One of the requirements of the GDPR is privacy and security by design. Even now, a few months after the enforcement of the Regulation, there is still uncertainty about how to implement privacy by design. One reason for this is that the law does not specifically require certain security methods to be used. Certain methods are suggested, such as pseudonymisation, encryption or anonymisation, but ultimately “the controller and the processor shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk” (Art. 32 (1)).

This means an organization should consider not just the state of the art, since the newest method is not always necessary, but also the type, scope, purpose and circumstances of the processing.

Until the GDPR, many saw security and privacy as one of the final layers of their product. However, the principle of “privacy by design” underlines that this approach is wrong and that privacy should be considered from the early stages of product development. Security methods to consider include, but are not limited to, encryption, pseudonymisation and, where possible, anonymisation.


Articles: 25

Recitals: 78