The AEPD Privacy Guide is now available, to ensure data protection criteria are included in the design of healthcare products and services


The Agència Espanyola de Protecció de Dades [Spanish Data Protection Agency] (AEPD) recently published its Guia de Privacitat des del disseny [Guide to Privacy by Design] in order to provide guidelines to ensure that data protection principles and privacy requirements are built into new products and services right from the design stage. The Guide is addressed to managers and other stakeholders involved in processing personal data, such as healthcare and service providers, product and app developers and device manufacturers.


Although the concept of privacy by design was accepted during the 32nd International Conference of Data Protection and Privacy Commissioners, it wasn’t until the General Regulation for Data Protection (GDPR) made it a legal requirement, by incorporating it into Article 25, that the practice of taking privacy requirements into account from the early stages of the design of products and services was enshrined in law. The purpose of privacy by design is that data protection is considered from the very beginning of any new development and is not seen as an afterthought once the product is finished, since it is intended to be an integral part of the (hardware or software) product, system, service or process.


The Guide outlines the concept and principles behind privacy by design, as well as the requirements which any product or service must meet in order to guarantee said privacy. It also analyses the concept of privacy engineering, a process which aims to translate the principles of privacy by design into concrete measures, both in the conception phase of the product or service and during the development phase. It also addresses the different privacy design strategies, some of which are oriented to data processing (minimize, hide, separate, and abstract) while others are aimed at defining processes for the responsible management of personal data (inform, control, fulfil and demonstrate). The Guide also dedicates a section to classifying Privacy Enhancing Technologies (PETs), as well as other aspects. Finally, the AEPD makes it clear in its Guide that ensuring privacy and establishing a framework which guarantees data protection does not pose an obstacle to innovation; instead, it offers advantages and opportunities for organizations, the market and society as a whole. It also reminds us that privacy by design is the responsibility of those in charge, whatever form the development, acquisition or subcontracting of the system, product or service takes, and they cannot completely delegate this responsibility to device manufacturers or subordinates.


In these cases, the Data Protection Officer (DPO) plays a key role in the implementation of this strategy, advising the person responsible for processing the data and supervising compliance with data protection regulations within the organization. It is also a means to implement the privacy management models proposed by the recent ISO/IEC 27701:2019 standard, which specifies the requirements and provides guidance on how to establish, implement, maintain and continuously improve a Privacy Information Management System (PIMS).


For more information please see the Practical Guide to assessing the impact of data protection and the template for assessing the impact of data protection at the following link.
