The Spanish data protection agency (AEPD) has published the Guide to the protection of data by Default (PDpD), which offers a practical vision to help implement this principle to the treatment of data along the lines set out in regulation General data protection (RGPD) and in the guidelines adopted by the european committee for the protection of Data.
The recipients of this document are responsible for treatment and delegates of data protection, in addition to those units or departments within the responsible entity are responsible for the design, selection, development, deployment, and exploitation of applications and services. It was also advised its consultation to suppliers, developers, or the extent that provide products and services to responsible and seek to comply with the requirements of the PDpD laid down in regulation.
The concept of privacy by default refers to only be the object of processing personal data that are strictly necessary and sufficient to each of the purposes of treatment. Therefore, irrespective of the body of data gathered by the responsible, It must segmenting the use of the set of data between the different treatments and between different phases of treatment, so that not all operations carried out within the framework of a treatment are implemented on all data, but to act only on those who may be required and at the time strictly necessary.
The RGPD requires responsible of a default configuration of the treatments that are respectful of data protection principles, advocating a minimally intrusive processing (minimal amount of personal data, minimal volume of treatment, minimum term minimum maintenance and accessibility to personal data). All this without the intervention of the person whose data are treated to ensure these minimal.
The Guide discusses the measures to continue to implement the protection of data by default. As stated in the European Committee for the protection of Data Guidelines on article 25 in relation to the protection of data from the design and by default the implementation of those measures focuses optimization strategies configurability, and restriction.
The objective of optimization is to analyse the treatment in terms of data protection, which is to implement measures in relation to the number of data collected, the length of treatment, their preservation and accessibility. The second strategy is the configuration of services, systems or applications, which should permit the establishment of parameters or options to determine the form in which they were going to carry out the treatment, and that they could be modified by the responsible and even by the user. For its part, the restriction ensures that, by default, the treatment is the most respectful with privacy, so that the configuration options are brought into line by default, those values that limit the amount of data collected, the length of treatment, their preservation and accessibility.
Has also been included a separate editable with actions to implement the data protection strategy by default. In particular, it is action on the amount of personal data collected; the length of treatment; the preservation or accessibility of data. This paragraph is also included in a separate table for the guide so that it can be used by those responsible. In Addition, the guide is a chapter to the documentation and auditing standards necessary to prove compliance with the rule. As establishes the principle of responsibility proactive, the responsible shall implement the measures necessary to ensure and to the treatment of data meets the RGPD.