New guidelines on security of processing and data protection by design and by default


The guidelines will help authorities and the private sector to understand the requirements on security of processing and data protection in the General Data Protection Regulation (GDPR). The guidelines review the two provisions in the GDPR and the requirements these entail. Furthermore, it introduces a large number of examples of technical and organisational security measures that can be implemented to ensure compliance with the GDPR.

The guidelines are divided into two parts. Security of processing is dealt with in the first part, and data protection by design and by default is covered in the second part.

Since the General Data Protection Regulation has entered into force, its rules must be complied with by the data controller (the natural or legal person who determines the purpose and means of processing personal data) and the data processor (the natural or legal person which processes the personal data). Therefore, it is crucial that those who process and work with data implement adequate security of processing procedures. Security of processing is regulated in Article 32 of the GDPR, and in general it requires the person responsible for data processing, whether it be the data controller or the data processor, to implement an appropriate level of security for the data processing carried out.

In addition to appropriate security of processing, it is also important that the controller comply with the requirements in the GDPR on data protection by design and by default (Article 25 of the GDPR). 

Part 1 of the guidelines

Requirements for security

This section contains a description of the requirements for security of processing and then reviews the responsibility for processing as well as protection of personal data. Among other things, security of processing entails ensuring that unauthorised persons do not have access to the data.

Part 2 of the guidelines

This section describes data protection by design and data protection by default.

Data protection by design

Data protection “by design" means incorporating data protection at an early stage in the development of the digital system. Thus, from the time of the determination of the means for processing, the data controller should implement appropriate technical and organisational measures in order to ensure effective implementation of the fundamental data-protection principles.

Data protection by default

Data protection by default is about activating compulsory data protection for ICT technical settings and organisational procedures. The data controller should therefore ensure, that only the personal data that is necessary for each specific purpose of the processing, is processed.

Primary considerations

The guidelines have been drawn up on the basis of two primary considerations. The first of these is on the basis of a desire to reflect the practical reality within which businesses and public authorities are operating. The second is a natural interplay between, on the one hand, the requirements of the GDPR and, on the other hand, data protection by design and by default.

Read the guidelines in Danish here.