In the aftermath of large-scale data breaches and illegal processing of personal data, it has become apparent that data protection legal obligations need to be backed-up by robust technological protection measures. The principles of data protection by design and default, as enshrined in GDPR, can broadly support this approach, however the practical implementation of these principles are far from advanced. Software developers lack best practice examples, while data controllers struggle to select the appropriate solutions for their processing operations in a market flooding with software of disputable quality. In the light of new technological challenges, such as advanced tracking techniques and autonomous agents, the aim of the panel is to discuss how technology can be shaped around GDPR requirements and focus on specific best (and bad) practices in the field.
• What is the role of pseudonynisation in GDPR?
• Are there ‘good’ and ‘bad’ pseydonymisation practices?
• What is the role of cryptographic mechanisms in data protection by design?
• Which technologies can help implement data minimisation?
• Who should determine the default settings and how?
• Can valid consent be obtained via default device settings?