The Ultimate Manual To GDPR Article 25

The fact that businesses can face fines up to $22.07 million or 4% of their annual global revenues, whichever is higher, has also sent companies scurrying to come into GDPR compliance—or at least make a genuine attempt to comply with the regulations.

But going through the official legal text will only end up glazing your eyes with the sheer number of dense legal jargon terms filling the document.

Don’t worry. Today, we’ll translate one of the most important chapters of GDPR, Article 25, to make it easier for you to understand and implement.

What is GDPR Article 25 Anyway?

Article 25 of the GDPR wants you to consider data protection and security risks before you do anything. According to its requirements, you shouldn’t collect any more data than you need, and whatever data you do collect, you should pseudonymize.

Below, we’ll show you what the legal text says about Article 25, along with an easy-to-understand explanation so that your brain doesn’t get repulsed by the legalese.

Note: Before getting into the nitty-gritty, you should know what a controller is to make it easier for you to follow the text. Controllers are individuals or entities that determine the purpose and means of processing personal data either alone or in association with others.

Now, let’s break down the different clauses.

1) Taking into account the state of the art, the cost of implementation and the nature, scope, context and purposes of processing as well as the risks of varying likelihood and severity for rights and freedoms of natural persons posed by the processing, the controller shall, both at the time of the determination of the means for processing and at the time of the processing itself, implement appropriate technical and organisational measures, such as pseudonymisation, which are designed to implement data-protection principles, such as data minimisation, in an effective manner and to integrate the necessary safeguards into the processing in order to meet the requirements of this Regulation and protect the rights of data subjects.

Article 25(1) specifies the requirement for data protection by design.

It requires the controller to implement appropriate technical and organizational measures to effectively implement data protection principles. The controller is also responsible for integrating the necessary safeguards into the processing to protect the rights of data subjects. In other words, the controller is responsible for the design and implementation of their company’s data protection.

2) The controller shall implement appropriate technical and organisational measures for ensuring that, by default, only personal data which are necessary for each specific purpose of the processing are processed. That obligation applies to the amount of personal data collected, the extent of their processing, the period of their storage and their accessibility. In particular, such measures shall ensure that by default personal data are not made accessible without the individual’s intervention to an indefinite number of natural persons.

Article 25(2) specifies the requirement for data protection by default.

It requires the controller to implement appropriate technical and organizational measures so that only personal data that’s necessary for a specific purpose is processed by default. This obligation extends to all the collected data, the extent of processing, the storage period, and the accessibility of the stored personal data.

3) An approved certification mechanism pursuant to Article 42 may be used as an element to demonstrate compliance with the requirements set out in paragraphs 1 and 2 of this Article.

Article 25(3) states that if the controller adheres to an approved certification under Article 42, they can use this certification as a way of demonstrating compliance with the above requirements.

How GDPR Article 25 Works

Article 25 has two key principles—privacy by design and privacy by default—that underlie the entire GDPR.

For instance, Article 5(1) requires data processing to be limited to what is absolutely necessary given the purpose for which the data is collected (privacy by design) and be limited to only those who need to access the data (privacy by default).

Similarly, Article 32(1)(b) outlines businesses to consider the ongoing confidentiality, integrity, and availability of processing systems and services.

Despite the mandatory pseudonymization and data minimization technical measures, Article 25 allows controllers to determine which additional technical measures to take based on their respective data security and privacy requirements.

While they do have flexibility in that aspect, the controller has to follow certain organizational and technical strategies to comply with Article 25.

Here’s a rundown of what these strategies can include:

Organizational Strategies

  • Anonymizing or pseudonymizing data by not copying production databases for development, testing, or analytics.
  • Avoiding storing spreadsheets and other data sources in a local folder or in cloud-based storage applications (Eg: Dropbox, OneDrive, Google Drive, etc.).
  • Making encryption necessary for emails containing identifiable personal data.
  • Restricting email archive access to privileged users and monitoring their activity regularly.
  • Creating and implementing policies about bringing your own devices to see secured data.
  • Protecting personal data at rest, in motion, and in use using an existing database format.
  • Performing security activities like training staff, carrying out internal audits of processing activities, reviewing policies, and documentation of compliance.

Technical Strategies

  • Having ethical walls: Maintaining strict separation between business groups to comply with M&A requirements, government clearance, and so on.
  • Data masking: Anonymizing data via encryption/hashing, generalization, etc. Here, all the sensitive data is replaced by fictional yet realistic data in a bid to maintain operational and statistical accuracy.
  • User rights management: Identifying excessive, inappropriate, or unused, and unnecessary privileges.
  • Privileged user monitoring (PUM): Monitoring privileged user databases access and activities, and blocking any suspicious access or activity, if needed.
  • User tracking: Mapping web application end-user to the shared application/database user to the final data accessed.
  • VIP data privacy: Maintaining strict access control on critical data, such as data stored in multi-tier enterprise applications like SAP.

Example #1: Pseudonymization to Implement Data Protection by Design

You can replace personally identifiable material with artificial identifiers–this is what pseudonymization means. To boost the level of security further, encrypt messages and emails in a way that only authorized people can read them.

Example #2: Ensuring Limited Access to Implement Data Protection by Default

Social media platforms should be encouraged to set user profile settings in the most privacy-friendly settings. For instance, accessibility to every user’s profile on a social media channel should be limited from the very beginning so that it isn’t accessible by default to just anyone.

How to Get Started With GDPR Article 25

Article 25 of GDPR is formulated to prepare companies considering data privacy and data protection in every aspect of their business, ranging from product development to operations to rendering services.

To get started, you only need to remember and implement the three clauses of Article 25. Here’s a step-by-step rundown of how you can comply with the requirements of this specific GDPR chapter:

Step 1: Understand What to Do

You must set up appropriate technical and organizational measures to implement data protection principles while safeguarding individual rights. Since there is no one-size-fits-all solution or method, you’ll have to select a set of measures based on your unique circumstances.

The important thing here is to consider data protection issues from the beginning of any processing activity. You can then adopt appropriate policies and measures that meet the requirements of data protection by design and by default.

Below are a few examples of how you can do this:

  • Ensuring complete transparency with regard to functions and processing of personal data
  • Minimizing the processing of personal data
  • Prompt pseudonymization of personal data
  • Creating and improving security features
  • Allowing individuals to monitor the processing of personal data

Remember, this isn’t an exhaustive list. There are so many other measures to comply with data protection by design and default. So keep analyzing and improving to figure out what works best for you.

Step Two: Understand When to Do It

For implementing data protection by design, you have to start at the initial phase of any system, service, product, or process.

You can begin by considering your intended processing activities, the risk to individuals, and the possible measures you can take to comply with the data protection principles, and what you can do to protect individual rights. These considerations should include the following:

  • The costs of implementation of any measures
  • The nature, scope, context, and purpose of your processing
  • The risks your processing poses to the rights and freedoms of data subjects

Think of it as an information risk assessment for your security measures.

You can then take these considerations and move onto the next step, where you implement the data protection principles by applying actual technical and organizational measures and integrating safeguards into your processing.

It’s due to this why there’s no standard or uniform solution or process that you could potentially apply to every organization or processing activity. That said, you can apply measures:

  • When you are at the design phase of any processing activity
  • During the life-cycle of your processing activity

Step 3: Understand How to Put It Into Practice

You have to develop a set of actionable and practical guidelines for your organization, framed by your assessment of the posed risks and measures you can take.

Putting these concepts into practice, though, will depend on your respective circumstances—who you are, what you do, what resources you have available, and the nature of the data you process.

Of course, whatever organizational approach you take should achieve specific outcomes. To ensure this, you can:

  • Consider data protection issues as part of the design and implementation of systems, services, business practices, and products
  • Make data protection an essential component of the core functionality of your processing systems and services
  • Process only the necessary personal data in relation to your purpose, and make sure you use it for that purpose only
  • Adopt a ‘plain language’ policy for public documents so that individuals can understand what you plan on doing with their personal data
  • Make the identity and contact information of those responsible for data protection public so it’s freely available to individuals as well as within your organization
  • Give individuals tools that help them understand how you’re using their personal data, and whether you’re enforcing your policies properly
  • Offer strong privacy defaults, user-friendly options and controls, and respect user preferences