation of all privacy-related activities, decisions, and measures implemented. This documentation not only aids in compliance audits but also serves as a reference for continuous improvement. Transparent reporting mechanisms ensure that all stakeholders are informed about the organization’s privacy practices and any changes made to them.

### Regulatory Compliance and Privacy by Design

Privacy by Design not only enhances data protection but also ensures compliance with key data privacy regulations. Understanding how PbD aligns with laws like GDPR, CCPA, and LGPD is crucial for avoiding legal penalties and fostering trust with customers. Organizations that effectively implement PbD are better positioned to navigate the complexities of regulatory landscapes, ensuring that their data practices meet or exceed statutory requirements.

### GDPR (General Data Protection Regulation)

Article 25 of the GDPR specifically mandates data protection by design and by default. Organizations must implement appropriate technical and organizational measures to embed data protection into processing activities and business practices. This includes minimizing data collection, ensuring data is processed only for specified purposes, and implementing security measures like encryption and access controls.

Compliance with GDPR's PbD requirements not only helps in avoiding fines that can reach up to €20 million or 4% of the annual global turnover but also enhances the organization's reputation as a responsible data handler. For instance, failing to implement adequate PbD measures can result in significant penalties, emphasizing the need for proactive privacy strategies.

### CCPA (California Consumer Privacy Act)

The CCPA grants California residents enhanced rights regarding their personal data. Implementing PbD ensures that businesses collect and manage data in a way that respects these rights, such as providing transparency about data usage and offering consumers the ability to opt-out of data sales. Non-compliance can lead to substantial fines and damage to reputation.

### LGPD (Lei Geral de Proteção de Dados)

Brazil's LGPD mirrors many aspects of the GDPR, requiring organizations to adopt comprehensive data protection measures. PbD facilitates compliance by embedding privacy into business practices, ensuring that personal data is processed lawfully, transparently, and securely. Violations of LGPD can result in fines and restrictions on data processing activities.

### Tools and Resources for Privacy by Design

Implementing Privacy by Design is a complex task that can be streamlined with the right tools and resources. Leveraging specialized software and frameworks can facilitate the integration of privacy principles into your organizational processes, ensuring comprehensive data protection and regulatory compliance.

### Overcoming Common Challenges in Privacy by Design Implementation

While Privacy by Design offers substantial benefits, organizations often encounter obstacles during its implementation. Understanding these challenges and adopting effective strategies to overcome them is crucial for successful PbD integration.

### Best Practices and Future Trends in Privacy by Design

Implementing Privacy by Design effectively requires adherence to best practices and staying abreast of future trends. Here are some key recommendations and anticipated developments in the field of PbD:

### Best Practices for Privacy by Design

Adhering to best practices ensures the effective implementation of Privacy by Design within your organization. Here are some key practices to consider:

## FAQ

**Q: What is Privacy by Design?**

Privacy by Design is a framework that integrates data privacy into the design and architecture of IT systems, business practices, and physical infrastructures. It ensures that privacy considerations are embedded from the outset, rather than being an afterthought, thereby enhancing data protection and compliance.

**Q: How does Privacy by Design help with GDPR compliance?**

Privacy by Design aligns closely with GDPR requirements by promoting data minimization, user consent, and robust security measures. Implementing PbD helps organizations meet GDPR’s principles of data protection by design and by default, reducing the risk of non-compliance and associated fines.

For more details on GDPR compliance, refer to the official [GDPR text](https://eur-lex.europa.eu/eli/reg/2016/679/oj).

**Q: What are the key steps to implement Privacy by Design?**

Key steps include conducting a Privacy Impact Assessment (PIA), choosing an appropriate PbD framework, implementing organizational and technical measures, establishing continuous monitoring and audits, leveraging specialized tools, and fostering a culture of privacy within the organization. Each of these steps ensures that privacy is thoroughly integrated into all aspects of your operations.

**Q: What tools can assist in implementing Privacy by Design?**

Tools such as [Legiscope](https://www.legiscope.com), [OneTrust](https://www.onetrust.com), and [TrustArc](https://www.trustarc.com/) provide comprehensive solutions for managing Privacy by Design. These platforms offer features like Privacy Impact Assessments (PIA), consent management, data mapping, and automated compliance reporting, facilitating the seamless integration of privacy into your workflows.

**Q: What are some examples of sanctions related to Privacy by Design violations?**

One notable case is the €50 million fine imposed on Google by the French data protection authority (CNIL) for insufficient transparency and inadequate consent mechanisms, highlighting the need for clear privacy practices.

In 2020, British Airways was fined £20 million by the UK’s Information Commissioner’s Office (ICO) after a data breach exposed the personal data of over 400,000 customers, underscoring the importance of robust PbD measures.

Marriott International faced a £18.4 million fine by the ICO for a data breach affecting millions of customers, emphasizing the critical role of PbD in preventing unauthorized data access and ensuring compliance with data protection regulations.

## Conclusion

Implementing Privacy by Design is not merely a regulatory obligation but a strategic imperative in today’s digital ecosystem. By embedding privacy principles into the core of your organization’s operations, you enhance data protection, build customer trust, and ensure long-term compliance with evolving data protection laws. Embrace PbD to safeguard your organization’s data, empower your users, and maintain a competitive edge in a privacy-conscious market. Proactive integration of PbD not only mitigates risks but also positions your organization as a leader in responsible data management, fostering sustained growth and resilience in an increasingly data-centric world.



A comprehensive guide to implementing Privacy by Design, integrating privacy principles into your organization's operations for robust data protection and compliance.

Implementing Privacy by Design: Comprehensive Guide and Best Practices


One of the fundamental principles of data protection law, which has been further strengthened under the EU's General Data Protection Regulation (GDPR), is the requirement that personal data must be collected for specified, explicit and legitimate purposes and not further processed in a manner that is incompatible with those purposes. This principle, known as "purpose limitation," is enshrined in Article 5(1)(b) of the GDPR.

## I - Understanding the Purpose Limitation Principle

The purpose limitation principle is a cornerstone of the GDPR and serves to protect data subjects by ensuring that their personal data is only used in ways that they would reasonably expect and have been informed about. It consists of two key components:

1. **Data must be collected for specified, explicit and legitimate purposes:** This means that at the time of data collection, the controller must clearly and specifically define the purposes for which the data will be processed. These purposes must be legitimate, meaning they must be in accordance with the law and not violate the rights and freedoms of data subjects.

2. **Data must not be further processed in a manner that is incompatible with those purposes:** Once personal data has been collected for a specified purpose, it should not then be repurposed and processed in a way that is incompatible with the original purpose. If the controller wishes to process the data for a new purpose, they must either obtain fresh consent from the data subject or ensure that the new purpose is compatible with the original purpose.

## II - Specifying Purposes

When specifying the purposes of processing, controllers need to be clear, unambiguous, and specific. Vague or general descriptions such as "improving user experience," "marketing purposes," or "future research" will not suffice. Instead, purposes should be granular and clearly articulated, for example:

- "To process your order and arrange delivery of products"
- "To send you our monthly newsletter containing product updates and special offers"
- "To analyze website usage data to identify areas for improvement in site navigation and content"

Importantly, these specified purposes must then be communicated to data subjects in a clear and transparent way, typically through privacy notices or policies at the point of data collection.

## III - Compatible Purposes

The GDPR recognizes that it's not always possible or practical to obtain fresh consent from data subjects every time a controller wants to process their data for a new purpose. Therefore, the Regulation allows for further processing without new consent where the new purpose is deemed "compatible" with the original purpose.

To determine whether a new processing purpose is compatible with the original purpose, controllers should take into account factors such as:

- Any link between the original and new purposes
- The context in which the data was collected and the reasonable expectations of data subjects
- The nature of the personal data, particularly whether it involves special categories of data or criminal offense data
- The possible consequences of the new processing for data subjects
- The existence of appropriate safeguards, such as encryption or pseudonymization

Where a controller determines that a new processing purpose is compatible, they should still update their privacy notice to inform data subjects of this additional purpose.

## IV - Incompatible Purposes and Fresh Consent

If a controller wishes to process personal data for a purpose that is incompatible with the original purpose, they will generally need to obtain fresh consent from the data subject. This new consent must meet all the requirements of the GDPR, meaning it must be freely given, specific, informed and unambiguous.

There are some limited exceptions to this requirement for fresh consent, such as where the processing is necessary for compliance with a legal obligation, to protect the vital interests of the data subject, or for the performance of a task carried out in the public interest. However, these exceptions are narrowly defined and controllers should be cautious about relying on them without a clear justification.

## V - Enforcement and Penalties

Failure to comply with the purpose limitation principle can result in significant penalties under the GDPR. Supervisory authorities such as the UK's Information Commissioner's Office (ICO) have the power to issue fines of up to €20 million or 4% of a company's global annual turnover, whichever is higher, for infringements of this and other key principles of the Regulation.

In addition to financial penalties, non-compliance can also lead to reputational damage, loss of customer trust, and even legal action from affected data subjects. It's therefore crucial that controllers take their obligations around purpose specification and compatible processing seriously.

## Conclusion

The purpose limitation principle is a fundamental tenet of the GDPR that aims to give data subjects control over how their personal information is used. By requiring controllers to specify clear, legitimate purposes for processing and ensuring that any further processing is compatible with those original purposes, the Regulation seeks to promote transparency and prevent misuse of personal data.

To comply with this principle, controllers must carefully consider and clearly articulate the purposes for which they collect and process personal data, communicate these purposes to data subjects, and implement robust processes to assess the compatibility of any new processing purposes. By doing so, they can not only avoid costly penalties but also build trust with customers and uphold the fundamental rights and freedoms of individuals.

Article 5 of the GDPR lays out key principles related to the purposes for which personal data can be processed.

The Purposes of Processing under the GDPR


GDPR data storage compliance is essential for businesses committed to protecting personal information and maintaining customer trust. The [General Data Protection Regulation (GDPR)](https://eur-lex.europa.eu/eli/reg/2016/679/oj) establishes strict protocols on how organizations should collect, store, and manage personal data. Adhering to GDPR data storage requirements not only helps avoid substantial fines but also reinforces your organization's reputation. Non-compliance can lead to severe legal repercussions and significant damage to your brand’s credibility.

This guide provides actionable insights and best practices to assist organizations in developing effective data retention policies. Whether you are a startup or a multinational corporation, you will find the necessary tools to ensure compliance and safeguard sensitive information. Implementing these strategies allows businesses to handle personal data responsibly, mitigate risks associated with data breaches, and adhere to regulatory standards. Prioritizing GDPR data storage compliance ensures legal adherence, enhances operational efficiency, and builds customer confidence.

### Key Takeaways

- GDPR mandates the secure storage of personal data and prohibits retention beyond necessary periods.
- Establishing a comprehensive data retention policy is crucial for maintaining compliance.
- Regular data audits and impact assessments are vital for ongoing GDPR adherence.
- Choosing GDPR-compliant data storage solutions mitigates risks and ensures data protection.
- Respecting data subject rights is fundamental for lawful data processing and storage.

### Understanding GDPR Data Storage Requirements

The GDPR outlines specific principles that govern the storage of personal data, ensuring organizations handle information responsibly and protect individual privacy rights. Key principles related to data storage include data minimization, storage limitation, integrity and confidentiality, and accountability. These principles form the foundation of GDPR compliance and must be diligently applied to all data storage practices.

Data minimization requires organizations to collect only the data essential for their defined purposes. By avoiding excessive data collection, businesses can reduce storage burdens and lower risks associated with retaining unnecessary information. This practice not only ensures compliance but also improves operational efficiency by focusing resources on critical data management tasks.

The storage limitation principle dictates that personal data must not be retained longer than necessary for the purposes for which it was collected. Organizations must establish clear retention periods based on the data's purpose and ensure timely deletion or anonymization once the data is no longer needed. Adhering to this principle helps prevent data accumulation, reduces storage costs, and aligns with GDPR mandates.

Integrity and confidentiality demand that organizations implement appropriate security measures to protect personal data from unauthorized access, disclosure, alteration, or destruction. This involves deploying advanced encryption techniques, establishing robust access controls, and conducting regular security assessments to ensure data remains secure and unaltered. Ensuring data integrity and confidentiality not only complies with GDPR but also safeguards against potential data breaches and cyber threats.

### Legal Obligations and Responsibilities

Compliance with GDPR data storage requirements is mandatory for organizations operating within the EU or handling data of EU citizens. Failure to adhere can lead to severe legal repercussions, including hefty fines and reputational damage. Understanding and implementing necessary measures to achieve compliance is essential for safeguarding your organization against potential legal challenges.

Data controllers determine the purposes and means of processing personal data, while data processors manage data on behalf of controllers. Both roles carry distinct responsibilities concerning data storage and protection to ensure GDPR compliance. Clearly defining these roles fosters accountability and facilitates effective data management across the organization.

Non-compliance with GDPR can incur substantial fines, reaching up to €20 million or 4% of an organization's global annual turnover, whichever is higher. Notable cases include the [British Airways GDPR Fine](https://eur-lex.europa.eu/eli/reg/2016/679/oj), the [Marriott GDPR Penalty](https://eur-lex.europa.eu/eli/reg/2016/679/oj), and the [H&M GDPR Violation](https://eur-lex.europa.eu/eli/reg/2016/679/oj). These instances highlight the financial and reputational consequences of failing to comply with GDPR data storage requirements.

### Best Practices for GDPR-Compliant Data Storage

Achieving GDPR data storage compliance requires implementing best practices that ensure data is managed securely and efficiently. The following strategies are essential for maintaining compliance and protecting personal data.

Implementing robust encryption is a foundational security measure. Encrypting personal data both at rest and in transit ensures that, even if data is intercepted or accessed without authorization, it remains unreadable and secure. Advanced encryption standards, such as AES-256, are recommended for formidable data protection, aligning with GDPR's stringent security requirements. Regularly updating encryption protocols and conducting encryption audits are critical for maintaining data security.

Restricting access to personal data solely to authorized personnel is imperative. Utilizing role-based access controls (RBAC), multi-factor authentication (MFA), and conducting regular access reviews can prevent unauthorized data access and bolster security. These measures ensure that only individuals who need access to data can obtain it, mitigating the risk of internal breaches and maintaining data integrity.

Conducting regular data audits helps organizations inventory stored data, assess its relevance, and verify compliance with retention schedules. Audits are pivotal in identifying and rectifying potential vulnerabilities in data storage practices. Establishing a routine audit schedule and utilizing automated audit tools can enhance the efficiency and accuracy of data audits.

### Implementing a GDPR Data Retention Policy

A meticulously defined data retention policy is vital for GDPR compliance. It outlines how long different types of personal data are stored and the methods employed for their secure disposal. Implementing an effective data retention policy involves several critical steps that ensure consistent and compliant data management practices across the organization.

Conducting a comprehensive data inventory is the initial step. Organizations should audit all personal data collected and stored, categorizing it based on type, source, purpose, and sensitivity. Understanding the data held is fundamental for determining appropriate retention periods and ensuring responsible data management.

Defining explicit retention periods for each data category based on legal requirements, business needs, and GDPR principles is essential. For instance, financial records might need to be retained for seven years to comply with tax laws, while marketing data may only be kept for a few years. Establishing specific timeframes aids in maintaining compliance and efficient data management.

### Technical Implementation of GDPR-Compliant Data Storage

Ensuring GDPR compliance in data storage requires the integration of robust technical solutions and security measures. The following technical implementations are crucial for maintaining compliance and safeguarding personal data.

Selecting appropriate data storage solutions is paramount. Opt for storage providers that offer built-in security features and compliance certifications. Cloud storage providers such as [AWS](https://aws.amazon.com), [Microsoft Azure](https://azure.microsoft.com), and [Google Cloud](https://cloud.google.com) offer GDPR-compliant services with extensive security controls. Evaluating providers based on their compliance capabilities ensures that data storage practices meet legal standards and organizational requirements.

Deploying advanced encryption techniques fortifies data security. Utilizing strong encryption protocols like AES-256 for data at rest and TLS for data in transit ensures that personal data remains protected against unauthorized access. Encryption acts as a critical barrier against data breaches, aligning with GDPR's stringent security standards.

Implementing these technical measures secures data and ensures that organizations can efficiently manage and access data in compliance with GDPR standards. Regularly updating security protocols, conducting vulnerability assessments, and utilizing automated security tools are vital for maintaining effective data protection strategies.

### Industry-Specific GDPR Data Storage Guidelines

Different industries have unique data storage needs and regulatory requirements. Tailoring GDPR data storage practices to align with specific industry standards is essential for compliance and effective data management. Below are guidelines tailored to various sectors to help organizations implement industry-specific GDPR data storage strategies.

In the healthcare sector, organizations handle highly sensitive personal data, including health records. GDPR mandates stringent data protection measures to ensure patient privacy. Key guidelines include encrypting patient data both at rest and in transit, implementing robust access controls to restrict data access to authorized personnel only, and conducting regular data protection impact assessments (DPIAs) to identify and mitigate risks.

Financial institutions manage vast amounts of personal and transactional data. GDPR compliance in the finance sector involves ensuring data integrity and accuracy through regular audits, implementing robust encryption and security measures to protect financial data, and establishing clear data retention policies that adhere to regulatory mandates, such as retaining financial records for a specified number of years.

E-commerce businesses collect substantial customer data to facilitate transactions and improve user experience. GDPR compliance in e-commerce entails secure data storage systems that protect customer information, transparent data processing policies, and mechanisms for customers to exercise their data rights, such as accessing, correcting, or deleting their data.

### Case Studies and Real-World Examples

Analyzing real-world examples offers valuable insights into effective GDPR data storage compliance. The following case studies highlight successful implementations and the lessons learned from these endeavors.

A leading healthcare provider adopted AES-256 encryption for all patient records, both at rest and in transit. By integrating encryption into their data storage systems, they ensured that sensitive health information remained secure and compliant with GDPR requirements. Additionally, they enforced stringent access controls, limiting data access exclusively to authorized medical staff.

A major financial institution overhauled its data retention policies to align with GDPR. They conducted a thorough data inventory, categorizing personal data based on type and purpose. By establishing clear retention periods and automating data deletion processes, they minimized the risk of retaining unnecessary data.

An e-commerce company streamlined its data collection practices by adopting a data minimization approach. They limited data collection to essential information required for transactions and customer service. Implementing clear and concise consent mechanisms ensured customers were informed and provided explicit consent for data processing.

## FAQ

**Q: What is GDPR data storage?**

GDPR data storage refers to the methods and practices organizations must follow to store personal data in compliance with the [General Data Protection Regulation (GDPR)](https://eur-lex.europa.eu/eli/reg/2016/679/oj). This includes ensuring data security, implementing appropriate retention policies, and maintaining data integrity.

**Q: How long can I store personal data under GDPR?**

Under GDPR, personal data should not be kept longer than necessary for the purposes for which it was collected. The retention period varies depending on the type of data and its intended use. Organizations must define and document retention periods based on legal, regulatory, and business requirements.

**Q: What are the penalties for non-compliance with GDPR data storage?**

Non-compliance with GDPR data storage can result in significant fines, up to €20 million or 4% of an organization's global annual turnover, whichever is higher. Additionally, organizations may face legal actions, reputational damage, and loss of customer trust.

**Q: What measures can I implement to secure stored data?**

To secure stored data, organizations should implement strong encryption, access controls, regular data audits, data anonymization techniques, and robust backup and recovery systems. Additionally, conducting regular security assessments and employee training can enhance data protection.

**Q: Do I need a Data Protection Officer (DPO) for data storage compliance?**

Whether you need a DPO depends on the nature and scale of your data processing activities. Organizations that conduct large-scale processing of sensitive data or systematically monitor individuals are required to appoint a DPO. The DPO oversees GDPR compliance, including data storage practices.

## Conclusion

Achieving GDPR data storage compliance is essential for protecting personal data, maintaining customer trust, and avoiding significant penalties. By understanding GDPR principles, implementing best practices, conducting regular audits, and utilizing the right technical solutions, organizations can effectively manage their data storage processes in accordance with GDPR requirements.



Ensure GDPR data storage compliance in 2024 with our comprehensive guide. Discover best practices, legal obligations, and strategies to protect personal data and maintain customer trust.

Comprehensive GDPR Data Storage Compliance Guide 2024






The landscape of data protection within the European Union has been significantly shaped by the General Data Protection Regulation (GDPR), which came into effect in May 2018. Central to the enforcement and harmonization of GDPR across member states is the European Data Protection Board (EDPB). As organizations navigate the complexities of data privacy, understanding the role and functions of the EDPB is paramount for ensuring compliance and fostering trust throughout the data processing chain.

The EDPB not only provides authoritative guidance but also plays a crucial role in adjudicating disputes and coordinating actions among national supervision authorities. This article delves into the structure, responsibilities, and impact of the EDPB, highlighting key cases and offering practical insights for organizations aiming to align their operations with GDPR requirements. Through a comprehensive examination of legal frameworks and real-world applications, we aim to elucidate the indispensable role of the EDPB in the European data protection ecosystem.

## I. Structure and Mandate of the EDPB

The European Data Protection Board was established under the GDPR to ensure consistent application of data protection laws across all EU member states. Comprising representatives from each national supervisory authority and the European Data Protection Supervisor (EDPS), the EDPB serves as a collaborative platform for fostering uniformity in data protection practices. Article 68 of the GDPR outlines the composition and governance of the EDPB, emphasizing the importance of representation from each member state to reflect the diverse legal landscapes within the EU.

Each member state nominates one representative to the EDPB, ensuring that the board embodies a broad spectrum of perspectives and experiences. Additionally, the EDPS has the right to appoint one representative to the Board, facilitating close cooperation between the EDPB and the EDPS. This structure not only promotes inclusivity but also ensures that the EDPB’s decisions are balanced and considerate of the varying national contexts within the EU.

The governance of the EDPB is designed to ensure transparency, accountability, and efficiency. The Board operates through plenary sessions, where representatives deliberate on key issues, adopt guidelines, and make binding decisions. Plenary meetings are typically held several times a year, providing a structured environment for comprehensive discussions on emerging data protection challenges and regulatory updates. Decision-making within the EDPB follows a consensus-based approach, fostering collaboration and mutual understanding among member states. In cases where consensus cannot be reached, a majority vote is employed to ensure timely resolutions. This balanced approach allows the EDPB to navigate complex legal and technical issues effectively, maintaining the momentum necessary for dynamic data protection landscapes.

The EDPB’s strategic objectives revolve around promoting uniformity, enhancing supervisory cooperation, and strengthening data protection across the EU. These objectives are operationalized through various initiatives, including the development of detailed guidelines, the facilitation of joint operations among supervisory authorities, and the provision of expert advice to legislative bodies. By prioritizing these strategic goals, the EDPB ensures that data protection remains a dynamic and responsive area of law, capable of addressing new challenges posed by technological advancements and evolving data processing practices.

## II. Enforcement and Compliance Role of the EDPB

The EDPB plays a pivotal role in guiding organizations toward GDPR compliance through the development of comprehensive guidelines and interpretative documents. These resources address various aspects of data protection, ranging from data subject rights to obligations of data controllers and processors. By clarifying ambiguities within the GDPR, the EDPB aids organizations in implementing effective data protection strategies, thereby reducing the risk of non-compliance. For instance, the EDPB’s [Guidelines on Consent under GDPR](https://eur-lex.europa.eu/eli/reg/2016/679/oj) provide detailed criteria for obtaining valid consent, ensuring that organizations understand the importance of clear and affirmative actions from data subjects.

A significant aspect of the EDPB's mandate involves overseeing cross-border data transfers, a topic extensively covered in their [Guidelines on Cross-Border Data Transfers](https://eur-lex.europa.eu/eli/reg/2016/679/oj). The EDPB ensures that data transfers outside the EU adhere to the stringent standards set by the GDPR, safeguarding the privacy rights of individuals irrespective of geographical boundaries. This oversight is particularly important in an era where data flows seamlessly across borders, necessitating robust mechanisms to prevent unauthorized access and data breaches. The EDPB’s guidance on Standard Contractual Clauses (SCCs) and Binding Corporate Rules (BCRs) provides a framework for organizations to transfer data securely and legally, ensuring compliance with EU standards.

Furthermore, the EDPB is instrumental in handling complaints and adjudicating disputes related to GDPR violations. Their decisions in high-profile cases set precedents that influence data protection practices across the EU. For example, in the [Google Ireland Data Transfer case](https://eur-lex.europa.eu/eli/reg/2016/679/oj), the EDPB played a crucial role in assessing and sanctioning inadequate data transfer mechanisms, underscoring the necessity for compliant data transfer solutions. The EDPB’s adjudicative power ensures that penalties and sanctions are consistently applied, reinforcing the seriousness of data protection compliance. Organizations can refer to these decisions to better understand the implications of non-compliance and the importance of adhering to GDPR principles such as [purpose limitation](https://eur-lex.europa.eu/eli/reg/2016/679/oj) and [data minimization](https://eur-lex.europa.eu/eli/reg/2016/679/oj).

Significant cases handled by the EDPB, including those involving British Airways and Marriott International, exemplify the Board’s rigorous enforcement of GDPR standards. The substantial fines imposed in these cases serve as stark reminders of the repercussions of failing to implement adequate security measures and timely breach notifications. These instances provide operational lessons for organizations, emphasizing the need for continuous risk assessment, [privacy by design](https://eur-lex.europa.eu/eli/reg/2016/679/oj), and robust data protection frameworks to mitigate potential damages and maintain stakeholder trust.

## III. Impact on International Data Protection Standards

While the EDPB operates within the EU framework, its influence extends beyond European borders. As GDPR sets a global standard for data protection, organizations worldwide look to the EDPB’s guidelines and decisions as benchmarks for their own data protection practices. This global influence is evident in the adoption of similar data protection laws in countries such as Brazil, Japan, and South Korea, which have drawn inspiration from GDPR and, by extension, the EDPB’s interpretations. The EDPB contributes to the harmonization of global data protection practices by promoting principles that prioritize individual privacy and data security. Through its guidelines and advocacy, the EDPB encourages organizations globally to adopt robust data protection measures, fostering a unified approach to safeguarding personal data.

However, aligning with EDPB guidelines can present challenges for non-EU organizations. Variations in local data protection laws and differing interpretations of GDPR principles require organizations to navigate a complex regulatory landscape. The EDPB’s clear and comprehensive guidelines help mitigate some of these challenges by providing detailed frameworks that can be adapted to diverse legal contexts. Nonetheless, organizations must remain vigilant and proactive in ensuring that their data protection practices comply with both EU standards and local regulations. Engaging with resources such as [Legiscope](https://www.legiscope.com) can facilitate this process by automating compliance tasks and providing up-to-date information on legal requirements.

The EDPB’s role in international data protection cooperation is poised to grow, particularly as data flows continue to increase globally. Strengthening cooperation with international regulatory bodies and aligning data protection practices across regions will be essential for addressing cross-border data protection challenges. The EDPB may engage in more bilateral and multilateral agreements to facilitate cooperation and ensure that data protection standards remain high on a global scale. This international collaboration is crucial for maintaining the integrity and effectiveness of data protection measures in an interconnected world.

## IV. Practical Compliance Tips Inspired by the EDPB

Organizations aiming for GDPR compliance can draw valuable insights from the EDPB’s guidelines and decisions. A comprehensive data protection strategy should encompass several key elements to ensure adherence to GDPR principles. Understanding what data is collected, how it is processed, and where it is stored is foundational to GDPR compliance. Conducting regular data inventories helps organizations identify potential risks and ensure that data processing activities align with GDPR principles. Additionally, regularly conducting Data Protection Impact Assessments (DPIAs) to identify and mitigate risks associated with data processing activities is crucial. The EDPB’s Guidelines on DPIAs provide a structured approach for assessing risks and implementing appropriate safeguards.

Integrating data protection into the design of systems and processes ensures that privacy considerations are embedded from the outset. This proactive approach minimizes the potential for data breaches and enhances overall data security. Ensuring that employees are aware of GDPR requirements and understand their roles in maintaining data protection is essential. Regular training programs can help foster a culture of privacy within the organization. Utilizing compliance software platforms like [Legiscope](https://www.legiscope.com) can automate and streamline the compliance process, saving hundreds of hours and reducing operational burdens. By integrating such tools into their data protection strategies, companies can ensure adherence to legal requirements while maintaining operational efficiency and building trust with their stakeholders.

Proactive engagement with the EDPB and national supervisory authorities can further enhance compliance efforts. Organizations should consider seeking guidance or clarification on specific data protection issues, particularly when dealing with complex or cross-border data processing activities. Establishing open lines of communication can help organizations navigate challenges and ensure that their data protection practices remain aligned with regulatory expectations. Additionally, participating in industry forums and working groups facilitated by the EDPB provides valuable opportunities for organizations to share best practices and collaborate on common data protection challenges. This collaborative approach fosters a supportive environment for continuous improvement and innovation in data protection.

## Conclusion

The European Data Protection Board is a cornerstone of the GDPR framework, ensuring cohesive and effective data protection across the European Union. Through its comprehensive guidelines, enforcement actions, and coordination with national supervisory authorities, the EDPB facilitates a unified approach to data privacy, thereby enhancing compliance and fostering trust throughout the data processing chain. Organizations must recognize the significance of the EDPB’s role and actively engage with its resources and directives to navigate the intricate landscape of data protection.

To effectively implement GDPR compliance and leverage the expertise provided by the EDPB, organizations can benefit from tools like [Legiscope](https://www.legiscope.com), a GDPR compliance platform that automates and streamlines the compliance process, saving hundreds of hours and reducing operational burdens. By integrating such compliance software into their data protection strategies, companies can ensure adherence to legal requirements while maintaining operational efficiency and building trust with their stakeholders.

Moreover, staying informed about the EDPB’s latest guidelines and case rulings is essential for continuous compliance and risk management. Resources such as Legiscope’s blog provide valuable insights into various aspects of GDPR, including [data portability rights](https://www.legiscope.com/blog/data-portability-right.html), [the role of the Data Protection Officer](https://www.legiscope.com/blog/gdpr-dpo-designation.html), and [privacy by design](https://www.legiscope.com/blog/privacy-by-design.html), which can further aid organizations in refining their data protection practices. Embracing the guidance and regulatory direction offered by the EDPB will not only ensure compliance but also cultivate a culture of data privacy and security, thereby reinforcing the foundational goal of GDPR to build trust throughout the entire data processing chain.

By understanding and leveraging the role of the EDPB, organizations can navigate the complexities of data protection with greater confidence and efficacy, ultimately fostering a trustworthy and secure data environment. As data continues to be a vital asset in the digital age, the EDPB’s role in shaping and enforcing data protection standards will remain indispensable, ensuring that the rights and freedoms of individuals are upheld across the European Union and beyond.

An in-depth analysis of the European Data Protection Board's role in enforcing GDPR, including legal frameworks, case studies, and practical compliance tips.

The Role of the European Data Protection Board (EDPB)

Discover the principles, best practices, and compliance strategies of data minimization to protect privacy, reduce risks, and ensure adherence to regulations like GDPR.

Principles, Practices, and Compliance of Data Minimization

Discover whether an IP address is considered personal data under GDPR and CCPA. Learn about data privacy, compliance requirements, and best practices for handling IP addresses to protect individual privacy and ensure legal adherence.

Are IP Addresses Considered Personal Data? Comprehensive Guide on GDPR and CCPA


Cookie banners have become a pervasive feature of the modern web, frustrating users who seek a seamless browsing experience. In Europe, consent banners are mandated by an old directive from 2002, the [ePrivacy Directive 2002/58](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32002L0058), which requires websites to obtain informed consent before storing or accessing information on users' devices. While the intention behind these regulations is to enhance privacy protection, the actual impact on user privacy is insignificant, as most cookie banners are used to facilitate web analytics, understand user behavior, manage ad efficiency, or keyword traffic. Moreover, actively tracking a user beyond their visit to a website is difficult or borderline impossible for website owners, as it would require a court order.

Understanding the true cost of these consent prompts in the European economy is therefore necessary. Our calculations reveal that collectively, Europeans **spend over 575 million hours annually on consent prompts**. At a time when the European economy faces significant challenges in competitiveness compared to the US and China [as recently highlighted by President Macron](https://www.youtube.com/watch?v=Ias1Glgi5SE), it is crucial to examine the data and the legal framework that underpins these requirements.

## The Productivity Cost of Cookie Banners

To grasp the profound impact of cookie banners on European productivity and the economy, we need to break down the calculations. Starting with the total population of the European Union in 2024, which is approximately [449.2 million people](https://ec.europa.eu/eurostat/web/products-eurostat-news/w/ddn-20240711-1), we assume an [internet penetration rate of around 90%](https://ec.europa.eu/eurostat/statistics-explained/index.php?title=Digital_society_statistics_at_regional_level&oldid=630715#:~:text=In%202023%2C%20the%20share%20of,or%20in%20cities%20(94.9%25).), resulting in 404.28 million internet users.

On average, a user visits [about 100 websites per month](https://bloggingwizard.com/website-statistics/#:~:text=On%20average%20internet%20users%20in,pages%20on%20a%20daily%20basis.), totaling 1,200 websites per year. With about 85% of these websites displaying a cookie banner, a user will encounter about 1,020 cookie banners every year. Assuming it takes an average of 5 seconds per interaction with a cookie banner, this amounts to 5,100 seconds per year per user, or roughly 1.42 hours per year.

Multiplying this by the total number of internet users in the EU, we reach the following total time: 404.28 million users × 1.42 hours/year ≈ **575 million hours/year**.

Below is an estimated distribution based on population and internet usage rates:

| Country         | Population (millions) | Internet Users (millions) | Annual Hours Spent (millions) | Total Cost (€ Billion) |
|-----------------|-----------------------|----------------------------|-------------------------------|------------------------|
| Germany         | 84                    | 75.6                       | 107.35                        | 2.68                   |
| France          | 68                    | 61.2                       | 86.85                         | 2.17                   |
| Italy           | 59                    | 53.1                       | 75.37                         | 1.88                   |
| Spain           | 47                    | 42.3                       | 60.04                         | 1.50                   |
| Poland          | 38                    | 34.2                       | 48.57                         | 1.21                   |
| Netherlands     | 17                    | 15.3                       | 21.73                         | 0.54                   |
| Belgium         | 12                    | 10.8                       | 15.34                         | 0.38                   |
| Sweden          | 11                    | 9.9                        | 14.07                         | 0.35                   |
| Austria         | 9                     | 8.1                        | 11.50                         | 0.29                   |
| Other Countries | 104.2                 | 93.78                      | 134.18                        | 3.35                   |
| **Total**       | **449.2**             | **404.28**                 | **575.0**                     | **14.35**              |

*Note: "Other Countries" encompass the remaining European Union nations.*

To translate the lost time into economic terms, we can assign a monetary value to the hours spent on cookie banners. With an average hourly wage in Europe of €25, the total economic cost can be calculated as 575,000,000 hours × €25/hour = **€14.375 billion**. Considering the EU Annual GDP (2024) of approximately €15 trillion, the economic cost of cookie banners represents: (€14.375 billion ÷ €15 trillion) × 100 ≈ **0.10% of total EU GDP**.

To grasp the scale of the productivity loss, we can consider the number of full-time employees (FTEs) that represent the lost hours. Assuming a full-time worker dedicates approximately 2,000 hours annually, 575,000,000 hours ÷ 2,000 hours/FTE = **287,500 FTEs**. This means the **overall cost of clicking on cookie banners is equivalent to a company of 287,500 employees spending an 8-hour workday clicking on cookie banners**.

## Do Cookie Banners Really Improve Privacy?

Contrary to popular belief, cookie banners were not introduced by the GDPR but by the [ePrivacy Directive 2002/58](https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=celex%3A32002L0058), at a time when cookies were just becoming known to the public. In response to fears of global surveillance, regulators imposed a general principle of consent before any data could be stored on a user's communication devices:

> *"Art. 5.3: Member States shall ensure that the use of electronic communications networks to store information or to gain access to information stored in the terminal equipment of a subscriber or user is only allowed on condition that the subscriber or user concerned is provided with clear and comprehensive information in accordance with Directive 95/46/EC, inter alia about the purposes of the processing, and is offered the right to refuse such processing by the data controller."*

The ePrivacy Directive was intended to be updated, but the project never materialized.

Today, most cookie banners are used by organizations to:

- Facilitate web analytics and understand user interactions with their websites.
- Improve user experience by analyzing what content performs well or poorly.
- Manage the performance of advertisements.

For the most part, small businesses use cookies efficiently without precise user identification. Identifying users typically requires a court order to process IP addresses, which is rarely pursued. Therefore, cookie banners primarily serve to mitigate theoretical legal risks rather than enforce extensive user tracking.

It is not to say that some businesses do not use cookies to operate user tracking on a massive scale. Some companies relying exclusively on advertising do share user data with very large pools of partners—sometimes hundreds of ad partners. In that case, cookie banners do offer privacy protections for users.

However, looking at the general scale of the internet, only a very small fraction of websites use mass-scale partnerships as their main economic model.

For users, repeated interactions with cookie banners lead to significant frustration and complete loss of vigilance. The consent fatigue results in users mindlessly accepting terms without proper consideration, thereby undermining the very intent of the regulations. The constant barrage of consent prompts not only reduces productivity but diminishes user satisfaction and erodes trust in online platforms.

## Conclusion

The realization that **Europeans spend 575 million hours annually clicking on cookie banners** highlights a significant, yet often overlooked, economic and productivity drain. These processes deliver minimal privacy benefits and little enhancement to business performance.

In contrast, regulations like the [GDPR](https://eur-lex.europa.eu/eli/reg/2016/679/oj) impose IT security obligations that, while seen as burdensome, contribute to long-term business robustness by ensuring the security of IT systems.

This situation calls for an urgent revision of the ePrivacy Directive—potentially transforming it into a regulation to ensure swift adoption. Exemptions from cookie banners for small and medium-sized businesses (SMBs) using analytics, tracking user interactions on their websites, and managing basic advertising are imperative to mitigate unnecessary economic and productivity losses.


Analysis of the economic and productivity losses caused by cookie banners in Europe, including country-specific estimates and legal insights into the outdated EU Directive 2002/58.

Europeans Spend 575 Million Hours Clicking Cookie Banners Every Year


It's very important to understand the difference between a Data Protection Officer and all other titles such as Data Privacy Officer, compliance officer, GDPR compliance officer, and for one reason : **only the Data Protection Officer (DPO) is regulated by the GDPR**. In practical terms this means, the DPO has specific tasks he needs to conduct, specific position and specific protection in regard to his liability. 

And that's not the case with all the other titles.

In an organization, someone might be responsible for GDPR compliance without being a DPO, and provided the organization doesn't have to designate a DPO, that's perfectly fine. The Data Protection Officer, however, is appointed through a procedure outlined in the GDPR, which involves distinct responsibilities such as monitoring adherence to the regulation, providing advice on data protection impact assessments, and overseeing their execution.

So in order to determine if your organization needs to appoint a DPO, or if it would be beneficial, let's look at the cases where a DPO is mandatory.

## Is a GDPR DPO Mandatory?

Organizations are required to ensure compliance with the GDPR, and for sure, this necessitates having at least one person responsible for this task (a "lead" or "mission officer" for the GDPR). 

Yet, the appointment of a GDPR DPO is mandatory only in three scenarios (Art. 37):

- If the organization is a public authority or body;
- If the organization conducts large-scale, systematic monitoring of individuals;
- If the organization's core activities involve large-scale processing of sensitive GDPR data (Art. 9 and 10), such as health data.

Outside of these cases, appointing a DPO remains optional. 


## Is It Advisable to Appoint a DPO?

It is absolutely essential to have someone within the organization who is trained, and whose mission is to ensures the obligations imposed by the GDPR are being met. 

The DPO can partially play this role, or it can also be a person who has undergone GDPR training to ensure that the organization complies with data protection regulations.

In cases where the desgination of a DPO is mandatory the situation is simple : the organization will have to appoint a DPO. However do not expect the DPO to handle the GDPR compliance of the organization, that's not his role at all! Yes, this adds to the confusion of the reality of the role of the DPO, but there's a fundamental segmentation of responsibilities : the DPO is not the controller, and he is independant from him. Therefore it's not his role to ensure the compliance of the organization, that's the controller role! Do not confuse that. Let's look at article 38.7:

> Art. 38.3 The controller and processor shall ensure that the data protection officer does not receive any instructions regarding the exercise of those tasks. He or she shall not be dismissed or penalized by the controller or the processor for performing his tasks. 

The role of the controller is defined in article 4 : 

> ‘controller’ means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data

Therefore, the controller has to handle its own GDPR compliance, independently from the DPO, as he will be the one liable for it. 

An easy way to understand the position of the DPO is to see him as an employee of the national control authority, but paid by the controller. The DPO is independent from the controller, gives feedback about the level of compliance, does not organizes the overall GDPR compliance of the organization, but helps reviewing the work and provides independant opinion in that regard. 

Beyond the 3 cases where the organization has to appoint a DPO, it's designation through the procedure outlined in the GDPR is to the choice of the controller. Can it be beneficial ? Sure. In particular in very large organizations (fortune 500, CAC40...) where a legal team is in charge of compliance, and the DPO will offer indenpendant assessement of the work and quality control.

## Two important requirements for the DPO

If the organization decides to appoint a DPO, two important requirements will need to be met (Art. 37.5), specifically: 

- Knowledge of data protection law and practices
- Ability to fulfill their responsibilities

Fortunately [a full DPO training is already included in Legiscope](https://www.legiscope.com) so there are no additional costs for organizations that choose our software ; our training has been delivered to a significant number of DPO of CAC40 companies and is very highly rated. 

## How is the GDPR DPO Appointed?

If an organization wishes to appoint a DPO in accordance with GDPR requirements, it must designate this individual directly to the national supervisory authority - in France, for example, [the CNIL](https://www.cnil.fr), who has an online procedure.

Alternatively, if an organization simply wants someone to handle these matters without formal DPO designation, no procedure is required beyond ensuring that their responsibilities are included in the job description of the employee or in the service contract with the chosen provider.

## Can the DPO be an External Party, or Must They Be Internal?

The DPO can be either an internal employee or an external service provider. Article 37.6 of the GDPR specifically allows for this:

> 6. The data protection officer may be a staff member of the data controller or processor, or fulfill their tasks on the basis of a service contract.





Explore the unique role of a GDPR-regulated Data Protection Officer (DPO) and how it differs from titles like Data Privacy Officer. Learn about the DPO's exclusive responsibilities, appointment process, and their pivotal role in ensuring GDPR compliance.

DPO or compliance officer ?

Beware not to confuse the DPO the **"Data Protection Officer"** (GDPR) and the **"Data Privacy Officer"** (not a GDPR concept)! And the reason is that the GDPR has a very specific view of the DPO : **the data Protection officier is NOT in charge of ensuring compliance with the GDPR**. That's the role of the Controller, not the DPO! Let's clarify this important distinction, often misunderstood by businesses who designate a DPO and discover after that the need additionnal staff to ensure compliance.

## I. - The DPO is not responsible for compliance

Within the GDPR, the Data Protection Officer has a very specific function, which is to **act independently from the Controller and ensure the GDPR is correctly implemented**. The DPO belongs in a way to the control departement. He's here to ensure the work is done properly, he's not here to do the work in the first place. A simple way to view the DPO is to see him as an employee of a data protection authority, but paid by the Controller of course. 

**Why the DPO is fundamentaly independant**

To understand why the DPO was created, we have to come back to the EU directive 95/46 (the directive that basically created data protection rules in Europe in 1995, before the GDPR was adopted as a regulation). This directive set the following structure : 

- before carrying out any data processing operation an organization had to inform the supervisory authority 
- with two exceptions to that rule : 
 - for certain types of processing activities that were unlikely to "affect adversely the rights and freedoms of data subjects" (no risks), no information was needed ;
 - or, in the case where the Controller had a "Data Protection Official" (at the time), who *ensured independently* the compliance of the processing activities to the law, no formality was needed either.

And this is a very important paradigm because the role of the DPO in the GDPR, inherits from this. Structurally, his duties are to ensure *independently* that the regulation is applied in the organization, and causes no substantial risks to data subjects. The DPO is here to review the work, not to do the work in the first place! 

This structure was established at a time when mostly big businesses were conducting data processing activities (in 1995...): banks, insurances, hospitals, etc. And the legislator assumed these businesses had :
- an IT team to handle the processing activities
- a legal teams to handle the compliance 
- and therefore could easily appoint an independent official within the structure that could verify independently that everything was done according to the legislative plan

There are a lot of consequences of this position : 
1. The DPO is always independent from the Controller: he can not be sanctionned by the Controller for doing his work. He can not receive instructions from the Controller either. The DPO has to be properly informed of all processing operations (as well as have all qualifications necessary to handle compliance work). 
2. The DPO can not be liable for the Controller's non-compliances: it is the Controller who assumes the compliance and all legal risks of his operations. The DPO is there only to verify that the work is done properly and offer a review of where the Controller is in terms of data privacy.


## II. When do organizations really need a DPO?

There are 3 cases in which the appointment of a DPO is mandatory:

1. when the controller is a public authority or a public body, with the exception of courts acting in the exercise of their judicial function
2. when the organization's core activities require regular and systematic tracking of people on a large scale
3. when the activities of the organization consist of large-scale processing of health data, for example (more generally Article 9 or 10 data)

**In all other cases, the appointment of a DPO is optional**. However, it's practically always necessary to have a person in charge of the compliance inside the organization.


### A. - Who can be apointed as DPO?

Anyone who at least has taken a [two days training on GDPR compliance](https://www.legiscope.com). The training of the DPO is an obligation to be able to perform these functions.

### B. - The Tasks of the DPO

The data protection officer shall have at least the following tasks:
1. *Inform and advise* the controller or processor and the employees who carry out the processing on their obligations under this Regulation and other provisions of Union or national law. Member States on data protection;
2. *Monitoring compliance with the GDPR, including with regard to the distribution of responsibilities, awareness and training of staff involved in processing operations, and audits
3. *Provide advice* on data protection impact assessment and verify its execution under Article 35
4. *Cooperate with the supervisory authority*
5. *Act as a contact point* for the supervisory authority on matters relating to the processing, including the prior consultation referred to in Article 36, and carry out consultations, where appropriate, on any other matter.

In general, the DPO also assists in the creation and updating of the register of processing activities.The DPO has to perform his tasks with due regard to the risk associated with processing operations.

### C. - Position of the DPO

The Controller has a certain number of duties regarding the DPO, he has to :

- ensure the DPO is involved in all issues which relate to the protection of personal data ;
- support the DPO in performing his tasks, by providing all necessary resources to carry out his mission as well as all access to personal data and processing operations, and tools to maintain his or her expert knowledge.

The DPO *does not receive any instructions regarding the exercise of those tasks*. He or she shall not be dismissed or penalized by the controller or the processor for performing his tasks. The data protection officer shall directly report to the highest management level of the controller or the processor.

Data subjects may contact the data protection officer about all issues related to the processing of their data and to the exercise of their rights under this Regulation.

The DPO is bound by secrecy or confidentiality concerning the performance of his or her tasks. He may fulfill other tasks and duties however, the controller has to ensure that any such tasks and duties do not result in a conflict of interests.

The DPO - the Data Protection Officer, is the person in charge of GDPR compliance management. Details on his functions and missions

Role and missions of the Data Privacy Officer (GDPR)

Discover essential data privacy principles to protect personal information and ensure GDPR compliance. Learn best practices and strategies for effective data governance.

Data Privacy Principles: Comprehensive Guide

An in-depth analysis of the purpose limitation principle under GDPR, including legal foundations, case law, and practical implementation strategies.

What is the Principle of Purpose Limitation?


GDPR information notices are among the mandatory mentions that are important to comply with. Indeed, they will demonstrate whether an organization is in compliance or not with the European regulation.

We will see the list of information to be provided before looking at a practical example.

## I - The List of Information to Provide to be Compliant with the GDPR

The information to be provided to individuals whose personal data is being collected are as follows:

- The identity and contact details of the data controller and, where applicable, the data controller's representative.
- Where applicable, the contact details of the data protection officer;
- The purposes of the processing for which the personal data are intended as well as the legal basis for the processing;
- Where the processing is based on Article 6(1)(f), the legitimate interests pursued by the data controller or by a third party;
- The recipients or categories of recipients of the personal data, if any;
- Where applicable, the fact that the data controller intends to transfer personal data to a third country or international organization, and the existence or absence of an adequacy decision by the Commission, or, in the case of transfers referred to in Article 46 or 47, or Article 49(1) second paragraph, the reference to the appropriate or suitable safeguards and the means to obtain a copy of them or where they have been made available.

Additionally, the following supplementary information:

- The duration for which the personal data will be stored, or if that is not possible, the criteria used to determine that duration;
- The existence of the right to request from the data controller access to and rectification or erasure of personal data or restriction of processing concerning the data subject, or to object to processing as well as the right to data portability;
- Where processing is based on Article 6(1)(a) or Article 9(2)(a), the existence of the right to withdraw consent at any time, without affecting the lawfulness of processing based on consent before its withdrawal;
- The right to lodge a complaint with a supervisory authority;
- Information as to whether the provision of personal data is a statutory or contractual requirement, or a requirement necessary to enter into a contract, whether the data subject is obliged to provide the personal data, and the possible consequences of failure to provide such data;
- The existence of automated decision-making, including profiling, referred to in Article 22(1) and (4) and, at least in those cases, meaningful information about the logic involved, as well as the significance and the envisaged consequences of such processing for the data subject.

Note that the data controller is not required to provide these information if a person has already been informed once.

## II - A Practical Example of GDPR Notices

Here is a practical example of an information notice:

> Registration allows you to download the guide and receive communications on GDPR compliance as well as our product and service offers; the legal basis is Article 6.1.a of the European regulation on the protection of personal data (consent); the recipients of data are the data controller, its internal services in charge of the mailing list management, the subcontractor operating the web server management (Dupond Durand), as well as any legally authorized person to access the data (judicial services, if applicable). The duration of data processing is limited to the time you are registered for our communication services, it being understood that you can withdraw your consent and unsubscribe at any time by clicking on the unsubscribe link at the bottom of each email. The server on which the mailing list is hosted is hosted by Durand Durand, which implies that your data may be transferred outside the EU under Article 46.2.d of the GDPR – Durand Durand having provided the adequate protection clauses on the model established and approved by the European Commission. You can find more information about these clauses here: https://durand.durand. You have the right to request the data controller access to personal data, rectification or erasure of such data, or a limitation of the processing concerning the data subject, or the right to object to the processing and the right to data portability. The data controller is SARL Dupont Dupont. You also have the right to lodge a complaint with a supervisory authority. Providing your email is necessary to receive the aforementioned communications and is entirely optional.





Here is the list of GDPR information notices that you must mandatorily provide before collecting personal data

GDPR Information notices, a few things you need to know

The GDPR introduced an interesting new concept to ensure the protection of personal data : the notion of *"privacy by design"*. In fact, to be completely exact, the GDPR distinguishes two ideas : the idea of ​*privacy by design* and the idea of *​privacy by default*. These concepts originally came from the Commissioner of the Canadian Agency for the protection of personal data (Dr. Anne Cavoukian) who developed a series of principles in 2010 to take privacy into account straight from the design of processing systems.

The GDPR welcomed this idea but from a rather specific angle. Therefore it's necessary to understand these concepts(1) before clearly looking at their impmentation in the GDPR that really differs (2). Finally we will look implementation in practice (3).

## I. - What is privacy by default and privacy by design ?

The principle is quite simple : privacy by design is the idea that the **protection of privacy must be taken into account at the very moment of designing an IT system**. For Apple for example, it's the idea that the company need to propose an option to encrypt hard drives to it's users. So, in the event of loss or theft, encryption will keep personal data confidential.

This concept differs from privacy by default, which is the idea that - when protection measures are set, they must be activated by default. In the case of Apple, it means that in the settings, the checkbox "encrypt the data on my hard drive" should be checked by default - as soon as the laptop is delivered to the user, in order to avoid any additional effort which might not systematically be carried out.

**The details of the Canadian proposal and the 7 principles**

Let's take a look at the [Canadian proposal](https://www.ipc.on.ca/wp-content/uploads/resources/7foundationalprinciples.pdf) of 2010 and the principles of data protection by design and default originally set : 

1. "Proactive not reactive—preventative not remedial. Anticipate, identify, and prevent invasive events before they happen; this means taking action before the fact, not afterward."
2. "Lead with privacy as the default setting - Ensure personal data is automatically protected in all IT systems or business practices, with no added action required by any individual."
3. "Embed privacy into design - Privacy measures should not be add-ons, but fully integrated components of the system."
4. "Retain full functionality (positive-sum, not zero-sum) - Privacy by Design employs a “win-win” approach to all legitimate system design goals; that is, both privacy and security are important, and no unnecessary trade- offs need to be made to achieve both."
5. "Ensure end-to-end security - Data lifecycle security means all data should be securely retained as needed and destroyed when no longer needed."
6. "Maintain visibility and transparency—keep it open - Ensure stakeholders that business practices and technologies are operating according to objectives and subject to independent verification."
7. "Respect user privacy—keep it user-centric - Keep things user-centric; individual privacy interests must be supported by strong privacy defaults, appropriate notice, and user-friendly options."

In summary, here are the rules to take into account when designing an information system :

1. Anticipate privacy risks 
2. Enable all privacy-protecting options by default
3. Plan for privacy as a central function 
4. Do not limit system functionality in return for privacy protection
5. Ensure end-to-end IT security
6. Maintain the transparency of the processing carried out by the IS
7. Respect the privacy of users and provide this as an additional benefit offered to users

However the GDPR took a completly different direction for implementation of these ideas.

### II. - What are the obligations imposed by Privacy By Design in the GDPR?

Unfortunately, as good as these ideas were, the GDPR took a completly different direction for their implementation - despite the title of art. 25 was kept the same: *Data protection by design and by default*. 

Let's look at the detail of article 25 :

> 1.Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, *the controller shall*, both at the time of the determination of the means for processing and at the time of the processing itself, *implement appropriate technical and organisational measures*, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing *in order to meet the requirements of this Regulation* and protect the rights of data subjects. 
> 2.The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual's intervention to an indefinite number of natural persons.

Upon reading article 25.1, we can legitimately wonder what it really brings in terms of legal obligations :

- if we summarize main obligation laid down by art. 25.1 we can establish that _“the controller implements (…) measures (…) in order to meet the requirements of this regulation”_. To sum up: the law requires the data controller to comply with the law. It doesn't add very much.
- Article 25.2 does not really do any better, as it indicates that the data controller ensures to collect the minimum amount of personal data. This might seem like a new rule of law, but it's not. It's a reminder of the principles set by article 5.1, which already imposes the controller to collect the minimum amount of data.

It is common, when faced with such a problem, to analyze the recitals of the text in order to determine what the intention of the legislator was. Recital 78 of the GDPR adds a bit more details to the article 25 :

> The protection of the rights and freedoms of natural persons with regard to the processing of personal data require that appropriate technical and organisational measures be taken to ensure that the requirements of this Regulation are met. In order to be able to demonstrate compliance with this Regulation, the controller should adopt internal policies and implement measures which meet in particular the principles of data protection by design and data protection by default. Such measures could consist, inter alia, of minimising the processing of personal data, pseudonymising personal data as soon as possible, transparency with regard to the functions and processing of personal data, enabling the data subject to monitor the data processing, enabling the controller to create and improve security features. When developing, designing, selecting and using applications, services and products that are based on the processing of personal data or process personal data to fulfil their task, producers of the products, services and applications should be encouraged to take into account the right to data protection when developing and designing such products, services and applications and, with due regard to the state of the art, to make sure that controllers and processors are able to fulfil their data protection obligations. The principles of data protection by design and by default should also be taken into consideration in the context of public tenders.

These provisions in mind, it is now difficult to find real new obligations that don't already exist within the GDPR : 
- principle of minimization (already set by art. 5) 
- principle of minimization over time (again set by art. 5)
- principle of data security (set by art. 5 and mostly art. 32)
- respect for the rights of individuals (art. 12 et seq.) etc.

The conclusion we could reach here is that we are confronted with a legislative bug, as article 25 just imposes obligations that were already set by other provisions. We could argue that these obligations make a specific distinction about the moment of implementation (when the IT systems are desgined). But the scope of the general obligations already apply to that : *Ubi lex non distinguit, nec nos distinguere debemus*

In realty, there's a specific category of persons that should have been targetted by the principles Privacy By Design: software editors. This is an real missing actor in the GDPR as if they do not process personal data, they have no obligation whatsoever in regard to the design of their systems. In reality, that's what the GDPR tried to aim at. GDPR targets Controllers, Processors, joint controllers, but never specifically software editors, or producers of IT equipements and it's a missing category, to which the principles set out in Article 25 should really be applied to. GDPR choose not to target these intermediaries who provide the tools to operate the data processing. As a result, the obligations set by article 25 are a bit of a miss. It is likely that the next revision of the regulations - probably around 2035-2040 - will address that issue.

In the meantime, we must do our best to try to give meaning to the intention of the legislator.

### III. - Operational actions that can be taken to implement privacy by default and privacy by design

Fortunately, even if the article 25 lacks structure, it's possible to build a clear step by step processes to implement the principles of privacy by design : 

For example let's take the one requirement : transparency. This can be translated into a operational process:

- Clarity – Information delivered to the user shall be in clear and plain language, concise and intelligible 
- Semantics – Communication should have a clear meaning to the audience in question (ex : children)
- Accessibility - Information shall be easily accessible for the data subject (materially, user should not have to do efforts to access the inforamtion about the processing activity)
- Contextual – Information should be provided at the relevant time and in the appropriate form
- Relevance – Information should be relevant and applicable to the specific data subject
- Universal design – Information shall be accessible to all data subjects, include use of machine readable languages to facilitate and automate readability and clarity
- Comprehensible – Data subjects should have a fair understanding of what they can expect with regards to the processing of their personal data, particularly when the data subjects are children or other vulnerable groups
- Multi-channel – Information should be provided in different channels and media, not only the textual, to increase the probability for the information to effectively reach the data subject
- Layered – The information should be layered in a manner that resolves the tension between completeness and understanding, while accounting for data subjects’ reasonable expectations.

Controllers should then do the work of translating each requirement into operational tools, or [use our pre-built templates inside Legiscope](https://www.legiscope.com)

The GDPR introduced a new concept of privacy by design that must be implemented in all IT projects, here's the details about the legal obligation and how to implement

GDPR and AML, what can go wrong ?

Témoignages

Articles connexes