How to Demonstrate Compliance With GDPR Article 25

Data Protection by Design and by Default

Book a demo

young,female,entrepreneur,freelancer,working,using,a,laptop,in,coworking

GDPR Article 25 deals with data protection by design and by default.

This concept ensures that the data controller considers a data subject’s privacy at every stage of their operation, and designs data processing operations that put GDPR at the heart of a set of objectives.

In order to achieve this, organisations must first define a distinct set of privacy objectives, before undertaking the engineering and subsequent implementation of a data processing operation (or, by proxy, a product).

GDPR Article 25 Legal Text

EU GDPR Version

Data protection by design and by default

  1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
  2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
  3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

UK GDPR Version

Data protection by design and by default

  1. Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.
  2. The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.
  3. An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

If you don’t use ISMS.online, you’re making your life more difficult than it needs to be!
Mark Wightman
Chief Technical Officer Aluma
100% of our users pass certification first time
Book your demo

Technical Commentary

When an organisation sets out to craft a data processing operation that adheres to data protection ‘by design’ and ‘by default’, there are several major factors to take into account:

  • Technological developments.
  • Implementation cost.
  • The nature of the operation (context and purpose).
  • Risks and the freedoms of the individual.
  • Scope (i.e. where data is to be collected).
  • Data minimisation.
  • The concept of ‘appropriate’ measures.

ISO 27701 Clause 5.2.1 (Understanding the Organisation and Its Context) and EU GDPR Article 25 (3)

Organisations need to undergo a mapping exercise that lists both internal and external factors relating to the implementation of a PIMS.

The organisation needs to be able to understand how it’s going to achieve its privacy protection outcomes, and any issues that stand in the way of safeguarding PII should be identified and addressed.

Before attempting to address privacy protection and implement a PII, organisations need to first gain an understanding of their obligations as a singular or joint PII controller and/or processor.

This includes:

  • Reviewing any prevailing privacy laws, regulations or ‘judicial decisions’.
  • Taking into account the organisation’s unique set of requirements relating to the kind of products and service they sell, and company-specific governance documents, policies and procedures.
  • Any administrative factors, including the day-to-day running of the company.
  • Third party agreements or service contracts that have the potential to impact upon PII and privacy protection.

ISO 27701 Clause 6.10.2.4 (Confidentiality or Nondisclosure Agreements) and EU GDPR Article 25 (1)(f)

Organisations should utilise non-disclosure agreements (NDAs) and confidentiality agreements to protect the wilful or accidental divulgence of sensitive information to unauthorised personnel.

When drafting, implementing and maintaining such agreements, organisations should:

  • Offer a definition for the information that is to be protected.
  • Clearly outline the expected duration of the agreement.
  • Clearly state any required actions, once an agreement has been terminated.
  • Any responsibilities that are agreed by confirmed signatories.
  • Ownership of information (including IP and trade secrets).
  • How signatories are allowed to use the information.
  • Clearly outline the organisation’s right to monitor confidential information.
  • Any repercussions that will arise from non-compliance.
  • Regularly reviews their confidentiality needs, and adjust any future agreements accordingly.

Confidentiality laws vary from jurisdiction to jurisdiction, and organisations should consider their own legal and regulatory obligations when drafting NDAs and confidentiality agreements (see ISO 27002 Controls 5.31, 5.32, 5.33 and 5.34).

Supporting ISO 27002 Controls

  • ISO 27002 5.31
  • ISO 27002 5.32
  • ISO 27002 5.33
  • ISO 27002 5.34

ISO 27701 Clause 6.11.2.1 (Secure Development Policy) and EU GDPR Article 25 (1)

Organisations need to ensure that the development lifecycle is created with privacy protection in mind.

To achieve this, organisations should:

  1. Operate with separate development, testing and development environments (see ISO 27002 Control 8.31).
  2. Publish guidance on privacy protection throughout the development lifecycle, including methodologies, coding guidelines and programming languages (see ISO 27002 Controls 8.28, 8.27 and 5.8).
  3. Outline security requirements in the specification and design phase (see ISO 27002 Control 5.8).
  4. Implement security checkpoints in all relevant projects (see ISO 27002 Control 5.8).
  5. Undertake system and security testing, including code scans and penetration tests (see ISO 27002 Control 5.8).
  6. Offer secure repositories for all source code (see ISO 27002 Controls 8.4 and 8.9).
  7. Exercise stringent version control procedures (see ISO 27002 Control 8.32).
  8. Offer staff privacy protection and application security training (see ISO 27002 Control 8.28).
  9. Analyse a developers ability to locate, mitigate and eradicate vulnerabilities (see ISO 27002 Control 8.28).
  10. Document any prevailing or future licensing requirements (see ISO 27002 Control 8.30).

Supporting ISO 27002 Controls

  • ISO 27002 5.8
  • ISO 27002 8.4
  • ISO 27002 8.9
  • ISO 27002 8.27
  • ISO 27002 8.28
  • ISO 27002 8.30
  • ISO 27002 8.31

See ISMS.online
in action

Book a tailored hands-on session
based on your needs and goals
Book your demo

We’re cost-effective and quick

Discover how that will boost your ROI
Get your quote

ISO 27701 Clause 6.11.2.5 (Secure Development Environment) and EU GDPR Article 25 (1)

Organisational system should be designed, documented, implemented and maintained with privacy protection in mind:

Engineering principles should analyse:

  • A broad range of security controls that are required to protect PII against specific and generalised threats.
  • How well-equipped security controls are to deal with major security events.
  • Targeted controls that are distinct to individual business processes.
  • Where on the network and how security controls should be implemented.
  • How various controls work in harmony with one another.

Engineering principles should take into account:

  1. Architectural integration.
  2. Technical security measures (encryption, IAM, DAM etc.)
  3. How well equipped the organisation is to implement and maintain the chosen solution.
  4. Industry best-practice guidelines.

Secure systems engineering should encompass:

  • Well-established industry-standard architectural principles.
  • A wide-ranging design review that pinpoints vulnerabilities and helps to form an end-to-end approach to adherence.
  • Full disclosure of any security controls that do not meet the expected requirements.
  • System hardening.

Organisation’s should default towards a ‘zero trust’ approach to security.

Where the organisation outsources development to third-party organisations, efforts should be made to ensure that the partner’s security principles are aligned with the organisation’s own.

Supporting ISO 27002 Controls

  • ISO 27002 5.15
  • ISO 27002 5.18
  • ISO 27002 8.2
  • ISO 27002 8.5

ISO 27701 Clause 7.4.2 (Limit Processing) and EU GDPR Article 25 (2)

Organisations should also only process PII if it is relevant, proportional and necessary to fulfil a stated purpose, including:

  1. Disclosure.
  2. Storage.
  3. Accessibility.

Supporting ISO 27701 Clauses and ISO 27002 Controls

GDPR ArticleISO 27701 ClauseISO 27002 Controls
EU GDPR Article 25 (3)ISO 27701 5.2.1None
EU GDPR Article 25 (1)(f)ISO 27701 6.10.2.4ISO 27002 5.31
ISO 27002 5.32
ISO 27002 5.33
ISO 27002 5.34
EU GDPR Article 25 (1)ISO 27701 6.11.2.1ISO 27002 5.8
ISO 27002 8.4
ISO 27002 8.9
ISO 27002 8.27
ISO 27002 8.28
ISO 27002 8.30
ISO 27002 8.31
EU GDPR Article 25 (1)ISO 27701 6.11.2.5ISO 27002 5.15
ISO 27002 5.18
ISO 27002 8.2
ISO 27002 8.5
EU GDPR Article 25 (2)ISO 27701 7.4.2None

How ISMS.online Helps

We provide you with a pre-built environment where you can describe and demonstrate how you protect the data of your European and UK customers.

The ISMS.online platform has built-in guidance at each step combined with our ‘Adopt, Adapt, Add’ implementation approach so the effort required to demonstrate your approach to GDPR is substantially reduced.

You will also benefit from a range of powerful time-saving features.

  • ROPA made easy
  • Assessment templates
  • A secure space for DRR (Data Subject Rights Requests)
  • Breach management

Find out more by booking a short 30 minute demo.

Discover our platform

Book a tailored hands-on session
based on your needs and goals
Book your demo

Simple. Secure. Sustainable.

See our platform in action with a tailored hands-on session based on your needs and goals.

Book your demo
img

Explore ISMS.online's platform with a self-guided tour - Start Now