Data Protection by Design and by Default in the Post-Covid World


  • Liane Colonna
  • Cecilia Magnusson Sjöberg
  • Athena Bourka
  • Achim Klabunde
  • Veronica Buer

Organisation: IRI (Swedish Research Institute)

Room: Online 2

Timing: 11:45 - 13:00 on 27 January 2021

Data Protection by Design and by Default (DPbDD) refers to the design and existence of embedded measures, safeguards and mechanisms that effectively protect the personal data protection principles and the data subject's rights and freedoms with respect to data protection throughout the processing lifecycle of an application, service or product. In many ways, DPbDD can be seen as the sleeping giant of the GDPR: the entire burden of compliance hinges on this article, under which the data controller must design appropriate technological and organizational measures to address not just the core data protection principles listed in Article 5 but also the rights and freedoms of the data subject and the requirements of the GDPR in general. This panel will consider the scope and enforcement of Article 25, particularly in the context of the pandemic and in the post-pandemic context. The discussion will cover issues including:

• What are the specific roles, responsibilities and liabilities of controllers, processors, hardware and software providers etc. when it comes to implementing this legal requirement?
• What does the concept of “the state of the art” mean, and who should be responsible for driving it?
• How should controllers demonstrate the effectiveness of a safeguard or measure?
• What is the relationship between AI and DPbDD?


Liane Colonna

The Swedish Law and Informatics Research Institute (IRI)(SE)

Liane is currently employed as a post-doctoral researcher at The Swedish Law and Informatics Research Institute (IRI), where she is performing research in the PAAL Project, a European Union – Horizon 2020 program. This project seeks to build privacy-aware lifelogging tools for older and frailer individuals in order to support their health, wellness, and independence. Liane is also a Co-Principal Investigator (PI) of a Marie Skłodowska-Curie Actions Innovative Training Network entitled Privacy-Aware and Acceptable Video-Based Technologies and Services for Active and Assisted Living (“visual”). Furthermore, she is the Action Vice Chair of the COST Action entitled “Network on Privacy-Aware Audio- and Video-Based Applications for Active and Assisted Living”.


Cecilia Magnusson Sjöberg

Stockholm University (SE)

Professor Cecilia Magnusson Sjöberg is Subject Director of Law & Informatics at Stockholm University. She was awarded an LL.D. degree in 1992, with a doctoral thesis about legal automation. In addition to substantive components of IT law, e.g. concerning privacy and information security, she has had many years of experience of legal system design and management. In addition to a wide variety of research projects nationally, within the EU and internationally addressing the interplay between law and modern technologies, she is engaged by the Swedish government, chairing and participating in public inquiries about e.g. legal aspects of e-government and AI.

Athena Bourka

European Union Agency for Cybersecurity (ENISA) (EU)

Athena Bourka is a Network and Information Security Expert at the European Union Agency for Network and Information Security (ENISA) in the areas of data security, privacy and trust. She is also ENISA’s Data Protection Officer. Before joining ENISA, Athena worked for over 10 years as a privacy and security expert in the Hellenic Data Protection Authority and the European Data Protection Supervisor (seconded national expert). Athena has also worked in the past in the areas of healthcare data security and environmental information systems and networks. She has studied electrical and computer engineering and holds a PhD in information security.

Achim Klabunde


Achim Klabunde is the Advisor on Technology and Data Protection to the European Data Protection Supervisor. He provides the supervisor with expertise on the impact of existing and emerging technologies on the fundamental rights of individuals. Achim graduated from Bonn University in computer science. His experience covers software projects in the private sector as well as technology policy and regulation in the public sector. Achim acts as one of the co-chairs of the Working Group on AI, Ethics and Data protection of the Global Privacy Assembly, the organisation composed of data protection and privacy commissioners worldwide.

Veronica Buer

Norwegian Data Protection Authority (NO)

Veronica Jarnskjold Buer is Specialist Director in digitalisation and DPbDD at the Norwegian Data Protection Authority and has a Cand.Scient degree within data and information security. She has more than 25 years’ experience in both the private and public sectors. Her focus is on research, software development, data protection by design and by default, risk assessments and Data Protection Impact Assessment (DPIA). Her experience: IT manager of a municipality, Head of Security for the National Police of Norway, Chief Information Security Officer (CISO) at the Central Bank of Norway, Director in the Norwegian NSA, Cyber Security Leader at Capgemini.