Can the data protection by design process be carried out after a system has already been implemented?
ANSWER
Please carry out your work, i.e., conduct the data protection by design process. As I indicated in the response to question number 1, you should do this by analysing the following elements operating within the new IT tool:
- Personal data protection principles (Art. 5 GDPR).
- Rights of data subjects (Arts. 12–22 GDPR).
- Freedoms of data subjects (risk analysis).
The results of your work (in particular the risk analysis) should be submitted to senior management, who should make a decision on the course of action in the event that risks are identified that fall outside the tolerance range (which is possible due to personal data protection not having been taken into account in the design phase).
I would also like to quote in this regard EDPB Guideline 4/2019: Early incorporation of data protection by design and data protection by default is of key importance for the successful implementation of principles and the protection of data subjects' rights. Moreover, from a cost-benefit perspective, it is in the controller's interest to address this matter sooner, as making changes to existing plans and already-designed processing operations could prove difficult and costly.