The General Data Protection Regulation (GDPR) brought plenty of innovations in the data protection legal landscape, many benefits for privacy-conscious consumers, and just as many obligations for EU (and non-EU) businesses.

Data protection by design and data protection by default are two good examples of such novelties introduced by the GDPR – and of the benefits their implementation brings to people, as well as the requirements it places on companies.

Would you like to master these concepts? Keep reading and learn more!


What is data protection by design?

Data protection by design is a GDPR principle requiring that any action a company takes involving the processing of personal data be done with data protection and privacy in mind at every step.

Whenever a data controller initiates internal projects, product development, IT systems implementation, they must ensure that the necessary safeguards are in place to meet GDPR requirements and protect the rights of data subjects.

These safeguards are defined by the GDPR as appropriate technical and organizational measures. Examples are the use of:

  • encryption (encoding messages so that only those authorized can read them).
  • pseudonymization (replacing personally identifiable information with data that cannot be attributed to a specific data subject without the use of separately kept additional information). It is worth pointing out here that recently (in June 2021) pseudonymization was highlighted by the European Data Protection Board (EDPB) and the European Commission as the state-of-the-art technical supplementary measure for the ongoing lawful transfer of personal data to third countries under the “Schrems II” ruling by the Court of Justice of the European Union (CJEU).
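To make the pseudonymization definition above concrete, here is an added example (not code from the original article or from Penneo) showing the two halves that the GDPR definition requires: a dataset in which direct identifiers have been replaced by keyed tokens, and the "separately kept additional information" (the key and a lookup table) without which the tokens cannot be attributed to a person. The records, field names and the use of HMAC-SHA256 as the tokenization function are assumptions made for this illustration.

```python
import hashlib
import hmac
import secrets

# Constructed sample records for illustration only; these are not real people.
RAW_RECORDS = [
    {"name": "Alice Example", "email": "alice@example.com", "signed_at": "2021-06-01", "document": "contract-42"},
    {"name": "Bob Example", "email": "bob@example.com", "signed_at": "2021-06-02", "document": "contract-42"},
    {"name": "Alice Example", "email": "Alice@Example.com", "signed_at": "2021-06-03", "document": "nda-7"},
]

# Fields that directly identify a data subject and must not appear in the
# pseudonymized dataset. Assumed field names for this example.
DIRECT_IDENTIFIERS = ("name", "email")


def new_pseudonymization_key() -> bytes:
    """Generate a fresh secret key. Store it apart from the pseudonymized data."""
    return secrets.token_bytes(32)


def pseudonym(key: bytes, value: str) -> str:
    """Deterministic keyed token: the same person yields the same token under the
    same key, so records stay linkable for analytics, but without the key the
    token cannot be reversed or recomputed from a guessed identifier."""
    normalized = value.strip().lower().encode("utf-8")
    return hmac.new(key, normalized, hashlib.sha256).hexdigest()


def pseudonymize(records, key):
    """Return (pseudonymized_records, lookup_table).

    The lookup table maps token -> original value. Together with the key it is
    the 'separately kept additional information' of the GDPR definition and must
    be stored under separate access controls from the pseudonymized records."""
    lookup = {}
    pseudonymized = []
    for record in records:
        new_record = dict(record)
        for field in DIRECT_IDENTIFIERS:
            if field in new_record:
                token = pseudonym(key, new_record[field])
                lookup[token] = new_record[field].strip().lower()
                new_record[field] = token
        pseudonymized.append(new_record)
    return pseudonymized, lookup


def reidentify(record, lookup):
    """Restore direct identifiers; only possible for whoever holds the lookup table."""
    restored = dict(record)
    for field in DIRECT_IDENTIFIERS:
        if field in restored:
            restored[field] = lookup[restored[field]]
    return restored


def contains_direct_identifiers(pseudonymized_records, raw_records) -> bool:
    """Check that no raw identifier value leaked into the pseudonymized dataset."""
    raw_values = {
        r[f].strip().lower() for r in raw_records for f in DIRECT_IDENTIFIERS if f in r
    }
    for record in pseudonymized_records:
        for field in DIRECT_IDENTIFIERS:
            if field in record and record[field].strip().lower() in raw_values:
                return True
    return False


if __name__ == "__main__":
    key = new_pseudonymization_key()
    dataset, table = pseudonymize(RAW_RECORDS, key)
    # The analytics team receives `dataset`; `key` and `table` stay elsewhere.
    print("same person linkable across records:", dataset[0]["email"] == dataset[2]["email"])
    print("identifiers leaked:", contains_direct_identifiers(dataset, RAW_RECORDS))
    print("re-identified with table:", reidentify(dataset[0], table)["email"])
```

The design choice worth noting is the separation: the analytics copy of the data carries only tokens, while the key and the token-to-identity table live under separate access controls. Rotating the key produces an entirely different set of tokens, which is how a controller can cut the link between an old pseudonymized dataset and the people it described.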

Applying the data protection by design principle in practice minimizes privacy risks and increases trust by placing data protection at the forefront of developing new goods or services. As a result, this principle helps avoid possible data protection issues at an early stage and raises awareness about data protection across all departments and levels of a company.


What is data protection by default?

Data protection by default is a GDPR principle requiring that companies always make the most privacy-friendly settings the default settings.

For instance, once a product or service is released to the public, the strictest privacy settings should be applied by default, without any manual input from the end-user. If two privacy settings are possible and one of them prevents personal data from being accessed by others, this should be used as the default setting.

The data protection by default principle also applies to data processing. The data controller must ensure that, by default, only personal data necessary for each specific purpose of the processing is processed. The same obligation applies to the amount of personal data collected, the extent of their processing, their storage period, and their accessibility.


Does Penneo comply with the data protection by design and by default principles?

At Penneo, we have fully embedded these two GDPR principles in our operational systems and embraced the GDPR; today, the starting point for everything we do is to acknowledge our responsibility to protect our customers’ privacy.

We have implemented appropriate technical and organizational measures to prevent and mitigate vulnerabilities, breaches, and leaks while promoting a stronger awareness of information security and data protection within our organization.

The GDPR (art. 32) also requires the implementation of technical and organizational measures that ensure a level of data security appropriate for the level of risk presented by processing personal data. In order to meet this requirement:

  • Penneo’s IT governance is based on ISO/IEC 27001:2013.
  • We implemented the technical and organizational measures that allow pseudonymization and encryption of personal data while maintaining ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
  • Penneo receives a yearly ISAE 3000 report attesting to the effectiveness of our security measures and their alignment with the Trust Services Criteria (TSC). Thus, our customers can be confident that their data is handled according to best practices regarding data security, availability, integrity, confidentiality, and privacy.
  • We regularly test, assess, and evaluate the effectiveness of our technical and organizational measures as part of our risk-based security management framework.
  • Our IT systems, websites, and all the customer data we hold are backed up in data centers located in the EU (Germany and Ireland). On no occasion is any data ever transferred outside the EU. Penneo is, therefore, not affected by the invalidation of the Privacy Shield – and the same goes for you if you only handle your documents via Penneo.


How Penneo can help you comply with GDPR

When using Penneo, it is up to the individual customer to configure the security level for accessing and managing documents, but we always advise our users to choose the strictest settings applicable to their specific use case. In the most stringent configuration, all access to customer data is restricted using multi-factor authentication, and data is always transmitted over end-to-end encrypted channels.

Would you like to find out more about how we can help you meet the data protection requirements? Reach out to us, or get started today for free!


