Companies must use software with built-in, default privacy settings to comply with European law, according to guidance from the bloc’s data protection board.
Data anonymization and minimization should be standard in software for personal data processing, even in systems that pre-date the 2018 General Data Protection Regulation, the board said in guidance released Thursday.
The built-in, default privacy settings are “absolutely essential” to ensure the security of personal data, said Veronica Jarnskjold Buer, specialist director at the Norwegian Data Protection Authority and a member of the team that formulated the guidelines.
“Under the GDPR, this is a mandatory requirement,” Jarnskjold Buer said. “Pre-GDPR, it had been voluntary.”
The European Data Protection Board guidance is the result of two years of work in defining best practices under the GDPR’s Article 25. That article mandates the use of so-called Data Protection by Design and Default, or DPbDD, Norway’s agency said.
Software development teams are “key people” and should aim to demonstrate DPbDD compliance in the lifecycle of their product, Jarnskjold Buer said. “It is important that developers and suppliers understand their obligations.”
There have been significant changes in the updated guidance compared with an earlier version, said London-based Bird & Bird attorney Matthew Buckwell.
“The guidelines make it clear that legacy systems are clearly in scope in the same way as new systems, and if the legacy system does not meet GDPR obligations then it cannot be used to process personal data,” Buckwell said.
Legacy systems may be the “key risk” companies face in possibly violating the landmark privacy law, he said. The changes may “add considerable cost for companies that rely on older, integrated systems that are not easily updated or removed.”