On 13 November 2019, the European Data Protection Board (EDPB) adopted guidelines on Data Protection by Design and by Default (DPbDD), open for public consultation until 16 January 2020. The guidelines provide an in-depth analysis of the components that make up DPbDD under GDPR article 25. We highlight below some of the key definitions.


DPbDD refers to the effective implementation of data protection principles and data subjects’ rights and freedoms by Design and by Default. Controllers must be able to demonstrate that they have effectively put in place appropriate technical and organizational measures and safeguards. Incorporating such measures from the start of project planning or product design, and embedding data protection considerations through to the launch phase, is more effective and proactive than a retrospective approach. This means that data protection practices and considerations must be ‘baked in’ to business practices and processing activities from the start. Although DPbDD primarily concerns controllers, processors and other parties are advised to take note as they work with controllers to fulfil the latter’s obligations under GDPR article 25.

The UK’s Information Commissioner (ICO) has published draft GDPR guidance on contracts and liabilities between controllers and processors. The draft guidance is currently open for consultation, with responses due by 10 October 2017.

The purpose of the guidance is to help organisations understand what needs to be included in written contracts between controllers and processors under the General Data Protection Regulation (GDPR). It also looks at the responsibilities and liabilities of controllers and processors.

Written contracts

Under the GDPR, a written contract must be in place when a controller uses a processor to process personal data. This is not a new concept, as data processing agreements are already used to satisfy the security requirements under the Data Protection Directive (95/46/EC). The GDPR, however, is wider in scope and now sets out specific terms that must be included in such contracts; for example, the subject matter and duration of the processing, the nature and purpose of the processing, the type of personal data to be processed, the categories of data subjects, and the obligations and rights of the controller. See Article 28.3 of the GDPR and page 12 of the draft guidance for further details.

The GDPR also allows for the use of standard contractual clauses issued by the European Commission or a supervisory authority (such as the ICO), and of approved codes of conduct or certification schemes that processors can sign up to; however, these are not available yet.