Why care about Personal Data Protection by Design: Deutsche Wohnen case

Category

Research

Published

June 28, 2024

What is personal data protection by design?

Personal data protection by design (privacy by design) is one of the core demands of GDPR (Article 25) relevant to the software engineering and IT industry. In a nutshell, this article states that companies obtaining personal data from users and processing it (a.k.a. personal data controllers) shall implement the required technical and organizational measures for GDPR compliance while designing their products and services. Privacy by design essentially makes organizations responsible for non-compliance of software-intensive products and services that they use. In other words, if your system is designed and/or functions in a way that is non-compliant with GDPR, in many cases, it automatically means that your organization breaches GDPR.

Privacy by design is important to consider in light of the principle of accountability (Article 5), stating that data controllers are responsible for demonstrating the implementation of compliance. Essentially, it means that the inability to demonstrate compliance can also be considered non-compliance to GDPR demands. These two articles (25 and 5) establish the basis of the responsibility of IT and software development teams in any organization regarding the GDPR. However, implementation of these principles in practice can be challenging, and non-compliance can result in significant fines.

The Case of Deutsche Wohnen

One example of a breach of the principle of privacy by design is a fine of 14 million euros imposed on Deutsche Wohnung in 2019. While the court case contesting the fine is still considered in courts, it constitutes a good example to consider.

The follow-up inspection conducted in March 2019 found that previously identified violations were not addressed, and only preliminary preparations to do that were completed. Deutsche Wohnen informed the Commissioner that the electronic filing system in question had already been decommissioned and that the data would be imminently migrated to the new storage system. Nevertheless, the Commissioner considered that to be a violation and, in October 2019, imposed a fine of 14.5 million euros against the company for an infringement of Article 25 (1) GDPR and Article 5 GDPR.

The follow-up inspection conducted in March 2019 found that previously identified violations were not addressed, and only preliminary preparations to do that were completed. Deutsche Wohnen informed the Commissioner that the electronic filing system in question had already been decommissioned and that the data would be migrated to the new storage system immediately. Nevertheless, the Commissioner considered that to be a violation and, in October 2019, imposed a fine of 14.5 million euros against the company for an infringement of Article 25 (1) GDPR and Article 5 GDPR.

Further court proceedings confirmed that organizations can be fined directly for GDPR violations without establishing the responsibility of concrete employees. This decision essentially confirmed that companies can be held accountable for GDPR violations in software products and services that they use.

Technical Takeaways

As the case of Deutsche Wohnen shows, embedding technical measures in the design of your system is a cornerstone  of GDPR compliance. While organizations can implement organizational measures like policies to make their employees manually delete personal data, these measures are not reliable enough to guarantee compliance. Nobody would like to discover that their responsible employees reported the deletion of personal data, but the data was not physically deleted from storage. This can happen not only as a result of employees’ negligence but also the complexity of systems. Implementation of technical controls by design can help organisations minimize the required manual efforts and streamline compliance.

The basis for the implementation of GDPR compliance measures, by design, is to make sure you can specify system requirements deriving from GDPR and have an understanding of the components of your system that need to be changed or introduced. Requirements engineering methods play a key role here, by establishing traceability to the text of GDPR, making sure that legal experts can be involved in validating compliance, and finally providing evidence of compliance. In the case of Deutsche Wohnen, it was essential to identify the requirement for any data storage, including archive systems, to have data deletion measures implemented.

Good architecture plays a key role in the effective implementation of such system requirements deriving from GDPR. For example, the flexibility of architecture could help Deutsche Wohnen to address GDPR violations immediately and implement data deletion functionality, rather than continue to be non-compliant and risk fines. Established architectural practices should help easily and effectively implement the required changes.

Such architectural practices should be underpinned by the management of software engineering assets and artifacts applied for the development of GDPR-compliant architecture. For example, managing requirements artifacts, compliance documentation, architectural patterns, and ways of working for the implementation of the architecture are some of the measures which can be applied.

Good architecture can also enable the separation and appropriate management of regulatory concerns. Thus, both minimizing the impact of regulations on software products and reducing the probability of non-compliance.

Conclusion

Violation of personal data protection by design (a.k.a. privacy by design) is one of the core technical reasons for digitalized organizations to be non-compliant with GDPR. Fines for the violation can reach up to 10,000,000 EUR, or up to 2 % of the total worldwide annual turnover. Implementation of privacy by design in practice demands appropriate requirements for engineering methods and architectural practices. These will not only help to achieve compliance but also improve the quality of software-intensive products and services and their value for end users.

Requirements engineering for the development of architecture for GDPR compliance is one of the ongoing tracks of collaboration between Redeploy and BTH.

Sources:

Written by

Oleksandr Kosenkov