Article 25 of the GDPR sets out two ways by which a controller can protect the data of the data subjects. One way is by design and the other way is by default.
Data protection by design means implementing technical and organizational measures that protect the rights of data subjects. These measures can include the following:
- pseudonymisation
- data minimization
- transparency
- monitoring of data processing
- security features
The above list is not exhaustive, and the measures must be chosen after taking into account factors such as the cost of implementation, the state of the art in protecting the data of data subjects, the risks associated with the processing, and the nature, scope, context and purposes of the processing.
The measures must be implemented both at the initial stage, when the means of processing are being decided, and at the time of the processing itself.
Data protection by default means that the measures implemented ensure that only relevant data is captured, and only to the extent required for the purpose of the processing. No data shall be processed that is beyond the scope and purpose of the processing. This measure puts the principles of the GDPR into practice and limits the damage if the data is breached in any eventuality.
Finally, to demonstrate compliance with Article 25, the controller may use a certification mechanism as embodied in Article 42.
The GDPR places the onus of data protection on the controller. It is a humongous responsibility that the controller must fulfil to avoid any kind of risk to the data of the data subjects and to instill confidence in their minds.